
Analysis Report x7RtG4Phju.exe

Overview

General Information

Sample Name: x7RtG4Phju.exe
Analysis ID: 286550
MD5: 594719c16f8cb2849bf7d54e9e7a5e5f
SHA1: af31ffbe1b225edceaff3f71f2df2ef025a60f71
SHA256: ea58e11a292557eb1f0fe266eb07bc184764c84f0a132893e4c67db230bb2b64
Tags: exe, NetWire, RAT

Most interesting Screenshot:

Detection

NetWire
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NetWire
Yara detected Netwire RAT
Contains functionality to detect sleep reduction / modifications
Contains functionality to steal Internet Explorer form passwords
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
May check if the current machine is a sandbox (GetTickCount - Sleep)
PE file contains strange resources
Potential key logger detected (key state polling based)
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Classification

Startup

  • System is w10x64
  • x7RtG4Phju.exe (PID: 6408 cmdline: 'C:\Users\user\Desktop\x7RtG4Phju.exe' MD5: 594719C16F8CB2849BF7D54E9E7A5E5F)
    • x7RtG4Phju.exe (PID: 3068 cmdline: 'C:\Users\user\Desktop\x7RtG4Phju.exe' MD5: 594719C16F8CB2849BF7D54E9E7A5E5F)
      • Host.exe (PID: 4768 cmdline: 'C:\Users\user\AppData\Roaming\windows\Install\Host.exe' MD5: 594719C16F8CB2849BF7D54E9E7A5E5F)
        • Host.exe (PID: 6368 cmdline: 'C:\Users\user\AppData\Roaming\windows\Install\Host.exe' MD5: 594719C16F8CB2849BF7D54E9E7A5E5F)
  • Host.exe (PID: 6264 cmdline: 'C:\Users\user\AppData\Roaming\windows\Install\Host.exe' MD5: 594719C16F8CB2849BF7D54E9E7A5E5F)
    • Host.exe (PID: 6856 cmdline: 'C:\Users\user\AppData\Roaming\windows\Install\Host.exe' MD5: 594719C16F8CB2849BF7D54E9E7A5E5F)
  • Host.exe (PID: 4448 cmdline: 'C:\Users\user\AppData\Roaming\windows\Install\Host.exe' MD5: 594719C16F8CB2849BF7D54E9E7A5E5F)
    • Host.exe (PID: 6584 cmdline: 'C:\Users\user\AppData\Roaming\windows\Install\Host.exe' MD5: 594719C16F8CB2849BF7D54E9E7A5E5F)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000E.00000001.423569512.0000000000400000.00000040.00020000.sdmp | Suspicious_BAT_Strings | Detects a string also used in Netwire RAT auxilliary | Florian Roth
  • 0x1c68b:$s1: ping 192.0.2.2 -n 1
0000000E.00000001.423569512.0000000000400000.00000040.00020000.sdmp | Malicious_BAT_Strings | Detects a string also used in Netwire RAT auxilliary | Florian Roth
  • 0x1c6c7:$s1: call :deleteSelf&exit /b
0000000E.00000001.423569512.0000000000400000.00000040.00020000.sdmp | MAL_unspecified_Jan18_1 | Detects unspecified malware sample | Florian Roth
  • 0x1cec0:$s1: User-Agent: Mozilla/4.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
  • 0x1c68b:$s2: ping 192.0.2.2 -n 1 -w %d >nul 2>&1
  • 0x1cfc8:$s3: [Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
  • 0x1c6ee:$s4: start /b "" cmd /c del "%%~f0"&exit /b
  • 0x1cffc:$s5: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
  • 0x1cd87:$s6: %s\%s.bat
  • 0x1c6b0:$s7: DEL /s "%s" >nul 2>&1
0000000E.00000001.423569512.0000000000400000.00000040.00020000.sdmp | JoeSecurity_Netwire | Yara detected Netwire RAT | Joe Security
0000000E.00000001.423569512.0000000000400000.00000040.00020000.sdmp | netwire | detect netwire in memory | JPCERT/CC Incident Response Group
  • 0x1c68b:$ping: ping 192.0.2.2
  • 0x1cfc8:$log: [Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
(101 entries in total; only the first entries are shown here)

Unpacked PEs

Source | Rule | Description | Author | Strings
3.1.Host.exe.400000.0.raw.unpack | Suspicious_BAT_Strings | Detects a string also used in Netwire RAT auxilliary | Florian Roth
  • 0x1c68b:$s1: ping 192.0.2.2 -n 1
3.1.Host.exe.400000.0.raw.unpack | Malicious_BAT_Strings | Detects a string also used in Netwire RAT auxilliary | Florian Roth
  • 0x1c6c7:$s1: call :deleteSelf&exit /b
3.1.Host.exe.400000.0.raw.unpack | MAL_unspecified_Jan18_1 | Detects unspecified malware sample | Florian Roth
  • 0x1cec0:$s1: User-Agent: Mozilla/4.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
  • 0x1c68b:$s2: ping 192.0.2.2 -n 1 -w %d >nul 2>&1
  • 0x1cfc8:$s3: [Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
  • 0x1c6ee:$s4: start /b "" cmd /c del "%%~f0"&exit /b
  • 0x1cffc:$s5: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
  • 0x1cd87:$s6: %s\%s.bat
  • 0x1c6b0:$s7: DEL /s "%s" >nul 2>&1
3.1.Host.exe.400000.0.raw.unpack | JoeSecurity_Netwire | Yara detected Netwire RAT | Joe Security
3.1.Host.exe.400000.0.raw.unpack | netwire | detect netwire in memory | JPCERT/CC Incident Response Group
  • 0x1c68b:$ping: ping 192.0.2.2
  • 0x1cfc8:$log: [Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
(147 entries in total; only the first entries are shown here)

Sigma Overview

System Summary:

Sigma detected: NetWire
Source: Registry Key set | Author: Joe Security | Data: Details: HostId-gYKkGs, EventID: 13, Image: C:\Users\user\AppData\Roaming\windows\Install\Host.exe, ProcessId: 6368, TargetObject: HKEY_CURRENT_USER\Software\NetWire\HostId

      Signature Overview


AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe | Virustotal: Detection: 28%
Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe | Metadefender: Detection: 15%
Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe | ReversingLabs: Detection: 41%
Multi AV Scanner detection for submitted file
Source: x7RtG4Phju.exe | Virustotal: Detection: 28%
Source: x7RtG4Phju.exe | Metadefender: Detection: 15%
Source: x7RtG4Phju.exe | ReversingLabs: Detection: 41%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: x7RtG4Phju.exe | Joe Sandbox ML: detected
Source: 5.2.Host.exe.4180000.3.unpack | Avira: Label: TR/Spy.Gen
Source: 1.1.x7RtG4Phju.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen
Source: 3.2.Host.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen
Source: 9.2.Host.exe.4180000.3.unpack | Avira: Label: TR/Spy.Gen
Source: 6.1.Host.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen
Source: 1.2.x7RtG4Phju.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen
Source: 3.1.Host.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen
Source: 14.1.Host.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen
Source: 14.2.Host.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen
Source: 2.2.Host.exe.27d0000.2.unpack | Avira: Label: TR/Spy.Gen
Source: 0.2.x7RtG4Phju.exe.4190000.3.unpack | Avira: Label: TR/Spy.Gen
Source: 6.2.Host.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen
Source: C:\Users\user\Desktop\x7RtG4Phju.exe | Code function: 1_2_0041249C CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,1_2_0041249C
Source: C:\Users\user\Desktop\x7RtG4Phju.exe | Code function: 1_2_0041294C CryptDestroyHash,CryptReleaseContext,1_2_0041294C
Source: C:\Users\user\Desktop\x7RtG4Phju.exe | Code function: 1_2_00412660 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,RegQueryValueExA,LocalFree,CryptDestroyHash,CryptReleaseContext,1_2_00412660
Source: C:\Users\user\Desktop\x7RtG4Phju.exe | Code function: 1_2_00413F70 CryptUnprotectData,LocalFree,1_2_00413F70
Source: C:\Users\user\Desktop\x7RtG4Phju.exe | Code function: 1_2_00411320 RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegCloseKey,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,CryptUnprotectData,LocalFree,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,CryptUnprotectData,LocalFree,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,1_2_00411320
Source: C:\Users\user\Desktop\x7RtG4Phju.exe | Code function: 1_1_0041249C CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,1_1_0041249C
Source: C:\Users\user\Desktop\x7RtG4Phju.exe | Code function: 1_1_0041294C CryptDestroyHash,CryptReleaseContext,1_1_0041294C
Source: C:\Users\user\Desktop\x7RtG4Phju.exe | Code function: 1_1_00412660 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,RegQueryValueExA,LocalFree,CryptDestroyHash,CryptReleaseContext,1_1_00412660
Source: C:\Users\user\Desktop\x7RtG4Phju.exe | Code function: 1_1_00413F70 CryptUnprotectData,LocalFree,1_1_00413F70
Source: C:\Users\user\Desktop\x7RtG4Phju.exe | Code function: 1_1_00411320 RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegCloseKey,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,CryptUnprotectData,LocalFree,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,CryptUnprotectData,LocalFree,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,1_1_00411320
Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe | Code function: 3_2_0041249C CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,3_2_0041249C
Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe | Code function: 3_2_0041294C CryptDestroyHash,CryptReleaseContext,3_2_0041294C
Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe | Code function: 3_2_00412660 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,RegQueryValueExA,LocalFree,CryptDestroyHash,CryptReleaseContext,3_2_00412660
Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe | Code function: 3_2_00413F70 CryptUnprotectData,LocalFree,3_2_00413F70
Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe | Code function: 3_2_00411320 RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegCloseKey,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,CryptUnprotectData,LocalFree,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,CryptUnprotectData,LocalFree,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,3_2_00411320
Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe | Code function: 6_2_0041249C CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,6_2_0041249C
Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe | Code function: 6_2_0041294C CryptDestroyHash,CryptReleaseContext,6_2_0041294C
Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe | Code function: 6_2_00412660 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,RegQueryValueExA,LocalFree,CryptDestroyHash,CryptReleaseContext,6_2_00412660
Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe | Code function: 6_2_00413F70 CryptUnprotectData,LocalFree,6_2_00413F70
Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe | Code function: 6_2_00411320 RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegCloseKey,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,CryptUnprotectData,LocalFree,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,CryptUnprotectData,LocalFree,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,6_2_00411320
Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe | Code function: 6_1_0041249C CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,6_1_0041249C
Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe | Code function: 6_1_0041294C CryptDestroyHash,CryptReleaseContext,6_1_0041294C
Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe | Code function: 6_1_00412660 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,RegQueryValueExA,LocalFree,CryptDestroyHash,CryptReleaseContext,6_1_00412660
Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe | Code function: 6_1_00413F70 CryptUnprotectData,LocalFree,6_1_00413F70
Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe | Code function: 6_1_00411320 RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegCloseKey,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,CryptUnprotectData,LocalFree,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,CryptUnprotectData,LocalFree,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,6_1_00411320
Source: C:\Users\user\Desktop\x7RtG4Phju.exe | Code function: 0_2_00405C14 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,0_2_00405C14
Source: C:\Users\user\Desktop\x7RtG4Phju.exe | Code function: 1_2_0040A450 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,1_2_0040A450
Source: C:\Users\user\Desktop\x7RtG4Phju.exe | Code function: 1_2_0040A070 SetErrorMode,FindFirstFileA,FindNextFileA,FileTimeToSystemTime,FindClose,1_2_0040A070
Source: C:\Users\user\Desktop\x7RtG4Phju.exe | Code function: 1_2_00413400 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,strlen,1_2_00413400
Source: C:\Users\user\Desktop\x7RtG4Phju.exe | Code function: 1_2_0040AB10 GetFileAttributesA,GetFileAttributesExA,SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,1_2_0040AB10
Source: C:\Users\user\Desktop\x7RtG4Phju.exe | Code function: 1_2_0041A720 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,1_2_0041A720
Source: C:\Users\user\Desktop\x7RtG4Phju.exe | Code function: 1_1_0040A450 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,1_1_0040A450
Source: C:\Users\user\Desktop\x7RtG4Phju.exe | Code function: 1_1_0040A070 SetErrorMode,FindFirstFileA,FindNextFileA,FileTimeToSystemTime,FindClose,1_1_0040A070
Source: C:\Users\user\Desktop\x7RtG4Phju.exe | Code function: 1_1_00413400 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,strlen,1_1_00413400
Source: C:\Users\user\Desktop\x7RtG4Phju.exe | Code function: 1_1_0040AB10 GetFileAttributesA,GetFileAttributesExA,SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,1_1_0040AB10
Source: C:\Users\user\Desktop\x7RtG4Phju.exe | Code function: 1_1_0041A720 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,1_1_0041A720
Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe | Code function: 2_2_00405C14 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,2_2_00405C14
Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe | Code function: 3_2_0040A450 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,3_2_0040A450
Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe | Code function: 3_2_0040A070 SetErrorMode,FindFirstFileA,FindNextFileA,FileTimeToSystemTime,FindClose,3_2_0040A070
Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe | Code function: 3_2_00413400 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,strlen,3_2_00413400
Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe | Code function: 3_2_0040AB10 GetFileAttributesA,GetFileAttributesExA,SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,3_2_0040AB10
Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe | Code function: 3_2_0041A720 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,3_2_0041A720
Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe | Code function: 5_2_00405C14 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,5_2_00405C14
Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe | Code function: 6_2_0040A450 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,6_2_0040A450
Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe | Code function: 6_2_0040A070 SetErrorMode,FindFirstFileA,FindNextFileA,FileTimeToSystemTime,FindClose,6_2_0040A070
Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe | Code function: 6_2_00413400 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,strlen,6_2_00413400
Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe | Code function: 6_2_0040AB10 GetFileAttributesA,GetFileAttributesExA,SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,6_2_0040AB10
Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe | Code function: 6_2_0041A720 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,6_2_0041A720
Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe | Code function: 6_1_0040A450 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,6_1_0040A450
Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe | Code function: 6_1_0040A070 SetErrorMode,FindFirstFileA,FindNextFileA,FileTimeToSystemTime,FindClose,6_1_0040A070
Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe | Code function: 6_1_00413400 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,strlen,6_1_00413400
Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe | Code function: 6_1_0040AB10 GetFileAttributesA,GetFileAttributesExA,SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,6_1_0040AB10
Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe | Code function: 6_1_0041A720 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,6_1_0041A720
Source: C:\Users\user\Desktop\x7RtG4Phju.exe | Code function: 1_2_00409CE0 SetErrorMode,GetLogicalDriveStringsA,GetDiskFreeSpaceExA,GetDriveTypeA,GetVolumeInformationA,1_2_00409CE0
Source: global traffic | TCP traffic: 192.168.2.3:49736 -> 149.202.112.165:3360
Source: C:\Users\user\Desktop\x7RtG4Phju.exe | Code function: 1_2_0040D8EC recv,fopen,fwrite,recv,fclose,1_2_0040D8EC
Source: unknown | DNS traffic detected: queries for: hellosecures.xyz
Source: C:\Users\user\Desktop\x7RtG4Phju.exe | Code function: 1_2_00417A40 GetSystemMetrics,GetSystemMetrics,GetDesktopWindow,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,DeleteDC,DeleteObject,free,GetDIBits,calloc,GetDIBits,1_2_00417A40
Source: C:\Users\user\Desktop\x7RtG4Phju.exe | Code function: 0_2_00430A94 GetKeyboardState,0_2_00430A94
Source: x7RtG4Phju.exe, 00000000.00000002.372530356.000000000085A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe | Code function: 3_2_0040E409 DefWindowProcA,RegisterRawInputDevices,GetRawInputData,malloc,GetRawInputData,PostQuitMessage,3_2_0040E409
Source: C:\Users\user\Desktop\x7RtG4Phju.exe | Code function: 1_2_0040E040 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,GetForegroundWindow,GetLocalTime,GetWindowTextA,MapVirtualKeyA,ToAscii,MapVirtualKeyA,GetKeyNameTextA,GetKeyState,GetKeyState,1_2_0040E040
Source: C:\Users\user\Desktop\x7RtG4Phju.exe | Code function: 1_1_0040E040 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,GetForegroundWindow,GetLocalTime,GetWindowTextA,MapVirtualKeyA,ToAscii,MapVirtualKeyA,GetKeyNameTextA,GetKeyState,GetKeyState,1_1_0040E040
Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe | Code function: 3_2_0040E040 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,GetForegroundWindow,GetLocalTime,GetWindowTextA,MapVirtualKeyA,ToAscii,MapVirtualKeyA,GetKeyNameTextA,GetKeyState,GetKeyState,3_2_0040E040
Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe | Code function: 6_2_0040E040 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,GetForegroundWindow,GetLocalTime,GetWindowTextA,MapVirtualKeyA,ToAscii,MapVirtualKeyA,GetKeyNameTextA,GetKeyState,GetKeyState,6_2_0040E040
Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe | Code function: 6_1_0040E040 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,GetForegroundWindow,GetLocalTime,GetWindowTextA,MapVirtualKeyA,ToAscii,MapVirtualKeyA,GetKeyNameTextA,GetKeyState,GetKeyState,6_1_0040E040

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000E.00000001.423569512.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 0000000E.00000001.423569512.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 00000003.00000001.379363182.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 00000003.00000001.379363182.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.374961798.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 00000001.00000002.374961798.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.381610674.0000000004150000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 00000002.00000002.381610674.0000000004150000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.372581187.0000000002310000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 00000000.00000002.372581187.0000000002310000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.381250917.00000000027D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 00000002.00000002.381250917.00000000027D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.371927114.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 00000001.00000001.371927114.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.425880977.0000000004180000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 00000009.00000002.425880977.0000000004180000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.409622784.0000000004180000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 00000005.00000002.409622784.0000000004180000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.425825972.0000000004150000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 00000009.00000002.425825972.0000000004150000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.374508165.0000000004190000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 00000000.00000002.374508165.0000000004190000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.423894381.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 0000000E.00000002.423894381.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 00000006.00000001.404931565.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 00000006.00000001.404931565.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.409601235.0000000004150000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 00000005.00000002.409601235.0000000004150000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.405162004.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 00000006.00000002.405162004.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.634109350.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 00000003.00000002.634109350.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Host.exe PID: 6856, type: MEMORY | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: Process Memory Space: Host.exe PID: 6856, type: MEMORY | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Host.exe PID: 4448, type: MEMORY | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: x7RtG4Phju.exe PID: 6408, type: MEMORY | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Host.exe PID: 4768, type: MEMORY | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Host.exe PID: 6264, type: MEMORY | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: x7RtG4Phju.exe PID: 3068, type: MEMORY | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Host.exe PID: 6584, type: MEMORY | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: Process Memory Space: Host.exe PID: 6584, type: MEMORY | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Host.exe PID: 6368, type: MEMORY | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 3.1.Host.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 3.1.Host.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 14.1.Host.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 14.1.Host.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 6.1.Host.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 6.1.Host.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 9.2.Host.exe.4150000.2.unpack, type: UNPACKEDPE | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 5.2.Host.exe.4180000.3.unpack, type: UNPACKEDPE | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 5.2.Host.exe.4180000.3.unpack, type: UNPACKEDPE | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.x7RtG4Phju.exe.2310000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 0.2.x7RtG4Phju.exe.2310000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 2.2.Host.exe.4150000.3.unpack, type: UNPACKEDPE | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 5.2.Host.exe.4150000.2.unpack, type: UNPACKEDPE | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 1.1.x7RtG4Phju.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 1.1.x7RtG4Phju.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.x7RtG4Phju.exe.4190000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 0.2.x7RtG4Phju.exe.4190000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 14.2.Host.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 14.2.Host.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 3.2.Host.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 3.2.Host.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 9.2.Host.exe.4180000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 9.2.Host.exe.4180000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 1.1.x7RtG4Phju.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects unspecified malware sample | Author: Florian Roth
      Source: 1.1.x7RtG4Phju.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
      Source: 3.2.Host.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects unspecified malware sample Author: Florian Roth
      Source: 3.2.Host.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
      Source: 2.2.Host.exe.4150000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects unspecified malware sample Author: Florian Roth
      Source: 2.2.Host.exe.4150000.3.raw.unpack, type: UNPACKEDPEMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
      Source: 1.2.x7RtG4Phju.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects unspecified malware sample Author: Florian Roth
      Source: 1.2.x7RtG4Phju.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
      Source: 9.2.Host.exe.4180000.3.unpack, type: UNPACKEDPEMatched rule: Detects unspecified malware sample Author: Florian Roth
      Source: 9.2.Host.exe.4180000.3.unpack, type: UNPACKEDPEMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
      Source: 6.1.Host.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects unspecified malware sample Author: Florian Roth
      Source: 6.1.Host.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
      Source: 5.2.Host.exe.4180000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects unspecified malware sample Author: Florian Roth
      Source: 5.2.Host.exe.4180000.3.raw.unpack, type: UNPACKEDPEMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
      Source: 3.1.Host.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects unspecified malware sample Author: Florian Roth
      Source: 3.1.Host.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
      Source: 1.2.x7RtG4Phju.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects unspecified malware sample Author: Florian Roth
      Source: 1.2.x7RtG4Phju.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
      Source: 2.2.Host.exe.27d0000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects unspecified malware sample Author: Florian Roth
      Source: 2.2.Host.exe.27d0000.2.raw.unpack, type: UNPACKEDPEMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
      Source: 14.1.Host.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects unspecified malware sample Author: Florian Roth
      Source: 14.1.Host.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
      Source: 5.2.Host.exe.4150000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects unspecified malware sample Author: Florian Roth
      Source: 5.2.Host.exe.4150000.2.raw.unpack, type: UNPACKEDPEMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
      Source: 0.2.x7RtG4Phju.exe.2310000.2.unpack, type: UNPACKEDPEMatched rule: Detects unspecified malware sample Author: Florian Roth
      Source: 14.2.Host.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects unspecified malware sample Author: Florian Roth
      Source: 14.2.Host.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
      Source: 6.2.Host.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects unspecified malware sample Author: Florian Roth
      Source: 6.2.Host.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
      Source: 0.2.x7RtG4Phju.exe.4190000.3.unpack, type: UNPACKEDPEMatched rule: Detects unspecified malware sample Author: Florian Roth
      Source: 0.2.x7RtG4Phju.exe.4190000.3.unpack, type: UNPACKEDPEMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
      Source: 6.2.Host.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects unspecified malware sample Author: Florian Roth
      Source: 6.2.Host.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
      Source: 9.2.Host.exe.4150000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects unspecified malware sample Author: Florian Roth
      Source: 9.2.Host.exe.4150000.2.raw.unpack, type: UNPACKEDPEMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
      Source: 2.2.Host.exe.27d0000.2.unpack, type: UNPACKEDPEMatched rule: Detects unspecified malware sample Author: Florian Roth
      Source: 2.2.Host.exe.27d0000.2.unpack, type: UNPACKEDPEMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
      Source: C:\Users\user\Desktop\x7RtG4Phju.exe Code function: 0_2_0044E1DC NtdllDefWindowProc_A, 0_2_0044E1DC
      Source: C:\Users\user\Desktop\x7RtG4Phju.exe Code function: 0_2_00433944 NtdllDefWindowProc_A,GetCapture, 0_2_00433944
      Source: C:\Users\user\Desktop\x7RtG4Phju.exe Code function: 0_2_0044E958 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 0_2_0044E958
      Source: C:\Users\user\Desktop\x7RtG4Phju.exe Code function: 0_2_0044EA08 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 0_2_0044EA08
      Source: C:\Users\user\Desktop\x7RtG4Phju.exe Code function: 0_2_00442DCC GetSubMenu,SaveDC,RestoreDC,739EB080,SaveDC,RestoreDC,NtdllDefWindowProc_A, 0_2_00442DCC
      Source: C:\Users\user\Desktop\x7RtG4Phju.exe Code function: 0_2_0042906C NtdllDefWindowProc_A, 0_2_0042906C
      Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe Code function: 2_2_0044E1DC NtdllDefWindowProc_A, 2_2_0044E1DC
      Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe Code function: 2_2_00433944 NtdllDefWindowProc_A,GetCapture, 2_2_00433944
      Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe Code function: 2_2_0044E958 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 2_2_0044E958
      Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe Code function: 2_2_0044EA08 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 2_2_0044EA08
      Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe Code function: 2_2_00442DCC GetSubMenu,SaveDC,RestoreDC,739EB080,SaveDC,RestoreDC,NtdllDefWindowProc_A, 2_2_00442DCC
      Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe Code function: 2_2_0042906C NtdllDefWindowProc_A, 2_2_0042906C
      Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe Code function: 5_2_0044E1DC NtdllDefWindowProc_A, 5_2_0044E1DC
      Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe Code function: 5_2_00433944 NtdllDefWindowProc_A,GetCapture, 5_2_00433944
      Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe Code function: 5_2_0044E958 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 5_2_0044E958
      Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe Code function: 5_2_0044EA08 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 5_2_0044EA08
      Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe Code function: 5_2_00442DCC GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A, 5_2_00442DCC
      Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe Code function: 5_2_0042906C NtdllDefWindowProc_A, 5_2_0042906C
      Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe Code function: 6_1_00402C67 CloseHandle,ntohs,inet_ntoa,ntohs,inet_ntoa,CreateToolhelp32Snapshot,Process32First,Process32Next, 6_1_00402C67
      Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe Code function: 6_1_004029C0 malloc,CloseHandle,ntohs,inet_ntoa,ntohs,inet_ntoa,CreateToolhelp32Snapshot,Process32First,Process32Next,malloc,CloseHandle,ntohs,inet_ntoa,CreateToolhelp32Snapshot,Process32First,Process32Next, 6_1_004029C0
      Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe Code function: 6_1_00417670 select,__WSAFDIsSet,recv,recv,ntohs,socket,connect,send,recv,send,send,send, 6_1_00417670
      Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe Code function: 6_1_00417709 recv,recv,ntohs,socket,connect,send, 6_1_00417709
      Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe Code function: 6_1_00402F19 CloseHandle,ntohs,inet_ntoa,CreateToolhelp32Snapshot,Process32First, 6_1_00402F19
      Source: C:\Users\user\Desktop\x7RtG4Phju.exe Code function: 0_2_004488B0 0_2_004488B0
      Source: C:\Users\user\Desktop\x7RtG4Phju.exe Code function: 0_2_00442DCC 0_2_00442DCC
      Source: C:\Users\user\Desktop\x7RtG4Phju.exe Code function: 0_2_0040BF04 0_2_0040BF04
      Source: C:\Users\user\Desktop\x7RtG4Phju.exe Code function: 1_2_004030F0 1_2_004030F0
      Source: C:\Users\user\Desktop\x7RtG4Phju.exe Code function: 1_2_00403DF0 1_2_00403DF0
      Source: C:\Users\user\Desktop\x7RtG4Phju.exe Code function: 1_2_0040DE21 1_2_0040DE21
      Source: C:\Users\user\Desktop\x7RtG4Phju.exe Code function: 1_2_0040DAC0 1_2_0040DAC0
      Source: C:\Users\user\Desktop\x7RtG4Phju.exe Code function: 1_2_0040368C 1_2_0040368C
      Source: C:\Users\user\Desktop\x7RtG4Phju.exe Code function: 1_2_00404281 1_2_00404281
      Source: C:\Users\user\Desktop\x7RtG4Phju.exe Code function: 1_2_00403EB7 1_2_00403EB7
      Source: C:\Users\user\Desktop\x7RtG4Phju.exe Code function: 1_2_0040F340 1_2_0040F340
      Source: C:\Users\user\Desktop\x7RtG4Phju.exe Code function: 1_2_00406360 1_2_00406360
      Source: C:\Users\user\Desktop\x7RtG4Phju.exe Code function: 1_2_00404779 1_2_00404779
      Source: C:\Users\user\Desktop\x7RtG4Phju.exe Code function: 1_2_00415300 1_2_00415300
      Source: C:\Users\user\Desktop\x7RtG4Phju.exe Code function: 1_2_00404730 1_2_00404730
      Source: C:\Users\user\Desktop\x7RtG4Phju.exe Code function: 1_2_0040A7A0 1_2_0040A7A0
      Source: C:\Users\user\Desktop\x7RtG4Phju.exe Code function: 1_2_00403BB0 1_2_00403BB0
      Source: C:\Users\user\Desktop\x7RtG4Phju.exe Code function: 1_1_004030F0 1_1_004030F0
      Source: C:\Users\user\Desktop\x7RtG4Phju.exe Code function: 1_1_00403DF0 1_1_00403DF0
      Source: C:\Users\user\Desktop\x7RtG4Phju.exe Code function: 1_1_0040DE21 1_1_0040DE21
      Source: C:\Users\user\Desktop\x7RtG4Phju.exe Code function: 1_1_0040DAC0 1_1_0040DAC0
      Source: C:\Users\user\Desktop\x7RtG4Phju.exe Code function: 1_1_0040368C 1_1_0040368C
      Source: C:\Users\user\Desktop\x7RtG4Phju.exe Code function: 1_1_00404281 1_1_00404281
      Source: C:\Users\user\Desktop\x7RtG4Phju.exe Code function: 1_1_00403EB7 1_1_00403EB7
      Source: C:\Users\user\Desktop\x7RtG4Phju.exe Code function: 1_1_0040F340 1_1_0040F340
      Source: C:\Users\user\Desktop\x7RtG4Phju.exe Code function: 1_1_00406360 1_1_00406360
      Source: C:\Users\user\Desktop\x7RtG4Phju.exe Code function: 1_1_00404779 1_1_00404779
      Source: C:\Users\user\Desktop\x7RtG4Phju.exe Code function: 1_1_00415300 1_1_00415300
      Source: C:\Users\user\Desktop\x7RtG4Phju.exe Code function: 1_1_00404730 1_1_00404730
      Source: C:\Users\user\Desktop\x7RtG4Phju.exe Code function: 1_1_0040A7A0 1_1_0040A7A0
      Source: C:\Users\user\Desktop\x7RtG4Phju.exe Code function: 1_1_00403BB0 1_1_00403BB0
      Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe Code function: 2_2_004488B0 2_2_004488B0
      Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe Code function: 2_2_00442DCC 2_2_00442DCC
      Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe Code function: 2_2_0040BF04 2_2_0040BF04
      Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe Code function: 3_2_004030F0 3_2_004030F0
      Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe Code function: 3_2_00403DF0 3_2_00403DF0
      Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe Code function: 3_2_0040DE21 3_2_0040DE21
      Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe Code function: 3_2_0040DAC0 3_2_0040DAC0
      Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe Code function: 3_2_0040368C 3_2_0040368C
      Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe Code function: 3_2_00404281 3_2_00404281
      Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe Code function: 3_2_00403EB7 3_2_00403EB7
      Source: C:\Users\user\AppData\Roaming\windows\Install\Host.exe Code function: 3_2_0040F340 3_2_0040F340
      Source: C:\Users\u<