Windows Analysis Report
000002.exe

Overview

General Information

Sample Name: 000002.exe
Analysis ID: 1327116
MD5: a205a6202f91daab00d4cfb555cbcd0e
SHA1: 9c5eef29ae538b14e805bfc234290ee0062ba76b
SHA256: 39e66194e9d181d8cda1ecd48f18b95d644dd89000251268eaf118f432c47f60

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Writes to foreign memory regions
Clears Internet Explorer cache and cookies (likely to cover tracks)
Machine Learning detection for sample
Allocates memory in foreign processes
Creates files in the system32 config directory
Machine Learning detection for dropped file
Creates autorun.inf (USB autostart)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
May infect USB drives
PE file contains sections with non-standard names
Sleep loop found (likely to delay execution)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Entry point lies outside standard sections
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Searches for the Microsoft Outlook file path
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Installs a global mouse hook
Contains functionality to retrieve information about pressed keystrokes
Checks for available system drives (often done to infect USB drives)
Creates or modifies windows services
Found large amount of non-executed APIs
Contains functionality to detect sandboxes (foreground window change detection)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Classification

[Classification chart; categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious]

Process Tree

  • System is w7x64
  • 000002.exe (PID: 2588 cmdline: C:\Users\user\Desktop\000002.exe MD5: A205A6202F91DAAB00D4CFB555CBCD0E)
  • svchost.exe (PID: 1960 cmdline: C:\Windows\system\svchost.exe MD5: A205A6202F91DAAB00D4CFB555CBCD0E)
    • wupdmgr.exe (PID: 428 cmdline: C:\Windows\system\wupdmgr.exe MD5: EAF804ADBB753C761F7101C4DB14C0FB)
    • iexplore.exe (PID: 2968 cmdline: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" \ MD5: 4EB098135821348270F27157F7A84E65)
      • ie4uinit.exe (PID: 236 cmdline: "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon MD5: AB5576121AEC5386E15E6DCE469BB3C4)
      • iexplore.exe (PID: 2348 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2968 CREDAT:275457 /prefetch:2 MD5: 8A590F790A98F3D77399BE457E01386A)
      • rundll32.exe (PID: 2068 cmdline: C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:264 WinX:0 WinY:0 IEFrame:0000000000000000 MD5: DD81D91FF3B0763C392422865C9AC12E)
      • rundll32.exe (PID: 1852 cmdline: C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:65800 WinX:0 WinY:0 IEFrame:0000000000000000 MD5: DD81D91FF3B0763C392422865C9AC12E)
      • rundll32.exe (PID: 268 cmdline: C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:65800 WinX:0 WinY:0 IEFrame:0000000000000000 MD5: DD81D91FF3B0763C392422865C9AC12E)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: 000002.exe | Virustotal: Detection: 68%
Source: 000002.exe | Avira: detected
Source: C:\Windows\SysWOW64\Panel sterowania.{21EC2020-3AEA-1069-A2DD-08002B30309D}\winlogon.dll | Avira: detection malicious, Label: W32/VB.BU
Source: C:\Windows\system\wupdmgr.exe | Avira: detection malicious, Label: TR/Crypt.FKM.Gen
Source: C:\explore.exe | Avira: detection malicious, Label: W32/VB.BU
Source: C:\Windows\system\svchost.exe | Avira: detection malicious, Label: W32/VB.BU
Source: C:\Windows\SysWOW64\explorxp.exe | Avira: detection malicious, Label: TR/Agent.afvz
Source: C:\Windows\SysWOW64\Panel sterowania.{21EC2020-3AEA-1069-A2DD-08002B30309D}\winlogon.dll | Virustotal: Detection: 68%
Source: C:\Windows\SysWOW64\explorxp.exe | ReversingLabs: Detection: 56%
Source: C:\Windows\SysWOW64\explorxp.exe | Virustotal: Detection: 47%
Source: C:\Windows\system\svchost.exe | Virustotal: Detection: 68%
Source: C:\Windows\system\wupdmgr.exe | ReversingLabs: Detection: 88%
Source: C:\Windows\system\wupdmgr.exe | Virustotal: Detection: 74%
Source: C:\explore.exe | Virustotal: Detection: 68%
Source: 000002.exe | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Panel sterowania.{21EC2020-3AEA-1069-A2DD-08002B30309D}\winlogon.dll | Joe Sandbox ML: detected
Source: C:\Windows\system\wupdmgr.exe | Joe Sandbox ML: detected
Source: C:\explore.exe | Joe Sandbox ML: detected
Source: C:\Windows\system\svchost.exe | Joe Sandbox ML: detected
Source: 000002.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Spreading

Source: C:\Users\user\Desktop\000002.exe | File created: c:\autorun.inf
Source: 000002.exe | Binary or memory string: c:\autorun.inf
Source: 000002.exe | Binary or memory string: [autorun] Shellexecute=explore.exe
Source: 000002.exe | Binary or memory string: %sautorun.inf
Source: 000002.exe, 00000000.00000002.351583858.0000000000401000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: [autorun]
Source: 000002.exe, 00000000.00000002.351583858.0000000000401000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: %sautorun.inf
Source: 000002.exe, 00000000.00000002.351583858.0000000000401000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: svchost.exeuniplat.dllADVAPI32.dllkernel32.dllGetModuleHandleAGetProcAddressgg.exegadu-gadu.exetlen.exegadu.exeakuku.exeskype.exeaqq.exeicq.exeICQLite.exepowergg.exe%c%c\Program Files\Internet Explorer\iexplore.exe \%c%c\Program Files\Internet Explorer\IEXPLORE.EXE \SeDebugPrivilege%s\system\win32out.dll%s\system\win32in.dll%s\system\geturladres.txt%s\system\geturlplik.txt%s\system\inicadres.dll%s\system\inidccport.dllrw[autorun]
Source: 000002.exe, 00000000.00000002.351583858.0000000000401000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Shellexecute=explore.exeShellexecute=explore.exe%c:\%sautorun.inf%sexplore.exer+bw+b
Source: 000002.exe, 00000000.00000002.351583858.0000000000401000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: c:\autorun.inf
Source: 000002.exe, 00000000.00000002.351583858.0000000000401000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: tc:\autorun.infc:\explore.exeC:\WindowsC:\Users\user\Desktop\000002.exe
Source: svchost.exe | Binary or memory string: )tc:\autorun.inf
Source: svchost.exe | Binary or memory string: [autorun] Shellexecute=explore.exe
Source: svchost.exe | Binary or memory string: %sautorun.inf
Source: svchost.exe, 00000002.00000002.611920729.0000000000401000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: [autorun]
Source: svchost.exe, 00000002.00000002.611920729.0000000000401000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: %sautorun.inf
Source: svchost.exe, 00000002.00000002.611920729.0000000000401000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: svchost.exeuniplat.dllADVAPI32.dllkernel32.dllGetModuleHandleAGetProcAddressgg.exegadu-gadu.exetlen.exegadu.exeakuku.exeskype.exeaqq.exeicq.exeICQLite.exepowergg.exe%c%c\Program Files\Internet Explorer\iexplore.exe \%c%c\Program Files\Internet Explorer\IEXPLORE.EXE \SeDebugPrivilege%s\system\win32out.dll%s\system\win32in.dll%s\system\geturladres.txt%s\system\geturlplik.txt%s\system\inicadres.dll%s\system\inidccport.dllrw[autorun]
Source: svchost.exe, 00000002.00000002.611920729.0000000000401000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: Shellexecute=explore.exeShellexecute=explore.exe%c:\%sautorun.inf%sexplore.exer+bw+b
Source: svchost.exe, 00000002.00000002.611920729.0000000000401000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: tc:\autorun.inf
Source: svchost.exe, 00000002.00000002.611920729.0000000000401000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: tc:\autorun.infc:\explore.exeC:\WindowsC:\Windows\system\svchost.exe
Source: 000002.exe | Binary or memory string: AutoRun.inf
Source: 000002.exe | Binary or memory string: [autorun]
Source: winlogon.dll.0.dr | Binary or memory string: AutoRun.inf
Source: winlogon.dll.0.dr | Binary or memory string: [autorun]
Source: explore.exe.0.dr | Binary or memory string: AutoRun.inf
Source: explore.exe.0.dr | Binary or memory string: [autorun]
Source: svchost.exe.0.dr | Binary or memory string: AutoRun.inf
Source: svchost.exe.0.dr | Binary or memory string: [autorun]
Source: autorun.inf.0.dr | Binary or memory string: [autorun]
Source: C:\Windows\system\svchost.exe | File opened (drive enumeration): z:, x:, v:, t:, r:, p:, n:, l:, j:, h:, f:, b:, y:, w:, u:, s:, q:, o:, m:, k:, i:, g:, e:
Source: C:\Windows\System32\rundll32.exe | File opened: c:
Source: C:\Windows\System32\ie4uinit.exe | File opened: C:\Windows\System32
Source: C:\Windows\System32\ie4uinit.exe | File opened: C:\Windows\System32\config\systemprofile\AppData
Source: C:\Windows\System32\ie4uinit.exe | File opened: C:\Windows\System32\config
Source: C:\Windows\System32\ie4uinit.exe | File opened: C:\Windows\System32\config\systemprofile\AppData\Roaming
Source: C:\Windows\System32\ie4uinit.exe | File opened: C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft
Source: C:\Windows\System32\ie4uinit.exe | File opened: C:\Windows\System32\config\systemprofile
Source: rundll32.exe, 0000000B.00000003.600834144.0000000002D60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.macromedia.com
Source: C:\Program Files\Internet Explorer\iexplore.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low
Source: C:\Windows\System32\rundll32.exe | Windows user hook set: 0 mouse low level C:\Windows\system32\dinput8.dll
Source: C:\Windows\system\wupdmgr.exe | Code function: 3_2_004012A4 time,GetForegroundWindow,fopen,ctime,sprintf,fputs,fclose,Sleep,GetAsyncKeyState,fopen,GetForegroundWindow,GetWindowTextA,strcmp,sprintf,fputs,GetWindowTextA,fputc,fclose,fputc,fclose,fclose,3_2_004012A4

System Summary

Source: C:\Program Files\Internet Explorer\iexplore.exe | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:264 WinX:0 WinY:0 IEFrame:0000000000000000
Source: C:\Program Files\Internet Explorer\iexplore.exe | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:65800 WinX:0 WinY:0 IEFrame:0000000000000000
Source: C:\Program Files\Internet Explorer\iexplore.exe | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:65800 WinX:0 WinY:0 IEFrame:0000000000000000
Source: 000002.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Program Files\Internet Explorer\iexplore.exe | File deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6E6BDFD5-6CCE-11EE-8F38-ECF4BBB5915B}.dat
Source: C:\Users\user\Desktop\000002.exe | File created: C:\Windows\SysWOW64\Panel sterowania.{21EC2020-3AEA-1069-A2DD-08002B30309D}
Source: C:\Windows\system\wupdmgr.exe | Code function: String function: 00402120 appears 31 times
Source: 000002.exe | Binary or memory string: OriginalFilename vs 000002.exe
Source: 000002.exe, 00000000.00000002.351583858.0000000000401000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamewupdmgr.exel& vs 000002.exe
Source: 000002.exe, 00000000.00000000.344208370.00000000018A9000.00000080.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamesvchost.exej% vs 000002.exe
Source: 000002.exe, 00000000.00000002.351787858.00000000018C0000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamesvchost.exej% vs 000002.exe
Source: 000002.exe | Binary or memory string: OriginalFilenamesvchost.exej% vs 000002.exe
Source: 000002.exe | Binary or memory string: OriginalFilenameEXPLORER.EXE vs 000002.exe
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Users\user\Desktop\000002.exe | Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\Desktop\000002.exe | Memory allocated: 771D0000 page execute and read and write
Source: C:\Windows\system\svchost.exe | Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\system\svchost.exe | Memory allocated: 771D0000 page execute and read and write
Source: C:\Windows\system\wupdmgr.exe | Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\system\wupdmgr.exe | Memory allocated: 771D0000 page execute and read and write
Source: 000002.exe | Virustotal: Detection: 68%
Source: C:\Users\user\Desktop\000002.exe | File read: C:\Users\user\Desktop\000002.exe
Source: C:\Users\user\Desktop\000002.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\000002.exe C:\Users\user\Desktop\000002.exe
Source: unknown | Process created: C:\Windows\system\svchost.exe C:\Windows\system\svchost.exe
Source: C:\Windows\system\svchost.exe | Process created: C:\Windows\system\wupdmgr.exe C:\Windows\system\wupdmgr.exe
Source: C:\Windows\system\svchost.exe | Process created: C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\IEXPLORE.EXE" \
Source: C:\Program Files\Internet Explorer\iexplore.exe | Process created: C:\Windows\System32\ie4uinit.exe "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
Source: C:\Program Files\Internet Explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2968 CREDAT:275457 /prefetch:2
Source: C:\Program Files\Internet Explorer\iexplore.exe | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:264 WinX:0 WinY:0 IEFrame:0000000000000000
Source: C:\Program Files\Internet Explorer\iexplore.exe | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:65800 WinX:0 WinY:0 IEFrame:0000000000000000
Source: C:\Program Files\Internet Explorer\iexplore.exe | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:65800 WinX:0 WinY:0 IEFrame:0000000000000000
Source: C:\Windows\System32\ie4uinit.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32
Source: Launch Internet Explorer Browser.lnk.6.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Internet Explorer\iexplore.exe
Source: C:\Program Files\Internet Explorer\iexplore.exe | File created: C:\Windows\TEMP\Low
Source: classification engine | Classification label: mal100.spre.evad.winEXE@16/19@0/0
Source: C:\Program Files\Internet Explorer\iexplore.exe | File read: C:\Windows\System32\config\systemprofile\Favorites\desktop.ini
Source: 000002.exe, winlogon.dll.0.dr, explore.exe.0.dr, svchost.exe.0.dr | Binary or memory string: z1\EXPLORER.vbp
Source: C:\Program Files\Internet Explorer\iexplore.exe | File written: C:\Windows\System32\config\systemprofile\Favorites\desktop.ini
Source: 000002.exe | Static file information: File size 21759708 > 1048576

Data Obfuscation

Source: C:\Windows\system\wupdmgr.exe | Unpacked PE file: 3.2.wupdmgr.exe.400000.0.unpack code:EW;text:EW;.rsrc:W; vs code:ER;text:ER;.rsrc:W;
Source: C:\Windows\system\wupdmgr.exe | Code function: 3_2_0040C953 pushad ; ret 3_2_0040C8F3
Source: C:\Windows\system\wupdmgr.exe | Code function: 3_2_0040C8C6 pushad ; ret 3_2_0040C8F3
Source: wupdmgr.exe.0.dr | Static PE information: section name: text
Source: C:\Users\user\Desktop\000002.exe | Code function: 0_2_018BF770 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,0_2_018BF770
Source: initial sample | Static PE information: section where entry point is pointing to: text
Source: initial sample | Static PE information: section name: text entropy: 7.396129849490653
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1

Persistence and Installation Behavior

Source: C:\Program Files\Internet Explorer\iexplore.exe | File created: C:\Windows\system32\config\systemprofile\Favorites
Source: C:\Program Files\Internet Explorer\iexplore.exe | File created: C:\Windows\system32\config\systemprofile\Favorites\desktop.ini
Source: C:\Program Files\Internet Explorer\iexplore.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low
Source: C:\Program Files\Internet Explorer\iexplore.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low
Source: C:\Program Files\Internet Explorer\iexplore.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low
Source: C:\Program Files\Internet Explorer\iexplore.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized
Source: C:\Program Files\Internet Explorer\iexplore.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\Adobe
Source: C:\Program Files\Internet Explorer\iexplore.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\Adobe\Flash Player
Source: C:\Program Files\Internet Explorer\iexplore.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\Adobe\Flash Player\NativeCache
Source: C:\Program Files\Internet Explorer\iexplore.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData
Source: C:\Program Files\Internet Explorer\iexplore.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low
Source: C:\Program Files\Internet Explorer\iexplore.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer
Source: C:\Program Files\Internet Explorer\iexplore.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tracking Protection
Source: C:\Program Files\Internet Explorer\iexplore.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds
Source: C:\Program Files\Internet Explorer\iexplore.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming
Source: C:\Program Files\Internet Explorer\iexplore.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\PlayReady
Source: C:\Program Files\Internet Explorer\iexplore.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE
Source: C:\Program Files\Internet Explorer\iexplore.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low
Source: C:\Program Files\Internet Explorer\iexplore.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException
Source: C:\Program Files\Internet Explorer\iexplore.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low
Source: C:\Program Files\Internet Explorer\iexplore.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache
Source: C:\Program Files\Internet Explorer\iexplore.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low
Source: C:\Program Files\Internet Explorer\iexplore.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache
Source: C:\Program Files\Internet Explorer\iexplore.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low
Source: C:\Program Files\Internet Explorer\iexplore.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery
Source: C:\Program Files\Internet Explorer\iexplore.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Program Files\Internet Explorer\iexplore.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active
Source: C:\Program Files\Internet Explorer\iexplore.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6E6BDFD5-6CCE-11EE-8F38-ECF4BBB5915B}.dat
Source: C:\Program Files\Internet Explorer\iexplore.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\1033
Source: C:\Program Files\Internet Explorer\iexplore.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.bin
Source: C:\Windows\System32\ie4uinit.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Windows\System32\ie4uinit.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
Source: C:\Windows\System32\ie4uinit.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
Source: C:\Windows\System32\ie4uinit.exe | File created: C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Source: C:\Windows\System32\rundll32.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5
Source: C:\Windows\System32\rundll32.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low\History.IE5
Source: C:\Windows\System32\rundll32.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT
Source: C:\Windows\System32\rundll32.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~
Source: C:\Windows\System32\rundll32.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT
Source: C:\Windows\System32\rundll32.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\Adobe\Flash Player\NativeCache\NativeCache.directory
Source: C:\Windows\System32\rundll32.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~
Source: C:\Windows\System32\rundll32.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\Adobe\Flash Player\AssetCache
Source: C:\Windows\System32\rundll32.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\Adobe\Flash Player\AssetCache\YY5BP89L
Source: unknown | Executable created and started: C:\Windows\system\svchost.exe
Source: C:\Windows\system\svchost.exe | Executable created and started: C:\Windows\system\wupdmgr.exe
Source: C:\Users\user\Desktop\000002.exe | File created (dropped file): C:\Windows\system\svchost.exe
Source: C:\Users\user\Desktop\000002.exe | File created (dropped file): C:\Windows\system\wupdmgr.exe
Source: C:\Users\user\Desktop\000002.exe | File created (dropped file): C:\Windows\SysWOW64\Panel sterowania.{21EC2020-3AEA-1069-A2DD-08002B30309D}\winlogon.dll
Source: C:\Users\user\Desktop\000002.exe | File created (dropped file): C:\explore.exe
Source: C:\Users\user\Desktop\000002.exe | File created (dropped file): C:\Windows\SysWOW64\explorxp.exe
Source: C:\Users\user\Desktop\000002.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CreateProcess
Source: C:\Windows\system\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ie4uinit.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\system\svchost.exe TID: 2592Thread sleep count: 743 > 30Jump to behavior
Source: C:\Windows\system\svchost.exe TID: 2592Thread sleep time: -74300s >= -30000sJump to behavior
Source: C:\Windows\system\svchost.exe TID: 2592Thread sleep count: 31 > 30Jump to behavior
Source: C:\Windows\system\wupdmgr.exe TID: 2468Thread sleep count: 7777 > 30Jump to behavior
Source: C:\Windows\system\wupdmgr.exe TID: 2468Thread sleep time: -77770s >= -30000sJump to behavior
Source: C:\Windows\system\wupdmgr.exeThread sleep count: Count: 7777 delay: -10Jump to behavior
Source: C:\Windows\system\svchost.exeLast function: Thread delayed
Source: C:\Windows\system\svchost.exeLast function: Thread delayed
Source: C:\Windows\system\wupdmgr.exeLast function: Thread delayed
Source: C:\Windows\system\wupdmgr.exeLast function: Thread delayed
Source: C:\Users\user\Desktop\000002.exeDropped PE file which has not been started: C:\Windows\SysWOW64\explorxp.exeJump to dropped file
Source: C:\Windows\system\svchost.exeWindow / User API: threadDelayed 743Jump to behavior
Source: C:\Windows\system\wupdmgr.exeWindow / User API: threadDelayed 7777Jump to behavior
Source: C:\Windows\system\wupdmgr.exeAPI coverage: 6.0 %
Source: C:\Windows\system\wupdmgr.exeCode function: time,GetForegroundWindow,fopen,ctime,sprintf,fputs,fclose,Sleep,GetAsyncKeyState,fopen,GetForegroundWindow,GetWindowTextA,strcmp,sprintf,fputs,GetWindowTextA,fputc,fclose,fputc,fclose,fclose,3_2_004012A4
Source: C:\Windows\system\svchost.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Users\user\Desktop\000002.exeAPI call chain: ExitProcess graph end nodegraph_0-53
Source: C:\Windows\system\svchost.exeAPI call chain: ExitProcess graph end nodegraph_2-53
Source: C:\Windows\system\wupdmgr.exeAPI call chain: ExitProcess graph end nodegraph_3-950
Source: C:\Windows\system\wupdmgr.exeAPI call chain: ExitProcess graph end nodegraph_3-971
Source: C:\Windows\System32\ie4uinit.exeFile opened: C:\Windows\System32Jump to behavior
Source: C:\Windows\System32\ie4uinit.exeFile opened: C:\Windows\System32\config\systemprofile\AppDataJump to behavior
Source: C:\Windows\System32\ie4uinit.exeFile opened: C:\Windows\System32\configJump to behavior
Source: C:\Windows\System32\ie4uinit.exeFile opened: C:\Windows\System32\config\systemprofile\AppData\RoamingJump to behavior
Source: C:\Windows\System32\ie4uinit.exeFile opened: C:\Windows\System32\config\systemprofile\AppData\Roaming\MicrosoftJump to behavior
Source: C:\Windows\System32\ie4uinit.exeFile opened: C:\Windows\System32\config\systemprofileJump to behavior
Source: C:\Users\user\Desktop\000002.exeCode function: 0_2_018BF770 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,0_2_018BF770
Source: C:\Windows\system\svchost.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\system\wupdmgr.exeCode function: 3_2_00401100 SetUnhandledExceptionFilter,__getmainargs,74EB2900,74EB2900,_setmode,74EB2900,74EB2900,_setmode,__p__fmode,__p__environ,_cexit,ExitProcess,74EB2900,_setmode,74EB2900,3_2_00401100

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\system\svchost.exe | Memory written: C:\Program Files\Internet Explorer\iexplore.exe base: 20C0000
Source: C:\Windows\system\svchost.exe | Memory written: C:\Program Files\Internet Explorer\iexplore.exe base: 20D0000
Source: C:\Windows\system\svchost.exe | Memory written: C:\Program Files\Internet Explorer\iexplore.exe base: 20E0000
Source: C:\Windows\system\svchost.exe | Memory allocated: C:\Program Files\Internet Explorer\iexplore.exe base: 20C0000 protect: page execute and read and write
Source: C:\Windows\system\svchost.exe | Memory allocated: C:\Program Files\Internet Explorer\iexplore.exe base: 20D0000 protect: page execute and read and write
Source: C:\Windows\system\svchost.exe | Memory allocated: C:\Program Files\Internet Explorer\iexplore.exe base: 20E0000 protect: page read and write
Source: C:\Windows\system\svchost.exe | Process created: C:\Windows\system\wupdmgr.exe C:\Windows\system\wupdmgr.exe
Source: C:\Windows\system\svchost.exe | Process created: C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\IEXPLORE.EXE" \
Source: C:\Windows\System32\ie4uinit.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\ie4uinit.exe | Queries volume information: C:\Program Files\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\Windows\System32\Macromed\Flash\activex.vch VolumeInformation (3 occurrences)
Source: C:\Windows\System32\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Mitre Att&ck Matrix

The matrix is listed per tactic (column); a number in front of a technique is the badge shown with that technique in the report.

Initial Access: 12 Replication Through Removable Media; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 1 Native API; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: 1 Windows Service; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: 1 Windows Service; 211 Process Injection; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: 32 Masquerading; 2 Virtualization/Sandbox Evasion; 211 Process Injection; 1 Deobfuscate/Decode Files or Information; 31 Obfuscated Files or Information; 1 Rundll32; 111 Software Packing; 1 File Deletion
Credential Access: 21 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 11 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 1 Process Discovery; 1 Application Window Discovery; 11 Peripheral Device Discovery; 3 File and Directory Discovery; 12 System Information Discovery; Network Service Scanning
Lateral Movement: 12 Replication Through Removable Media; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: 1 Email Collection; 21 Input Capture; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: 1 Ingress Tool Transfer; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue
Behavior Graph (ID: 1327116, Sample: 000002.exe, Startdate: 17/10/2023, Architecture: WINDOWS, Score: 100). Process tree and signatures recovered from the rendered graph:

  • Top-level signatures: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file; 5 other signatures
  • 000002.exe (started): dropped C:\explore.exe (PE32), C:\Windows\system\wupdmgr.exe (PE32), C:\Windows\system\svchost.exe (PE32) and 2 other malicious files; signatures: Creates autorun.inf (USB autostart); Drops PE files with benign system names
  • svchost.exe (started): started iexplore.exe and wupdmgr.exe; signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 3 other signatures
  • iexplore.exe: started ie4uinit.exe, rundll32.exe, rundll32.exe and 2 other processes; signatures: Creates files in the system32 config directory; Clears Internet Explorer cache and cookies (likely to cover tracks)
  • wupdmgr.exe: signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Machine Learning detection for dropped file
  • ie4uinit.exe: dropped C:\Windows\System32\config\...\desktop.ini (Windows); signature: Creates files in the system32 config directory

Source | Detection | Scanner | Label
000002.exe | 68% | Virustotal |
000002.exe | 100% | Avira | W32/VB.BU
000002.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Windows\SysWOW64\Panel sterowania.{21EC2020-3AEA-1069-A2DD-08002B30309D}\winlogon.dll | 100% | Avira | W32/VB.BU
C:\Windows\system\wupdmgr.exe | 100% | Avira | TR/Crypt.FKM.Gen
C:\explore.exe | 100% | Avira | W32/VB.BU
C:\Windows\system\svchost.exe | 100% | Avira | W32/VB.BU
C:\Windows\SysWOW64\explorxp.exe | 100% | Avira | TR/Agent.afvz
C:\Windows\SysWOW64\Panel sterowania.{21EC2020-3AEA-1069-A2DD-08002B30309D}\winlogon.dll | 100% | Joe Sandbox ML |
C:\Windows\system\wupdmgr.exe | 100% | Joe Sandbox ML |
C:\explore.exe | 100% | Joe Sandbox ML |
C:\Windows\system\svchost.exe | 100% | Joe Sandbox ML |
C:\Windows\SysWOW64\Panel sterowania.{21EC2020-3AEA-1069-A2DD-08002B30309D}\winlogon.dll | 68% | Virustotal |
C:\Windows\SysWOW64\explorxp.exe | 57% | ReversingLabs | Win32.Trojan.Generic
C:\Windows\SysWOW64\explorxp.exe | 47% | Virustotal |
C:\Windows\system\svchost.exe | 68% | Virustotal |
C:\Windows\system\wupdmgr.exe | 88% | ReversingLabs | Win32.Backdoor.GrayBird
C:\Windows\system\wupdmgr.exe | 74% | Virustotal |
C:\explore.exe | 68% | Virustotal |
No Antivirus matches
No contacted domains info

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.macromedia.com | rundll32.exe, 0000000B.00000003.600834144.0000000002D60000.00000004.00000020.00020000.00000000.sdmp | false | | high

No contacted IP infos
Joe Sandbox Version: 38.0.0 Ammolite
Analysis ID: 1327116
Start date and time: 2023-10-17 11:17:54 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 49s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: 000002.exe
Detection: MAL
Classification: mal100.spre.evad.winEXE@16/19@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): UI0Detect.exe, dllhost.exe, WMIADAP.exe
  • Excluded IPs from analysis (whitelisted): 209.197.3.8, 72.21.81.240, 23.35.30.151
  • Excluded domains from analysis (whitelisted): e11290.dspg.akamaiedge.net, go.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, go.microsoft.com.edgekey.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, wu-bg-shim.trafficmanager.net, wu.azureedge.net
  • Not all processes were analyzed; the report is missing behavior information
  • Report size getting too big, too many NtEnumerateKey calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.

Time | Type | Description
11:18:44 | API Interceptor | 1x Sleep call for process: 000002.exe modified
11:18:45 | API Interceptor | 716x Sleep call for process: svchost.exe modified
11:19:32 | API Interceptor | 4776x Sleep call for process: wupdmgr.exe modified
11:20:38 | API Interceptor | 2x Sleep call for process: ie4uinit.exe modified
11:20:41 | API Interceptor | 34x Sleep call for process: rundll32.exe modified

No context
Process: C:\Users\user\Desktop\000002.exe
File Type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
Category: dropped
Size (bytes): 21759708
Entropy (8bit): 1.9436428734025761
Encrypted: false
SSDEEP: 196608:xkjkKk68hA6dv/z/LsI1gsI1esI1FqsI1xMsI1tsI1qsI15sI1gsI1:xSzIhA6dv/z/
MD5: A205A6202F91DAAB00D4CFB555CBCD0E
SHA1: 9C5EEF29AE538B14E805BFC234290EE0062BA76B
SHA-256: 39E66194E9D181D8CDA1ECD48F18B95D644DD89000251268EAF118F432C47F60
SHA-512: 250D5FA9FF0F6A6AEAE53442A69B192C06E3DE70EA8B06D5703F6864CC9D832BEC6CA7906FAC314C485421F50B2E9886C9DA4E0CB391D01B73FE062B55285702
Malicious: true
Antivirus:
  • Antivirus: Avira, Detection: 100%
  • Antivirus: Joe Sandbox ML, Detection: 100%
  • Antivirus: Virustotal, Detection: 68%
Reputation: low
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$./G.>.............8.p........J.p.K...J...L...@...........................L............... ...............................L.......L.............................................................................................................UPX0......J.............................UPX1.....p....J..j..................@....rsrc...X.....L.X....l.............. ...3.01.UPX!....UT6f..;Y..K.Wg..X...&.......U.....]..U.1.u...1...=....wC=...w.r[.....$.1..D$........,...tl..t*.......7w..FQ..]..I.t.f{a.=.....v..3 ..u.A.\..t4.`.Y..\.g.....}.\(..t...\|..;{./.$.L).n`..O.....S..v..$.7..@.)....Rw....E.E...@C.U.s....k..@,...T.[.8......b\......X.P%............E...t =m......K0..$:L,$.f.m<..%\...o.QP...<.]...k...(.......E..........6....#.g.......o.B.#.a..$.g...'...7....N...!B&.w,.....&........%]..t2U. .....]r...,.Ox..?...{.s.e_.y..........=..u.E... ..E..8
Process: C:\Users\user\Desktop\000002.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false
Reputation: high, very likely benign file
Preview: [ZoneTransfer]....ZoneId=0
Process: C:\Users\user\Desktop\000002.exe
File Type: PE32 executable (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 137729
Entropy (8bit): 6.3620679511258
Encrypted: false
SSDEEP: 3072:xvsZpk7sToiFgQNNjDBX05Wti5yWHFA9m068Q5:x6kIoiFXNRX05qi8yFA9368m
MD5: AB7C80B08FB806F943B8E22A7363FD4B
SHA1: B954EA878F9B9BD9052ADE4FC14D9AE61670FAEB
SHA-256: EC64740391869236C167227874EB9CB1C9C0DE08F253A92B9C9F46D15F48437F
SHA-512: 4974A7D5871D482A372E5D8B716F4CB8DCB4E5641E83342531B4CC3B061FCF9F5C19691073600E05EEB86482E38FB2A203369F8DEB8FFE3FC63DA95BFE2FC172
Malicious: true
Antivirus:
  • Antivirus: Avira, Detection: 100%
  • Antivirus: ReversingLabs, Detection: 57%
  • Antivirus: Virustotal, Detection: 47%
Reputation: low
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........j..r..r..r...n..r...n..r...P..r...P..r...P..r..wm..r..eQ..r..r...r...P..r..Rich.r..........................PE..L...GF.=.....................N....../.............@..............._..........@.......................................................................................................................................................................text............................... ..`.rdata..f).......*..................@..@.data...."..........................@...................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\000002.exe
File Type: Generic INItialization configuration [Logging]
Category: modified
Size (bytes): 1409
Entropy (8bit): 5.166661958914264
Encrypted: false
SSDEEP: 24:1Gx+gxDRskU1yoXDZbLLHqZZ7sMro7FUIJQXY/5C6FRGPrK:1ZgvUxVPaCpZ
MD5: 0002F4B62BD98411F889A8C4653B9B9A
SHA1: CFF91171F8E30B8015AC871E2E79C6BCCF1058A2
SHA-256: 77A1AC5C5DA6217ACC7A50D723C5A050C3106EE3403503EA532475B56E4F16C6
SHA-512: F224B0F8114566E0ABE2D26254592AAE602565402296BDDE4C8992475BB277A693B7F6C9B5FD46320DFA3F05D206E687F8EAF6E442CA2517B089CD172CF64A74
Malicious: false
Reputation: low
    Preview:[General]..FileVersion=2..[Logging]..Log=0..LogFileRules=14336..[NetworkSystem]..ServerPort=21..MaxUsers=10..LaunchBoot=1..PreviousStatus=25..[USER=root]..GroupName= ""..Activated=1..LoginType=2..Password= "dupa"..Login= "root"..Name= "root"..DefaultDirectory= ""..FSysModification_Path1= "/"..FSysModification_RealPath1= ""..FSysModification_AccessRight1=9642999..FSysModification_Path2= "/C:"..FSysModification_RealPath2= "C:"..FSysModification_AccessRight2=1062400..FSysModification_Path3= "/D:"..FSysModification_RealPath3= "D:"..FSysModification_AccessRight3=1062400..FSysModification_Path4= "/E:"..FSysModification_RealPath4= "E:"..FSysModification_AccessRight4=1062400..FSysModification_Path5= "/F:"..FSysModification_RealPath5= "F:"..FSysModification_AccessRight5=1062400..FSysModification_Path6= "/A:"..FSysModification_RealPath6= "A:"..FSysModification_AccessRight6=1062400..FSysModification_Path7= "/G:"..FSysModification_RealPath7= "G:"..FSysModification_AccessRight7=1062400..FSysModific
Process: C:\Windows\System32\rundll32.exe
File Type: data
Category: dropped
Size (bytes): 49120
Entropy (8bit): 0.0017331682157558962
Encrypted: false
SSDEEP: 3:Ztt:T
MD5: 0392ADA071EB68355BED625D8F9695F3
SHA1: 777253141235B6C6AC92E17E297A1482E82252CC
SHA-256: B1313DD95EAF63F33F86F72F09E2ECD700D11159A8693210C37470FCB84038F7
SHA-512: EF659EEFCAB16221783ECB258D19801A1FF063478698CF4FCE3C9F98059CA7B1D060B0449E6FD89D3B70439D9735FA1D50088568FF46C9927DE45808250AEC2E
Malicious: false
Reputation: moderate, very likely benign file
    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Program Files\Internet Explorer\iexplore.exe
File Type: Composite Document File V2 Document, Cannot read section info
Category: dropped
Size (bytes): 3584
Entropy (8bit): 1.734216510667583
Encrypted: false
SSDEEP: 12:rl0YmGF11DrEgmf+IaCyo6F8ADrEgmf+IaCyoqgNNlTqZvZhZ1zdTZtQJl/:r9Gv/QGv//NNlWZ1gj
MD5: B8AD6EBE65917008CC114784534FB4C5
SHA1: FBCD4CCA81E618236B6EDE5DBB01302563E23AB1
SHA-256: 271E26C60C9BBD1183F9405691A29886E63C50EF6178B7C0639D8B45006C51E9
SHA-512: F8E92A6BBE8B95732DECBF8A8172ABDD002CE6CE29484F686DC6A04A7FCDD45716EA9AEEDDB84E5B8FD16C15A3587AE769C6F38E02D975BA748B2527E0A3F928
Malicious: false
    Preview:......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.........................................................................................`..1..................K.j.j.a.q.f.a.j.N.2.c.0.u.z.g.v.1.l.4.q.y.5.n.f.W.e...........8...............................................................F.r.a.m.e.L.i.s.t.......................................................................................................0...............................................................................................................
Process: C:\Program Files\Internet Explorer\iexplore.exe
File Type: data
Category: dropped
Size (bytes): 298032
Entropy (8bit): 5.297553497908716
Encrypted: false
SSDEEP: 3072:wJSeGFgPDjVbaYAxsCNev1ZlVYYqyqv+1fDFmyoi:wSeGFgPDIY4sCNev1ZlVVqjqFmy9
MD5: 4E016F45211AF98239AD32BBAF75E5D9
SHA1: FC2DCBF22936C9848731FD45D2EC04F04BAFDA20
SHA-256: 9880A4BD68834D20A08FA538033AA89393418C70CD2C640196786B78420C8551
SHA-512: 8481AB3FDEFA040D8AABC9C7F45B349065F28D92DB38A5CF22D75A04C740B3001B5C6A9B38671C59BCFEA76E109668067B6CC72245DC1B9520F079B43D5DA7F3
Malicious: false
    Preview:...P........,...j...&...........6.......>...i...........,...System.StructuredQueryType.Action.System.StructuredQueryType.AllBitsSet.System.StructuredQueryType.AnyBitsSet.System.StructuredQueryType.Blurb.System.StructuredQueryType.Boolean.=TRUE.=FALSE.System.StructuredQueryType.ByteUnit.=1.=1024.=1048576.=1073741824.=1099511627776.=1125899906842624.=1152921504606846976.=1000.=1000000.=1000000000.=1000000000000.=1000000000000000.=1000000000000000000.System.StructuredQueryType.DateTime.N00UUUUUUUK7ZZNNU.N00UUUUUUUK1ZZNNU.N00UUUUUUUK2ZZNNU.N00UUUUUUUK3ZZNNU.N00UUUUUUUK4ZZNNU.N00UUUUUUUK5ZZNNU.N00UUUUUUUK6ZZNNU.N00UK1UUUUUUZZNNU.N00UK2UUUUUUZZNNU.N00UK3UUUUUUZZNNU.N00UK4UUUUUUZZNNU.N00UK5UUUUUUZZNNU.N00UK6UUUUUUZZNNU.N00UK7UUUUUUZZNNU.N00UK8UUUUUUZZNNU.N00UK9UUUUUUZZNNU.N00UK10UUUUUUZZNNU.N00UK11UUUUUUZZNNU.N00UK12UUUUUUZZNNU.R00UUUUUUUUZDNNU.R00UUUUUUUUD-1DNNU.R00UUUUUUUUD1DNNU.R00UUUUUUUUZZXD-1NU.R00UUUUUUUUZZXD1NU.R00UUUUUUUUZWNNU.R00UUUUUUUUW-1WNNU.R00UUUUUUUUW1WNNU.R00UUUUUUUUZZXW-1NU.
Process: C:\Windows\System32\rundll32.exe
File Type: data
Category: dropped
Size (bytes): 49120
Entropy (8bit): 0.0017331682157558962
Encrypted: false
SSDEEP: 3:Ztt:T
MD5: 0392ADA071EB68355BED625D8F9695F3
SHA1: 777253141235B6C6AC92E17E297A1482E82252CC
SHA-256: B1313DD95EAF63F33F86F72F09E2ECD700D11159A8693210C37470FCB84038F7
SHA-512: EF659EEFCAB16221783ECB258D19801A1FF063478698CF4FCE3C9F98059CA7B1D060B0449E6FD89D3B70439D9735FA1D50088568FF46C9927DE45808250AEC2E
Malicious: false
    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\System32\ie4uinit.exe
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Archive, ctime=Thu Mar 23 14:50:06 2017, mtime=Thu Mar 23 14:50:06 2017, atime=Thu Mar 23 14:50:06 2017, length=814288, window=hide
Category: dropped
Size (bytes): 1347
Entropy (8bit): 4.45937951709948
Encrypted: false
SSDEEP: 24:8G44YeldfxonEMtvHCbd/ANkcSgdCEMBCaBJP7YHtIX8EEZzevnyaxy:8kdmnvZYdIAgdCvBCsAIX/jvjxy
MD5: 444FFE43CBC21C4263BB70D6986C49FC
SHA1: B27962C1E36322036C3AD80BA49F5D08E69F951F
SHA-256: 1A84081496CCCEEC9F01A9DA4145C567DDA7AAE4A2C2E3CB4104264CFB58192C
SHA-512: 23420BE77E3CCD5F614754945E524BCFB81AEFDF86BFDB275906CBDE1E34F5D07F06DB116EF88CC822141D280302E1290D0F7C87D92BCC52DE4A19C2629AEC50
Malicious: false
    Preview:L..................F.... ....b.$....b.$....b.$....l...........................P.O. .:i.....+00.../C:\.....................1......W.v..PROGRA~1..p.......:...W.v*...<...............F.....P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....wJ.~..INTERN~1..P.......:..wJ.~*.........................I.n.t.e.r.n.e.t. .E.x.p.l.o.r.e.r.....b.2..l..wJD~ .iexplore.exe..F......wJD~wJD~*....H....................i.e.x.p.l.o.r.e...e.x.e.......^...............-.......]............7.e.....C:\Program Files\Internet Explorer\iexplore.exe..&.@.".%.w.i.n.d.i.r.%.\.S.y.s.t.e.m.3.2.\.i.e.4.u.i.n.i.t...e.x.e.".,.-.7.3.2.G.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.I.n.t.e.r.n.e.t. .E.x.p.l.o.r.e.r.\.i.e.x.p.l.o.r.e...e.x.e...%.H.O.M.E.D.R.I.V.E.%.%.H.O.M.E.P.A.T.H.%.........&................c^...NI..e.2.......|...........1SPSU(L.y.9K....-....................Y............#...M.i.c.r.o.s.o.f.t...I.n.t.e.r.n.e.t.E.x.p.l.o.r.e.r...D.e.f.a.u.l.t
Process: C:\Windows\System32\ie4uinit.exe
File Type: Windows desktop.ini
Category: dropped
Size (bytes): 97
Entropy (8bit): 5.027755937250173
Encrypted: false
SSDEEP: 3:dCoVMEhAgeWlYAs1NLOIASw5vtZ4RPAn:qcnlYb1ZV3uv46n
MD5: 45746B5317D380078FEBE04385B81405
SHA1: E6B9A47DEAB744C12125936C5E5ABB3E07B87FE8
SHA-256: A42B05C8BA93F4F590F5F367118F4850DFF4F3EC3A4A5E1AECCE87A9AE4D5511
SHA-512: CAF91351C5590922A9A3FAA41F5EBC82B450208A486A7A1CEE32C140C2290F8890BCDD216371CFE5135E5CC0CFECA323B1D3A09973CD415239B1F7959AF28098
Malicious: true
Preview: [LocalizedFileNames]..Launch Internet Explorer Browser.lnk=@%windir%\System32\ie4uinit.exe,-733..
Process: C:\Program Files\Internet Explorer\iexplore.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 402
Entropy (8bit): 3.5061348430835744
Encrypted: false
SSDEEP: 12:QZsiL5wmHOlDmo0qmTgclLwr2FlDmo0IWFkpklrgl2FlDmo0qjKAGlc9:QCGwv4o0plLwiF4o0hUsF4o01Ayc9
MD5: 881DFAC93652EDB0A8228029BA92D0F5
SHA1: 5B317253A63FECB167BF07BEFA05C5ED09C4CCEA
SHA-256: A45E345556901CD98B9BF8700B2A263F1DA2B2E53DBDF69B9E6CFAB6E0BD3464
SHA-512: 592B24DEB837D6B82C692DA781B8A69D9FA20BBAA3041D6C651839E72F45AC075A86CB967EA2DF08FA0635AE28D6064A900F5D15180B9037BB8BA02F9E8E1810
Malicious: false
    Preview:......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.9.6.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.1.5.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.1.7.3.....
    Process:C:\Program Files\Internet Explorer\iexplore.exe
    File Type:data
    Category:dropped
    Size (bytes):16384
    Entropy (8bit):0.09235269762233589
    Encrypted:false
    SSDEEP:3:FrJAqL4on/lgV//lluUfilclllv/nt+lybltll1lRslkhlEkllpqL0qL4ovjrF08:FrJTZtQ/+UuUFAlkx2vZvjrFvZ1iWCh
    MD5:4DC24114FADA8ADAB5130B0E2DD4B286
    SHA1:A7F5D9DF8E91B72BB458D09305C1E4430A45E37C
    SHA-256:CEB46E0FF07EE85C47ACEE322C09049F1EF6EE87CBAA4D4145F0613957136B8C
    SHA-512:4E87832D3ADF89282E7361E7085A79124408C36A66829A335DBB922D007B5AE745F984CB67033F557F185AF88CA6A2AB0967EB58F6B173E60568A0A9A6CB8FB7
    Malicious:false
    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Windows\system\wupdmgr.exe
    File Type:ISO-8859 text, with CRLF line terminators
    Category:dropped
    Size (bytes):54
    Entropy (8bit):4.4650451974523
    Encrypted:false
    SSDEEP:3:vowSs+23FFHToSUdPX0Wl4fn:Qfs+Qb4dPkWl4f
    MD5:A76212E31E415F8EC1D7FCFE46B8B4D6
    SHA1:F4F9789302D14EA16F9E2EB8AB9EF3A4CBE67D5F
    SHA-256:F9AD66CF1B083606EC8D579ED86A73EA1AC39E240CF233AE7478B0D75E764914
    SHA-512:22743B88F57D3C0E7B34D2727730C08EF8D2080DE4079DB9E7F702F89E4BF37F2DEEEA67BD04BB81752ECEF588F3C81087CF051F5E8FCCAB2AAB35B95BEAF71C
    Malicious:false
    Preview:.....@.....@....... Tue Oct 17 11:18:46 2023.. .....
    Process:C:\Users\user\Desktop\000002.exe
    File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
    Category:dropped
    Size (bytes):21759708
    Entropy (8bit):1.9436428734025761
    Encrypted:false
    SSDEEP:196608:xkjkKk68hA6dv/z/LsI1gsI1esI1FqsI1xMsI1tsI1qsI15sI1gsI1:xSzIhA6dv/z/
    MD5:A205A6202F91DAAB00D4CFB555CBCD0E
    SHA1:9C5EEF29AE538B14E805BFC234290EE0062BA76B
    SHA-256:39E66194E9D181D8CDA1ECD48F18B95D644DD89000251268EAF118F432C47F60
    SHA-512:250D5FA9FF0F6A6AEAE53442A69B192C06E3DE70EA8B06D5703F6864CC9D832BEC6CA7906FAC314C485421F50B2E9886C9DA4E0CB391D01B73FE062B55285702
    Malicious:true
    Antivirus:
    • Antivirus: Avira, Detection: 100%
    • Antivirus: Joe Sandbox ML, Detection: 100%
    • Antivirus: Virustotal, Detection: 68%
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$./G.>.............8.p........J.p.K...J...L...@...........................L............... ...............................L.......L.............................................................................................................UPX0......J.............................UPX1.....p....J..j..................@....rsrc...X.....L.X....l.............. ...3.01.UPX!....UT6f..;Y..K.Wg..X...&.......U.....]..U.1.u...1...=....wC=...w.r[.....$.1..D$........,...tl..t*.......7w..FQ..]..I.t.f{a.=.....v..3 ..u.A.\..t4.`.Y..\.g.....}.\(..t...\|..;{./.$.L).n`..O.....S..v..$.7..@.)....Rw....E.E...@C.U.s....k..@,...T.[.8......b\......X.P%............E...t =m......K0..$:L,$.f.m<..%\...o.QP...<.]...k...(.......E..........6....#.g.......o.B.#.a..$.g...'...7....N...!B&.w,.....&........%]..t2U. .....]r...,.Ox..?...{.s.e_.y..........=..u.E... ..E..8
    Process:C:\Users\user\Desktop\000002.exe
    File Type:ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):26
    Entropy (8bit):3.95006375643621
    Encrypted:false
    SSDEEP:3:ggPYV:rPYV
    MD5:187F488E27DB4AF347237FE461A079AD
    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
    Malicious:false
    Preview:[ZoneTransfer]....ZoneId=0
    Process:C:\Users\user\Desktop\000002.exe
    File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
    Category:dropped
    Size (bytes):20708
    Entropy (8bit):4.877252981445995
    Encrypted:false
    SSDEEP:384:hf6WHkMW2WrHkvAJ082eOyH+2hQVijNxapJu+uWzO1+Uqh+2yav1ghcVwZsEdMNu:hyWSLEAJ082eOyH+2hQVijNxapJu+uWk
    MD5:EAF804ADBB753C761F7101C4DB14C0FB
    SHA1:16867ACE9459E97C7577DECF7F487952625853A4
    SHA-256:71C54A1B8B657DF81CDB1ED5B01375371472562863B44B24D78E2FA763555C30
    SHA-512:8794B739891662650280A42DADF8D1D12E94BF5CFE046D2442B79198635722331D5DB43896F466919F9A7E6D9AAD6DE0C1A1286057CF8316CCFFE7801D7A427E
    Malicious:true
    Antivirus:
    • Antivirus: Avira, Detection: 100%
    • Antivirus: Joe Sandbox ML, Detection: 100%
    • Antivirus: ReversingLabs, Detection: 88%
    • Antivirus: Virustotal, Detection: 74%
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....,G.<.............8............0.............@........................................... .............................|...........|...........................................................................................................code....................................text................................@....rsrc...............................@...3.01........j.H...9..........t..&..@....U.....]..U.1.u...1...=....wC=...w.r[.....$.1..D$........l...tl..t*.......7w..FQ..]..I.Bt.n{a.=.....v...3 ..u.A.\..t47.-X..\.g...v..\(..t....|....`/.$.L).....O.....S...v$..7..@.J........R.E.....`..U.s..}... @...T..[k.p..8........+..X.0%..L.....QG...~...t =....K0..$.B.}:.,$O......F.m%QP....}*|.]...|.......\....E......~........#L..E..`g....B.#...w.$.g...'.....n..N..D.I......M.&.....~.m.\3e]..t2U...0dP._]r.|..,..ob...E....[......H.`.....f...
    Process:C:\Users\user\Desktop\000002.exe
    File Type:Microsoft Windows Autorun file
    Category:dropped
    Size (bytes):35
    Entropy (8bit):3.8645783739023827
    Encrypted:false
    SSDEEP:3:It12NApYdVJMlAn:e12ddVsAn
    MD5:0552B41955455B159B21FB6978A15136
    SHA1:238442041BEFEBD01FB3E371DBD7EDFB592C4B29
    SHA-256:724E3B4FD3F51D72C8C1B1D4FE25EEB2DD8D40EAA297D74FF807D8F742D84443
    SHA-512:BB14B46DBC2B8275873B82F3028AEA66A5B6183C7CD810ABF35A2B1BEC17C3649F706358E1FFF9307D263CCAF74A91D3C25FB0F5EA52D3ED8133F38EC2D689D5
    Malicious:false
    Preview:[autorun]..Shellexecute=explore.exe
    Process:C:\Users\user\Desktop\000002.exe
    File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
    Category:dropped
    Size (bytes):21759708
    Entropy (8bit):1.9436428734025761
    Encrypted:false
    SSDEEP:196608:xkjkKk68hA6dv/z/LsI1gsI1esI1FqsI1xMsI1tsI1qsI15sI1gsI1:xSzIhA6dv/z/
    MD5:A205A6202F91DAAB00D4CFB555CBCD0E
    SHA1:9C5EEF29AE538B14E805BFC234290EE0062BA76B
    SHA-256:39E66194E9D181D8CDA1ECD48F18B95D644DD89000251268EAF118F432C47F60
    SHA-512:250D5FA9FF0F6A6AEAE53442A69B192C06E3DE70EA8B06D5703F6864CC9D832BEC6CA7906FAC314C485421F50B2E9886C9DA4E0CB391D01B73FE062B55285702
    Malicious:true
    Antivirus:
    • Antivirus: Avira, Detection: 100%
    • Antivirus: Joe Sandbox ML, Detection: 100%
    • Antivirus: Virustotal, Detection: 68%
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$./G.>.............8.p........J.p.K...J...L...@...........................L............... ...............................L.......L.............................................................................................................UPX0......J.............................UPX1.....p....J..j..................@....rsrc...X.....L.X....l.............. ...3.01.UPX!....UT6f..;Y..K.Wg..X...&.......U.....]..U.1.u...1...=....wC=...w.r[.....$.1..D$........,...tl..t*.......7w..FQ..]..I.t.f{a.=.....v..3 ..u.A.\..t4.`.Y..\.g.....}.\(..t...\|..;{./.$.L).n`..O.....S..v..$.7..@.)....Rw....E.E...@C.U.s....k..@,...T.[.8......b\......X.P%............E...t =m......K0..$:L,$.f.m<..%\...o.QP...<.]...k...(.......E..........6....#.g.......o.B.#.a..$.g...'...7....N...!B&.w,.....&........%]..t2U. .....]r...,.Ox..?...{.s.e_.y..........=..u.E... ..E..8
    Process:C:\Users\user\Desktop\000002.exe
    File Type:ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):26
    Entropy (8bit):3.95006375643621
    Encrypted:false
    SSDEEP:3:ggPYV:rPYV
    MD5:187F488E27DB4AF347237FE461A079AD
    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
    Malicious:false
    Preview:[ZoneTransfer]....ZoneId=0
    File type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
    Entropy (8bit):1.9436428734025761
    TrID:
    • Win32 Executable (generic) a (10002005/4) 98.59%
    • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
    • UPX compressed Win32 Executable (30571/9) 0.30%
    • Win32 EXE Yoda's Crypter (26571/9) 0.26%
    • Generic Win/DOS Executable (2004/3) 0.02%
    File name:000002.exe
    File size:21'759'708 bytes
    MD5:a205a6202f91daab00d4cfb555cbcd0e
    SHA1:9c5eef29ae538b14e805bfc234290ee0062ba76b
    SHA256:39e66194e9d181d8cda1ecd48f18b95d644dd89000251268eaf118f432c47f60
    SHA512:250d5fa9ff0f6a6aeae53442a69b192c06e3de70ea8b06d5703f6864cc9d832bec6ca7906fac314c485421f50b2e9886c9da4e0cb391d01b73fe062b55285702
    SSDEEP:196608:xkjkKk68hA6dv/z/LsI1gsI1esI1FqsI1xMsI1tsI1qsI15sI1gsI1:xSzIhA6dv/z/
    TLSH:D3271292FE958E5CD5E34B7C5D82BE81443EFCB116A29B4730A97F196E77C042D8230A
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$./G.>.............8.p........J.p.K...J...L...@...........................L............... ............................
    Icon Hash:aaf3e3e3918382a0
    Entrypoint:0x18bf770
    Entrypoint Section:UPX1
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
    DLL Characteristics:
    Time Stamp:0x472F9B24 [Mon Nov 5 22:37:24 2007 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:4
    OS Version Minor:0
    File Version Major:4
    File Version Minor:0
    Subsystem Version Major:4
    Subsystem Version Minor:0
    Import Hash:fa9b478be79e2475ccb2af2645153d7d
    Instruction
    pushad
    mov esi, 018A9015h
    lea edi, dword ptr [esi-014A8015h]
    push edi
    jmp 00007FE57D7DFC7Dh
    nop
    mov al, byte ptr [esi]
    inc esi
    mov byte ptr [edi], al
    inc edi
    add ebx, ebx
    jne 00007FE57D7DFC79h
    mov ebx, dword ptr [esi]
    sub esi, FFFFFFFCh
    adc ebx, ebx
    jc 00007FE57D7DFC5Fh
    mov eax, 00000001h
    add ebx, ebx
    jne 00007FE57D7DFC79h
    mov ebx, dword ptr [esi]
    sub esi, FFFFFFFCh
    adc ebx, ebx
    adc eax, eax
    add ebx, ebx
    jnc 00007FE57D7DFC61h
    jne 00007FE57D7DFC7Bh
    mov ebx, dword ptr [esi]
    sub esi, FFFFFFFCh
    adc ebx, ebx
    jnc 00007FE57D7DFC56h
    xor ecx, ecx
    sub eax, 03h
    jc 00007FE57D7DFC7Fh
    shl eax, 08h
    mov al, byte ptr [esi]
    inc esi
    xor eax, FFFFFFFFh
    je 00007FE57D7DFCE6h
    mov ebp, eax
    add ebx, ebx
    jne 00007FE57D7DFC79h
    mov ebx, dword ptr [esi]
    sub esi, FFFFFFFCh
    adc ebx, ebx
    adc ecx, ecx
    add ebx, ebx
    jne 00007FE57D7DFC79h
    mov ebx, dword ptr [esi]
    sub esi, FFFFFFFCh
    adc ebx, ebx
    adc ecx, ecx
    jne 00007FE57D7DFC92h
    inc ecx
    add ebx, ebx
    jne 00007FE57D7DFC79h
    mov ebx, dword ptr [esi]
    sub esi, FFFFFFFCh
    adc ebx, ebx
    adc ecx, ecx
    add ebx, ebx
    jnc 00007FE57D7DFC61h
    jne 00007FE57D7DFC7Bh
    mov ebx, dword ptr [esi]
    sub esi, FFFFFFFCh
    adc ebx, ebx
    jnc 00007FE57D7DFC56h
    add ecx, 02h
    cmp ebp, FFFFF300h
    adc ecx, 01h
    lea edx, dword ptr [edi+ebp]
    cmp ebp, FFFFFFFCh
    jbe 00007FE57D7DFC81h
    mov al, byte ptr [edx]
    inc edx
    mov byte ptr [edi], al
    inc edi
    dec ecx
    jne 00007FE57D7DFC69h
    jmp 00007FE57D7DFBD8h
    nop
    mov eax, dword ptr [edx]
    add edx, 04h
    mov dword ptr [edi], eax
    add edi, 04h
    sub ecx, 04h
    jnbe 00007FE57D7DFC63h
    add edi, ecx
    jmp 00007FE57D7EFBC1h
    Name                                  Virtual Address  Virtual Size  Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
    IMAGE_DIRECTORY_ENTRY_IMPORT          0x14c0498        0x1ac         .rsrc
    IMAGE_DIRECTORY_ENTRY_RESOURCE        0x14c0000        0x498         .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
    IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
    IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
    IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
    IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
    IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
    IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
    Name:UPX0
    Virtual Address:0x1000
    Virtual Size:0x14a8000
    Raw Size:0x0
    Xored PE:unknown
    ZLIB Complexity:unknown
    File Type:unknown
    Entropy:unknown
    Characteristics:IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

    Name:UPX1
    Virtual Address:0x14a9000
    Virtual Size:0x17000
    Raw Size:0x16a00
    Xored PE:False
    ZLIB Complexity:0.9005956491712708
    File Type:data
    Entropy:7.829910750829017
    Characteristics:IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

    Name:.rsrc
    Virtual Address:0x14c0000
    Virtual Size:0x8d58
    Raw Size:0x8d58
    Xored PE:False
    ZLIB Complexity:0.23960866681406146
    File Type:data
    Entropy:4.243599811678561
    Characteristics:IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    Name:RT_VERSION
    RVA:0x14c005c
    Size:0x43c
    Type:data
    Language:English
    Country:United States
    ZLIB Complexity:0.4280442804428044
    DLL           Import
    KERNEL32.DLL  LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
    ADVAPI32.DLL  RegCloseKey
    msvcrt.dll    _iob
    PSAPI.DLL     EnumProcesses
    SHELL32.DLL   ShellExecuteA
    WSOCK32.DLL   htons
    Language of compilation system:English
    Country where language is spoken:United States
    No network behavior found
    Target ID:0
    Start time:11:18:42
    Start date:17/10/2023
    Path:C:\Users\user\Desktop\000002.exe
    Wow64 process (32bit):true
    Commandline:C:\Users\user\Desktop\000002.exe
    Imagebase:0x400000
    File size:21'759'708 bytes
    MD5 hash:A205A6202F91DAAB00D4CFB555CBCD0E
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:low
    Has exited:true

    Target ID:2
    Start time:11:18:45
    Start date:17/10/2023
    Path:C:\Windows\system\svchost.exe
    Wow64 process (32bit):true
    Commandline:C:\Windows\system\svchost.exe
    Imagebase:0x400000
    File size:21'759'708 bytes
    MD5 hash:A205A6202F91DAAB00D4CFB555CBCD0E
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Antivirus matches:
    • Detection: 100%, Avira
    • Detection: 100%, Joe Sandbox ML
    • Detection: 68%, Virustotal
    Reputation:low
    Has exited:false

    Target ID:3
    Start time:11:18:45
    Start date:17/10/2023
    Path:C:\Windows\system\wupdmgr.exe
    Wow64 process (32bit):true
    Commandline:C:\Windows\system\wupdmgr.exe
    Imagebase:0x400000
    File size:20'708 bytes
    MD5 hash:EAF804ADBB753C761F7101C4DB14C0FB
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Antivirus matches:
    • Detection: 100%, Avira
    • Detection: 100%, Joe Sandbox ML
    • Detection: 88%, ReversingLabs
    • Detection: 74%, Virustotal
    Reputation:low
    Has exited:false

    Target ID:5
    Start time:11:20:37
    Start date:17/10/2023
    Path:C:\Program Files\Internet Explorer\iexplore.exe
    Wow64 process (32bit):false
    Commandline:"C:\Program Files\Internet Explorer\IEXPLORE.EXE" \
    Imagebase:0x13fb20000
    File size:814'288 bytes
    MD5 hash:4EB098135821348270F27157F7A84E65
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:false

    Target ID:6
    Start time:11:20:37
    Start date:17/10/2023
    Path:C:\Windows\System32\ie4uinit.exe
    Wow64 process (32bit):false
    Commandline:"C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
    Imagebase:0x13f950000
    File size:725'504 bytes
    MD5 hash:AB5576121AEC5386E15E6DCE469BB3C4
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:low
    Has exited:true

    Target ID:7
    Start time:11:20:38
    Start date:17/10/2023
    Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Wow64 process (32bit):true
    Commandline:"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2968 CREDAT:275457 /prefetch:2
    Imagebase:0x10e0000
    File size:815'304 bytes
    MD5 hash:8A590F790A98F3D77399BE457E01386A
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:false

    Target ID:9
    Start time:11:20:40
    Start date:17/10/2023
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:264 WinX:0 WinY:0 IEFrame:0000000000000000
    Imagebase:0xff580000
    File size:45'568 bytes
    MD5 hash:DD81D91FF3B0763C392422865C9AC12E
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:10
    Start time:11:20:40
    Start date:17/10/2023
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:65800 WinX:0 WinY:0 IEFrame:0000000000000000
    Imagebase:0xff580000
    File size:45'568 bytes
    MD5 hash:DD81D91FF3B0763C392422865C9AC12E
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:11
    Start time:11:20:40
    Start date:17/10/2023
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:65800 WinX:0 WinY:0 IEFrame:0000000000000000
    Imagebase:0xff580000
    File size:45'568 bytes
    MD5 hash:DD81D91FF3B0763C392422865C9AC12E
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Execution Graph

    Execution Coverage:54.7%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:100%
    Total number of Nodes:8
    Total number of Limit Nodes:1
    execution_graph (rendered as an image in the original; 8 nodes, entry at 18bf770): 18bf780 branches to LoadLibraryA (18bf87a) and to VirtualProtect * 2 (18bf8b6); the LoadLibraryA path loops through 18bf891 and GetProcAddress (18bf898) back to 18bf780 and ends at ExitProcess (18bf8b0); the VirtualProtect path ends in a self-loop at 18bf8ea.

    Callgraph

    callgraph 0 Function_018BF770

    Executed Functions

    Control-flow Graph

    control_flow_graph (rendered as an image in the original): 46 basic blocks from 18bf770 to 18bf8f0; the API-calling blocks are 18bf87a-18bf890 (LoadLibraryA), 18bf898-18bf8a7 (GetProcAddress), 18bf8b0 (ExitProcess) and 18bf8b6-18bf8e6 (VirtualProtect * 2).
    Memory Dump Source
    • Source File: 00000000.00000002.351781030.00000000018BF000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.351577303.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.351583858.0000000000401000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.351583858.00000000018BB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.351583858.00000000018BE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.351787858.00000000018C0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.351790991.00000000018C1000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_000002.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 8730751268df0236373008d5169ce7179d41b34d28850949fe18b7d3fe11cdc3
    • Instruction ID: da3865dceb5da3155f976848b1686a6ce88065c4bda0a9f71285d3fa47b21de4
    • Opcode Fuzzy Hash: 8730751268df0236373008d5169ce7179d41b34d28850949fe18b7d3fe11cdc3
    • Instruction Fuzzy Hash: 2E513971A447A25BD7218EBC8CC06E4BB94EB0133471C07B9DBE5CB3C7E7945A0687A4
    Uniqueness

    Uniqueness Score: -1.00%

    Execution Graph

    Execution Coverage:54.7%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:0%
    Total number of Nodes:8
    Total number of Limit Nodes:1
    execution_graph (rendered as an image in the original; 8 nodes, entry at 18bf770): 18bf780 branches to LoadLibraryA (18bf87a) and to VirtualProtect * 2 (18bf8b6); the LoadLibraryA path loops through 18bf891 and GetProcAddress (18bf898) back to 18bf780 and ends at ExitProcess (18bf8b0); the VirtualProtect path ends in a self-loop at 18bf8ea.

    Callgraph

    callgraph 0 Function_018BF770

    Executed Functions

    Control-flow Graph

    control_flow_graph (rendered as an image in the original): 46 basic blocks from 18bf770 to 18bf8f0; the API-calling blocks are 18bf87a-18bf890 (LoadLibraryA), 18bf898-18bf8a7 (GetProcAddress), 18bf8b0 (ExitProcess) and 18bf8b6-18bf8e6 (VirtualProtect * 2).
    Memory Dump Source
    • Source File: 00000002.00000002.612104632.00000000018BF000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.611914748.0000000000400000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000002.00000002.611920729.0000000000401000.00000040.00000001.01000000.00000004.sdmp
    • Associated: 00000002.00000002.611920729.00000000018BB000.00000040.00000001.01000000.00000004.sdmp
    • Associated: 00000002.00000002.611920729.00000000018BE000.00000040.00000001.01000000.00000004.sdmp
    • Associated: 00000002.00000002.612108863.00000000018C0000.00000040.00000001.01000000.00000004.sdmp
    • Associated: 00000002.00000002.612112849.00000000018C1000.00000080.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 8730751268df0236373008d5169ce7179d41b34d28850949fe18b7d3fe11cdc3
    • Instruction ID: da3865dceb5da3155f976848b1686a6ce88065c4bda0a9f71285d3fa47b21de4
    • Opcode Fuzzy Hash: 8730751268df0236373008d5169ce7179d41b34d28850949fe18b7d3fe11cdc3
    • Instruction Fuzzy Hash: 2E513971A447A25BD7218EBC8CC06E4BB94EB0133471C07B9DBE5CB3C7E7945A0687A4
    Uniqueness

    Uniqueness Score: -1.00%

    Execution Graph

    Execution Coverage:9.3%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:22.2%
    Total number of Nodes:117
    Total number of Limit Nodes:5
    execution_graph (rendered as an image in the original; 117 nodes, 5 limit nodes). Node labels recoverable from the graph: a C-runtime startup path (__set_app_type, SetUnhandledExceptionFilter, __getmainargs, __p__fmode, __p__environ, _setmode, _cexit, ExitProcess) and a signal-handler setup path at 401000; an atom-table path at 401d80 (FindAtomA, AddAtomA, GetAtomNameA, malloc, ??3@YAXPAX, fprintf, fflush, abort); a loop at 401290-4019b7 built from time, ctime, GetForegroundWindow, GetWindowTextA, strcmp, GetAsyncKeyState, Sleep, fopen, sprintf, fputs, fputc, fclose, GetFileSize and CloseHandle; and a second unpacking stub at 40cd30 (LoadLibraryA, VirtualProtect * 2, ExitProcess).

    Callgraph


    Executed Functions

    Control-flow Graph

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.611886858.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.611883109.0000000000400000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000405000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000409000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.000000000040B000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611909376.000000000040C000.00000080.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611914490.000000000040D000.00000004.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_wupdmgr.jbxd
    Similarity
    • API ID: fopen$AsyncForegroundSleepStateWindowctimefclosefputssprintftime
    • String ID: C:\Windows\system\mmtaskclean.log$Z
    • API String ID: 19271391-3603354086
    • Opcode ID: 4f9ffc5df5f70fe0ea73d5357bacf12fbfd90202001bc90b7abfa8319a7387dc
    • Instruction ID: 99973f0d81af2728623730dc7e3b3e2f99f2042feeab3f0dcd89637f3ebca65f
    • Opcode Fuzzy Hash: 4f9ffc5df5f70fe0ea73d5357bacf12fbfd90202001bc90b7abfa8319a7387dc
    • Instruction Fuzzy Hash: A2610CB08153149BCB11AF65C5493AEB7F4AF04304F4194BFE885B72D1D7B88A85CF8A
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    Similarity
    • API ID: _setmode$ExceptionExitFilterProcessUnhandled__getmainargs__p__environ__p__fmode_cexit
    • String ID:
    • API String ID: 3695137517-0
    • Opcode ID: 723d2875feaf18fad916285d8239d4167fbe978b591880568a06aabeb17f356a
    • Instruction ID: ed262371cd2d99b669261b2289dc79509b1614f2c91a2720501763c72fb6f7ed
    • Opcode Fuzzy Hash: 723d2875feaf18fad916285d8239d4167fbe978b591880568a06aabeb17f356a
    • Instruction Fuzzy Hash: 3B31FBB46057018FC704EF25D68561AB7F1BB8C344F10C93EEA85AB3E6D7789840CB9A
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    Strings
    Similarity
    • API ID: Atom$Findmalloc
    • String ID: -LIBGCCW32-EH-2-SJLJ-GTHR-MINGW32$AAAA$AAAA$AAAA$AAAA$AAAA$AAAA$AAAA$AAAA$P!@
    • API String ID: 822928543-1858288209
    • Opcode ID: b6ff5d63b7ea74e944f6b5b52c77ec8d088df8565a86c425412f1b91e09949b8
    • Instruction ID: 4e60aff06c073efde4a17172efbea8fba85b7edfe20a9ce9cb22ad9490afa695
    • Opcode Fuzzy Hash: b6ff5d63b7ea74e944f6b5b52c77ec8d088df8565a86c425412f1b91e09949b8
    • Instruction Fuzzy Hash: 186149B4A00604CFDB50DF69DA8479ABBF0FB48314F14417AE948EB366E7349884CF59
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    Strings
    Similarity
    • API ID: sprintf$CloseDirectoryFileHandleShowSizeWindowWindowsfclosefopen
    • String ID: %s\system\mmtask.dat$%s\system\mmtaskclean.log$%s\system\msimn.exe$C:\Windows$C:\Windows\system\mmtask.dat$C:\Windows\system\mmtaskclean.log$C:\Windows\system\msimn.exe
    • API String ID: 3427481349-154546895
    • Opcode ID: 468db0913ee5887a71fc7dbbb91116dd5326ffd7e68c6cfc61a62e3f7b625b8f
    • Instruction ID: 482f67702dc145efb1e56bebb3b3258d12690240adae491dac448a462854f4c6
    • Opcode Fuzzy Hash: 468db0913ee5887a71fc7dbbb91116dd5326ffd7e68c6cfc61a62e3f7b625b8f
    • Instruction Fuzzy Hash: FC31D8F08083149AD700BF65DA4935EBAF4AB44748F01897EE4C57B2C1D7BC86989F9B
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    Memory Dump Source
    • Source File: 00000003.00000002.611909376.000000000040C000.00000080.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.611883109.0000000000400000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000401000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000405000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000409000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.000000000040B000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611914490.000000000040D000.00000004.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_wupdmgr.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: bc7ed15d379ef6b00bc2cc0f2103e89475f40f4e2ff078514bf5327df98c249c
    • Instruction ID: b2f3010de40a24b26b8a897d832c40a66a72517ff6fa433f9c277007c24724b7
    • Opcode Fuzzy Hash: bc7ed15d379ef6b00bc2cc0f2103e89475f40f4e2ff078514bf5327df98c249c
    • Instruction Fuzzy Hash: 9951F7716402528BD7205F78CCC06A57F90EF52324B28073AD5E6EB3C5E7BC58068798
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • __set_app_type.MSVCRT ref: 0040122D
      • Part of subcall function 00401100: SetUnhandledExceptionFilter.KERNEL32 ref: 00401111
      • Part of subcall function 00401100: __getmainargs.MSVCRT ref: 0040114A
      • Part of subcall function 00401100: _setmode.MSVCRT ref: 00401185
      • Part of subcall function 00401100: _setmode.MSVCRT ref: 004011AB
      • Part of subcall function 00401100: __p__fmode.MSVCRT ref: 004011B0
      • Part of subcall function 00401100: __p__environ.MSVCRT ref: 004011C5
      • Part of subcall function 00401100: _cexit.MSVCRT ref: 004011E9
      • Part of subcall function 00401100: ExitProcess.KERNEL32 ref: 004011F1
      • Part of subcall function 00401100: _setmode.MSVCRT ref: 00401206
    • __set_app_type.MSVCRT ref: 0040124D
    Similarity
    • API ID: _setmode$__set_app_type$ExceptionExitFilterProcessUnhandled__getmainargs__p__environ__p__fmode_cexit
    • String ID:
    • API String ID: 2043081007-0
    • Opcode ID: 32aa3a61f5790156aa6d4bd4f6e19ca6398fc8689d2e4c25a68e803a36a49234
    • Instruction ID: e68e2e8b23b5cb364d68160bad9ffe22f503ed2db7efef9459ac3227c1c60261
    • Opcode Fuzzy Hash: 32aa3a61f5790156aa6d4bd4f6e19ca6398fc8689d2e4c25a68e803a36a49234
    • Instruction Fuzzy Hash: B6E0EC35404214ABD3007FB5D90A359BBA8BB09341F42082CE6857B1A2D6B438098BD6
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • __set_app_type.MSVCRT ref: 0040122D
      • Part of subcall function 00401100: SetUnhandledExceptionFilter.KERNEL32 ref: 00401111
      • Part of subcall function 00401100: __getmainargs.MSVCRT ref: 0040114A
      • Part of subcall function 00401100: _setmode.MSVCRT ref: 00401185
      • Part of subcall function 00401100: _setmode.MSVCRT ref: 004011AB
      • Part of subcall function 00401100: __p__fmode.MSVCRT ref: 004011B0
      • Part of subcall function 00401100: __p__environ.MSVCRT ref: 004011C5
      • Part of subcall function 00401100: _cexit.MSVCRT ref: 004011E9
      • Part of subcall function 00401100: ExitProcess.KERNEL32 ref: 004011F1
      • Part of subcall function 00401100: _setmode.MSVCRT ref: 00401206
    • __set_app_type.MSVCRT ref: 0040124D
    Similarity
    • API ID: _setmode$__set_app_type$ExceptionExitFilterProcessUnhandled__getmainargs__p__environ__p__fmode_cexit
    • String ID:
    • API String ID: 2043081007-0
    • Opcode ID: ad704b4dd6c1fb5f858e6ac0ccf3e1478abdc948648886d86e72435bf0ea333d
    • Instruction ID: 60b13412fd5a57fc4e3a6c387b4131460759817e1470f5fcadbf26c0b515cf07
    • Opcode Fuzzy Hash: ad704b4dd6c1fb5f858e6ac0ccf3e1478abdc948648886d86e72435bf0ea333d
    • Instruction Fuzzy Hash: 9AD062354042145BD3007FB5DD0A359BBE86B09341F41043CE6C5771B2D6B43C494796
    Uniqueness

    Uniqueness Score: -1.00%

    Non-executed Functions

    Control-flow Graph

    APIs
    Strings
    Similarity
    • API ID: AsyncSleepStatefclosefopenfputs
    • String ID: ]} $C:\Windows\system\mmtaskclean.log
    • API String ID: 2048754653-3439042769
    • Opcode ID: 2e5bb90e7e716f258309702c986d4a77da689758adc165e76ab091d98b4ad2fb
    • Instruction ID: 6dc1b6a1285fda5505ac1cd26dfad4f1b6e508bd1cc1d3bdad68cc5af1452aad
    • Opcode Fuzzy Hash: 2e5bb90e7e716f258309702c986d4a77da689758adc165e76ab091d98b4ad2fb
    • Instruction Fuzzy Hash: 76014BB08142149ADB10AF65855426EB6F4FF04308F4098BBE885772C0D3BC8AC1CF4A
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    Strings
    Similarity
    • API ID: AsyncSleepStatefclosefopenfputs
    • String ID: `~$C:\Windows\system\mmtaskclean.log
    • API String ID: 2048754653-2520190481
    • Opcode ID: eb2e6548559b5328e80939130fd809a4cd463dc6109c39b368a9331d783c3124
    • Instruction ID: 73b9806658f871c97da853d6fce61f456e2b049b807b23618f0173d3bdd41549
    • Opcode Fuzzy Hash: eb2e6548559b5328e80939130fd809a4cd463dc6109c39b368a9331d783c3124
    • Instruction Fuzzy Hash: B7014BB08142189ADB10AF65855436EB6F4FF04308F4098BBE885772C0D3BC8AC1CF4A
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    Strings
    Similarity
    • API ID: AsyncSleepStatefclosefopenfputs
    • String ID: '" $C:\Windows\system\mmtaskclean.log
    • API String ID: 2048754653-3250504011
    • Opcode ID: cd8a7e3684b18818272ba3937af8908231e75691f83e1a1110588aa4b0a17cd3
    • Instruction ID: 266c096755aa8236d98dcd1aecaa9eb5157a2cdcfdf2c463932e7595a8432002
    • Opcode Fuzzy Hash: cd8a7e3684b18818272ba3937af8908231e75691f83e1a1110588aa4b0a17cd3
    • Instruction Fuzzy Hash: C8014BB08142149ADB10AF65C55426EB6F4FF04308F4094BBE885772C0D3BC8AC1CF4A
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    Strings
    Similarity
    • API ID: AsyncSleepStatefclosefopenfputs
    • String ID: [{ $C:\Windows\system\mmtaskclean.log
    • API String ID: 2048754653-3554109962
    • Opcode ID: 26783f51469a6b0bc3b168fe77e4bc3cd6df57fc5dcb164f550b665e8b2be2f4
    • Instruction ID: a75d77b0362078c0ecfad67f95ea95157bd04787bf0b21274c08362e3c64f6ad
    • Opcode Fuzzy Hash: 26783f51469a6b0bc3b168fe77e4bc3cd6df57fc5dcb164f550b665e8b2be2f4
    • Instruction Fuzzy Hash: 9C014BB08142189ADB10AF65855426EB6F4FF04308F4094BBE885772C0D3BC8AC5CF4A
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    Strings
    Similarity
    • API ID: AsyncSleepStatefclosefopenfputs
    • String ID: \| $C:\Windows\system\mmtaskclean.log
    • API String ID: 2048754653-3648742235
    • Opcode ID: 2f7f66c5034bc06773260de01bd7d7094d3049a6caeb1502b02f41678fcad4d5
    • Instruction ID: 9a394adbe936bc03c232810edf4b707d9a0cf17bd09d85e545a8f35e143ee3dc
    • Opcode Fuzzy Hash: 2f7f66c5034bc06773260de01bd7d7094d3049a6caeb1502b02f41678fcad4d5
    • Instruction Fuzzy Hash: 10014BB08142149ADB10AF65855426EB6F4FF04308F4094BBE885772C0D3BC8AC1CF4A
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • GetAtomNameA.KERNEL32 ref: 00401CFF
      • Part of subcall function 00401FF0: fprintf.MSVCRT ref: 0040201D
      • Part of subcall function 00401FF0: fflush.MSVCRT ref: 0040202D
      • Part of subcall function 00401FF0: abort.MSVCRT(?,?,?,?,?,00401D5E), ref: 00402032
    Strings
    • %s:%u: failed assertion `%s', xrefs: 00401D49
    • w32_sharedptr->size == sizeof(W32_EH_SHARED), xrefs: 00401D37
    • GetAtomNameA (atom, s, sizeof(s)) != 0, xrefs: 00401D5E
    • ../../gcc/gcc/config/i386/w32-shared-ptr.c, xrefs: 00401D50
    Similarity
    • API ID: AtomNameabortfflushfprintf
    • String ID: %s:%u: failed assertion `%s'$../../gcc/gcc/config/i386/w32-shared-ptr.c$GetAtomNameA (atom, s, sizeof(s)) != 0$w32_sharedptr->size == sizeof(W32_EH_SHARED)
    • API String ID: 2513348418-2696369246
    • Opcode ID: e24046c84817578ea1a5a5cb31b09110bf3e3ec9fabf156c5f5e9f4f6aa0b181
    • Instruction ID: f6598a687f133b68b143ab81bf56bbcc1bb584ee9fe37f56d859ff9d154e6e09
    • Opcode Fuzzy Hash: e24046c84817578ea1a5a5cb31b09110bf3e3ec9fabf156c5f5e9f4f6aa0b181
    • Instruction Fuzzy Hash: 6A0152B0A04741ABDB149F65C08436BBBE1EF94305F10C83FE589AB7A5D27D9881DF4A
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    Strings
    • C:\Windows\system\mmtaskclean.log, xrefs: 00401390
    Memory Dump Source
    • Source File: 00000003.00000002.611886858.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.611883109.0000000000400000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000405000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000409000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.000000000040B000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611909376.000000000040C000.00000080.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611914490.000000000040D000.00000004.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_wupdmgr.jbxd
    Similarity
    • API ID: AsyncSleepStatefclosefopenfputc
    • String ID: C:\Windows\system\mmtaskclean.log
    • API String ID: 1739232185-3449275089
    • Opcode ID: d1d308082c4c0edf889bc776bafc6346457e977b04bdcf212a4304e15d6194b8
    • Instruction ID: 80fc33ff94ceeb42d674f1a3f95645e539ea001627d0d1493febff40af3dad38
    • Opcode Fuzzy Hash: d1d308082c4c0edf889bc776bafc6346457e977b04bdcf212a4304e15d6194b8
    • Instruction Fuzzy Hash: C0014BB08142149ADB11AF65C55436EB6F4BF04308F4094ABE885772C0D7BC8A81CF4A
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    • C:\Windows\system\mmtaskclean.log, xrefs: 00401390
    Memory Dump Source
    • Source File: 00000003.00000002.611886858.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.611883109.0000000000400000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000405000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000409000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.000000000040B000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611909376.000000000040C000.00000080.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611914490.000000000040D000.00000004.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_wupdmgr.jbxd
    Similarity
    • API ID: AsyncSleepStatefclosefopenfputc
    • String ID: C:\Windows\system\mmtaskclean.log
    • API String ID: 1739232185-3449275089
    • Opcode ID: 76526cf024a55b6da7c4103335d88fea2f9d0fbbd1c9500b3d9c1d593dc9f2fb
    • Instruction ID: dd7c46b1e37b0863d59d5622d20f6dd45964ee2f6bab965e78d2c2c0330cc683
    • Opcode Fuzzy Hash: 76526cf024a55b6da7c4103335d88fea2f9d0fbbd1c9500b3d9c1d593dc9f2fb
    • Instruction Fuzzy Hash: C501FBB09142149ADB11AF65C55436EB6F4BF04708F4194ABE8C5772C0D7BD8A85CF4A
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    • C:\Windows\system\mmtaskclean.log, xrefs: 00401390
    Memory Dump Source
    • Source File: 00000003.00000002.611886858.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.611883109.0000000000400000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000405000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000409000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.000000000040B000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611909376.000000000040C000.00000080.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611914490.000000000040D000.00000004.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_wupdmgr.jbxd
    Similarity
    • API ID: AsyncSleepStatefclosefopenfputc
    • String ID: C:\Windows\system\mmtaskclean.log
    • API String ID: 1739232185-3449275089
    • Opcode ID: 879c1b1b30cf8310a19685b975f4060c61685e4de289ddf43cea7f1f9304bf0f
    • Instruction ID: efc9a26863a80473b9ba88dcf207d9bb73c0869bd568303e8c3b31f107d2b5d2
    • Opcode Fuzzy Hash: 879c1b1b30cf8310a19685b975f4060c61685e4de289ddf43cea7f1f9304bf0f
    • Instruction Fuzzy Hash: 7E01FBB09142149ADB11AF65C55836EB6F4BF04708F4194ABE8C5772C0D7BD8A85CF4A
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    • C:\Windows\system\mmtaskclean.log, xrefs: 00401390
    Memory Dump Source
    • Source File: 00000003.00000002.611886858.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.611883109.0000000000400000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000405000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000409000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.000000000040B000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611909376.000000000040C000.00000080.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611914490.000000000040D000.00000004.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_wupdmgr.jbxd
    Similarity
    • API ID: AsyncSleepStatefclosefopenfputc
    • String ID: C:\Windows\system\mmtaskclean.log
    • API String ID: 1739232185-3449275089
    • Opcode ID: a354ed91b16fd11189ddcf78e9ab040fa92108320bd9a922e358e3b7cea05b02
    • Instruction ID: 09bcb6c9bb29c1ffdca8eefc77b15c3c1ad11b8f3a2f9693c8882b7a0b33d2e9
    • Opcode Fuzzy Hash: a354ed91b16fd11189ddcf78e9ab040fa92108320bd9a922e358e3b7cea05b02
    • Instruction Fuzzy Hash: 1601FBB09142149ADB11AF65C55436EB6F4BF04708F4194ABE8C5772C0D7BD8B86CF4A
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    • C:\Windows\system\mmtaskclean.log, xrefs: 00401390
    Memory Dump Source
    • Source File: 00000003.00000002.611886858.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.611883109.0000000000400000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000405000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000409000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.000000000040B000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611909376.000000000040C000.00000080.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611914490.000000000040D000.00000004.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_wupdmgr.jbxd
    Similarity
    • API ID: AsyncSleepStatefclosefopenfputc
    • String ID: C:\Windows\system\mmtaskclean.log
    • API String ID: 1739232185-3449275089
    • Opcode ID: 845924090219ab29db0e2b6ad11ac3f3a56ee2cda8b96f3a8bae640bdd14d07c
    • Instruction ID: 89fc1aaeb69fe4daa7cefcaad48c5a6573ce85da860cda6a78b4a5c8cf175897
    • Opcode Fuzzy Hash: 845924090219ab29db0e2b6ad11ac3f3a56ee2cda8b96f3a8bae640bdd14d07c
    • Instruction Fuzzy Hash: 5601FBB09142149ADB11AF65C55436EB6F4BF04708F4194ABE8C5772C0D7BD8A85CF4A
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    • C:\Windows\system\mmtaskclean.log, xrefs: 00401390
    Memory Dump Source
    • Source File: 00000003.00000002.611886858.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.611883109.0000000000400000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000405000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000409000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.000000000040B000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611909376.000000000040C000.00000080.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611914490.000000000040D000.00000004.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_wupdmgr.jbxd
    Similarity
    • API ID: AsyncSleepStatefclosefopenfputc
    • String ID: C:\Windows\system\mmtaskclean.log
    • API String ID: 1739232185-3449275089
    • Opcode ID: de77fb1179191d1e7b23f956e964faa5bb136963f6ddf7c6ee087f2b0d3789ee
    • Instruction ID: 43a80e48851bc416a3b272f31b278b17fde4334bd63dc57ae850fc6e30de1270
    • Opcode Fuzzy Hash: de77fb1179191d1e7b23f956e964faa5bb136963f6ddf7c6ee087f2b0d3789ee
    • Instruction Fuzzy Hash: 8D01FBB09142149ADB11AF65C55836EB6F4BF04708F4194ABE885772C0D7BD8A85CF4A
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    • C:\Windows\system\mmtaskclean.log, xrefs: 00401390
    Memory Dump Source
    • Source File: 00000003.00000002.611886858.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.611883109.0000000000400000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000405000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000409000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.000000000040B000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611909376.000000000040C000.00000080.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611914490.000000000040D000.00000004.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_wupdmgr.jbxd
    Similarity
    • API ID: AsyncSleepStatefclosefopenfputs
    • String ID: C:\Windows\system\mmtaskclean.log
    • API String ID: 2048754653-3449275089
    • Opcode ID: df1bba893fb1b0fd7a372bc12a095bd706408d5ac1a8fad9ea7e89b9c2156338
    • Instruction ID: 1770f3a34e785be06bb88a359fc4983e0b3119e0a59550fad4dee5e59fc2fe90
    • Opcode Fuzzy Hash: df1bba893fb1b0fd7a372bc12a095bd706408d5ac1a8fad9ea7e89b9c2156338
    • Instruction Fuzzy Hash: C5014BB08142149ADB10AF65855426EB6F4FF04308F4098BBE885772C0D3BC8AC1CF4A
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    • C:\Windows\system\mmtaskclean.log, xrefs: 00401390
    Memory Dump Source
    • Source File: 00000003.00000002.611886858.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.611883109.0000000000400000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000405000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000409000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.000000000040B000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611909376.000000000040C000.00000080.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611914490.000000000040D000.00000004.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_wupdmgr.jbxd
    Similarity
    • API ID: AsyncSleepStatefclosefopenfputs
    • String ID: C:\Windows\system\mmtaskclean.log
    • API String ID: 2048754653-3449275089
    • Opcode ID: 0c6dfe2ec06aa096c16e209ab7171f7e377bee2393e0793d52bd627e48c32795
    • Instruction ID: 5774f756056be092d5a8fc3d378c0af919fc2b0baa68b37c2aaab1592edd1771
    • Opcode Fuzzy Hash: 0c6dfe2ec06aa096c16e209ab7171f7e377bee2393e0793d52bd627e48c32795
    • Instruction Fuzzy Hash: 2B014BB08142189ADB10AF6585542AEB6F4FF04308F4094BBE8C5772C0D3BC8AC2CF4E
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    • C:\Windows\system\mmtaskclean.log, xrefs: 00401390
    Memory Dump Source
    • Source File: 00000003.00000002.611886858.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.611883109.0000000000400000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000405000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000409000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.000000000040B000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611909376.000000000040C000.00000080.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611914490.000000000040D000.00000004.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_wupdmgr.jbxd
    Similarity
    • API ID: AsyncSleepStatefclosefopenfputs
    • String ID: C:\Windows\system\mmtaskclean.log
    • API String ID: 2048754653-3449275089
    • Opcode ID: 6909de954d75b1833f98d5b1ea1b70870f492758e76391e0445647da7f28fb59
    • Instruction ID: 490daa02096f48aab2f75111c6693df089d9e6ff7dba39515b492bc6cc5c4459
    • Opcode Fuzzy Hash: 6909de954d75b1833f98d5b1ea1b70870f492758e76391e0445647da7f28fb59
    • Instruction Fuzzy Hash: 1F014BB08142189ADB10AF65855426EB6F4FF04308F4094BBE885772C0D3BC8AC1CF4A
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    • C:\Windows\system\mmtaskclean.log, xrefs: 00401390
    Memory Dump Source
    • Source File: 00000003.00000002.611886858.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.611883109.0000000000400000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000405000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000409000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.000000000040B000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611909376.000000000040C000.00000080.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611914490.000000000040D000.00000004.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_wupdmgr.jbxd
    Similarity
    • API ID: AsyncSleepStatefclosefopenfputc
    • String ID: C:\Windows\system\mmtaskclean.log
    • API String ID: 1739232185-3449275089
    • Opcode ID: fd3f3377e9f3ac896bcbcd1c4aba01398016d0d82d0eca1f15b95bba2f86bc26
    • Instruction ID: 2bbac2d265cffe4d4b5f007544c4c0b5a786ba5b319befc864b933c4dfb1eefc
    • Opcode Fuzzy Hash: fd3f3377e9f3ac896bcbcd1c4aba01398016d0d82d0eca1f15b95bba2f86bc26
    • Instruction Fuzzy Hash: 2501FBB09142149ADB11AF65C55436EB6F4BF04708F4194ABE8C5772C0D7BD8A85CF4A
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    • C:\Windows\system\mmtaskclean.log, xrefs: 00401390
    Memory Dump Source
    • Source File: 00000003.00000002.611886858.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.611883109.0000000000400000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000405000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000409000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.000000000040B000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611909376.000000000040C000.00000080.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611914490.000000000040D000.00000004.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_wupdmgr.jbxd
    Similarity
    • API ID: AsyncSleepStatefclosefopenfputc
    • String ID: C:\Windows\system\mmtaskclean.log
    • API String ID: 1739232185-3449275089
    • Opcode ID: 36b6cfdab4b6caf6258e1aa241e2b0381bb881a7e7e1876d00ccc1bc1e2f03c7
    • Instruction ID: a682a4ee320613bb60b6029833267ac603fc332cf8e1151341912a3fade513aa
    • Opcode Fuzzy Hash: 36b6cfdab4b6caf6258e1aa241e2b0381bb881a7e7e1876d00ccc1bc1e2f03c7
    • Instruction Fuzzy Hash: 0601FBB09142149ADB11AF65C55436EB6F4BF04708F4194ABE8C5772C0D7BD8A85CF4A
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    • C:\Windows\system\mmtaskclean.log, xrefs: 00401390
    Memory Dump Source
    • Source File: 00000003.00000002.611886858.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.611883109.0000000000400000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000405000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000409000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.000000000040B000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611909376.000000000040C000.00000080.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611914490.000000000040D000.00000004.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_wupdmgr.jbxd
    Similarity
    • API ID: AsyncSleepStatefclosefopenfputc
    • String ID: C:\Windows\system\mmtaskclean.log
    • API String ID: 1739232185-3449275089
    • Opcode ID: 8f23130042fc436d2fcb51acaa8329973e573a14db08277b88286dd96a63d375
    • Instruction ID: 53290adbedb1c2f306d26112c50f66ffc26c1f2680a88519671dcfc6d25ae959
    • Opcode Fuzzy Hash: 8f23130042fc436d2fcb51acaa8329973e573a14db08277b88286dd96a63d375
    • Instruction Fuzzy Hash: DA01FBB09142149ADB11AF65C5543AEB6F4BF04708F4194ABE8C5772C0D7BD8AC5CF4A
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    • C:\Windows\system\mmtaskclean.log, xrefs: 00401390
    Memory Dump Source
    • Source File: 00000003.00000002.611886858.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.611883109.0000000000400000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000405000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000409000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.000000000040B000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611909376.000000000040C000.00000080.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611914490.000000000040D000.00000004.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_wupdmgr.jbxd
    Similarity
    • API ID: AsyncSleepStatefclosefopenfputc
    • String ID: C:\Windows\system\mmtaskclean.log
    • API String ID: 1739232185-3449275089
    • Opcode ID: b132d53bdcec6985fbdaed6c8d14b7af25d278e22ebb54b44931284cee61b65f
    • Instruction ID: 7b29b7cfa8a9d19f8f382ae89b79bcb808dc92db72da637b23942cb53c076e9d
    • Opcode Fuzzy Hash: b132d53bdcec6985fbdaed6c8d14b7af25d278e22ebb54b44931284cee61b65f
    • Instruction Fuzzy Hash: 9F01FBB09142149ADB11AF65C55836EB6F4BF04708F4194ABE885772C0D7BD8A85CF4A
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    • C:\Windows\system\mmtaskclean.log, xrefs: 00401390
    Memory Dump Source
    • Source File: 00000003.00000002.611886858.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.611883109.0000000000400000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000405000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000409000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.000000000040B000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611909376.000000000040C000.00000080.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611914490.000000000040D000.00000004.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_wupdmgr.jbxd
    Similarity
    • API ID: AsyncSleepStatefclosefopenfputs
    • String ID: C:\Windows\system\mmtaskclean.log
    • API String ID: 2048754653-3449275089
    • Opcode ID: 6add6516709ce74603398c04bc56f658b190f960394cf54ed59b19ddb15c87d7
    • Instruction ID: 9405a2d59052df95c3154639145d6b4446b2180e9bc5fd70743c5343feacdbbd
    • Opcode Fuzzy Hash: 6add6516709ce74603398c04bc56f658b190f960394cf54ed59b19ddb15c87d7
    • Instruction Fuzzy Hash: BB014BB08142189ADB10AF65855426EB6F4FF04308F4094BBE885772C0D3BC8AC1CF4A
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    • C:\Windows\system\mmtaskclean.log, xrefs: 00401390
    Memory Dump Source
    • Source File: 00000003.00000002.611886858.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.611883109.0000000000400000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000405000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000409000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.000000000040B000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611909376.000000000040C000.00000080.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611914490.000000000040D000.00000004.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_wupdmgr.jbxd
    Similarity
    • API ID: AsyncSleepStatefclosefopenfputs
    • String ID: C:\Windows\system\mmtaskclean.log
    • API String ID: 2048754653-3449275089
    • Opcode ID: 1e4f7d98276bcb8ebce1590a85efb833bba0012ffd82d5e6fa9a74a002d64339
    • Instruction ID: eebc730db60f7d974b93435eec4ee3af8e50dccb6ea4980bf8b3c34b6bbcffe8
    • Opcode Fuzzy Hash: 1e4f7d98276bcb8ebce1590a85efb833bba0012ffd82d5e6fa9a74a002d64339
    • Instruction Fuzzy Hash: 58014BB08142149ADB10AF65855426EB6F4FF04308F4094BBE8C5772C0D3BD8AC1CF4A
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    • C:\Windows\system\mmtaskclean.log, xrefs: 00401390
    Memory Dump Source
    • Source File: 00000003.00000002.611886858.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.611883109.0000000000400000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000405000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000409000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.000000000040B000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611909376.000000000040C000.00000080.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611914490.000000000040D000.00000004.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_wupdmgr.jbxd
    Similarity
    • API ID: AsyncSleepStatefclosefopenfputs
    • String ID: C:\Windows\system\mmtaskclean.log
    • API String ID: 2048754653-3449275089
    • Opcode ID: c465934981395556e1f960a3b1ca71b08dde416992b3e8aa0292f19aec675a36
    • Instruction ID: 2105b52a237bf63e12eab5226c6034ec46a82747ea7bbf4871e39264bd5c71ef
    • Opcode Fuzzy Hash: c465934981395556e1f960a3b1ca71b08dde416992b3e8aa0292f19aec675a36
    • Instruction Fuzzy Hash: 46014BB08142149ADB10AF65855426EB6F4FF04308F4094BBE8C5772C0D3BC8AC5CF4A
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    • C:\Windows\system\mmtaskclean.log, xrefs: 00401390
    Memory Dump Source
    • Source File: 00000003.00000002.611886858.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.611883109.0000000000400000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000405000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000409000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.000000000040B000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611909376.000000000040C000.00000080.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611914490.000000000040D000.00000004.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_wupdmgr.jbxd
    Similarity
    • API ID: AsyncSleepStatefclosefopenfputc
    • String ID: C:\Windows\system\mmtaskclean.log
    • API String ID: 1739232185-3449275089
    • Opcode ID: bf285d3372c82ee177acbe8c6f740bf3469bb672d1e19fd94f51e293c418b604
    • Instruction ID: 8c6627af20ba46ca7b0f1750ca9292f11f6342eb01706b68651616dc4c13f2d6
    • Opcode Fuzzy Hash: bf285d3372c82ee177acbe8c6f740bf3469bb672d1e19fd94f51e293c418b604
    • Instruction Fuzzy Hash: FE01FBB09142149ADB11AF65C55436EB6F4BF04708F4194ABE8C5772C0D7BD8A85CF4A
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    • C:\Windows\system\mmtaskclean.log, xrefs: 00401390
    Memory Dump Source
    • Source File: 00000003.00000002.611886858.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.611883109.0000000000400000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000405000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000409000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.000000000040B000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611909376.000000000040C000.00000080.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611914490.000000000040D000.00000004.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_wupdmgr.jbxd
    Similarity
    • API ID: AsyncSleepStatefclosefopenfputc
    • String ID: C:\Windows\system\mmtaskclean.log
    • API String ID: 1739232185-3449275089
    • Opcode ID: 2b4bda5d777c2a63d2fe3e3b5061bb1f27effb28b4c1de993f99c0bec6c3b6bc
    • Instruction ID: e097be8db0f26eb00243541e4c1ecac9628bab029d81d66d254b711e0efc8dc5
    • Opcode Fuzzy Hash: 2b4bda5d777c2a63d2fe3e3b5061bb1f27effb28b4c1de993f99c0bec6c3b6bc
    • Instruction Fuzzy Hash: 07014BB08142149ADB11AF65C55436EB6F4BF04308F4094ABE8C5772C0D7BC8A81CF4A
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    • C:\Windows\system\mmtaskclean.log, xrefs: 00401390
    Memory Dump Source
    • Source File: 00000003.00000002.611886858.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.611883109.0000000000400000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000405000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000409000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.000000000040B000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611909376.000000000040C000.00000080.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611914490.000000000040D000.00000004.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_wupdmgr.jbxd
    Similarity
    • API ID: AsyncSleepStatefclosefopenfputc
    • String ID: C:\Windows\system\mmtaskclean.log
    • API String ID: 1739232185-3449275089
    • Opcode ID: 188856c879bd43b05e7de01ca0158a22f012e395e4c8e2545d28155217e9d160
    • Instruction ID: 669814b3c05e283431542e46c1f5d5333504a7f8b11ac979b2964653c89fe850
    • Opcode Fuzzy Hash: 188856c879bd43b05e7de01ca0158a22f012e395e4c8e2545d28155217e9d160
    • Instruction Fuzzy Hash: B101FBB09142149ADB11AF65C55436EB6F4BF04708F4194ABE8C5772C0D7BD8A85CF4A
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    • C:\Windows\system\mmtaskclean.log, xrefs: 00401390
    Memory Dump Source
    • Source File: 00000003.00000002.611886858.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.611883109.0000000000400000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000405000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000409000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.000000000040B000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611909376.000000000040C000.00000080.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611914490.000000000040D000.00000004.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_wupdmgr.jbxd
    Similarity
    • API ID: AsyncSleepStatefclosefopenfputc
    • String ID: C:\Windows\system\mmtaskclean.log
    • API String ID: 1739232185-3449275089
    • Opcode ID: dde319cddbd57c3a1f2b8b53ce5276cb4428c06a6fb40dd6b41d48c190fd3303
    • Instruction ID: 1731ce42e54fa2d34a1295fe36b54f1de371bd7eea2dbaa9cfc211572d0538a4
    • Opcode Fuzzy Hash: dde319cddbd57c3a1f2b8b53ce5276cb4428c06a6fb40dd6b41d48c190fd3303
    • Instruction Fuzzy Hash: CD014BB08142149ADB11AF65C55836EB6F4BF04308F4094ABE885772C0D7BC8AC1CF4A
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    • C:\Windows\system\mmtaskclean.log, xrefs: 00401390
    Memory Dump Source
    • Source File: 00000003.00000002.611886858.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.611883109.0000000000400000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000405000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000409000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.000000000040B000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611909376.000000000040C000.00000080.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611914490.000000000040D000.00000004.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_wupdmgr.jbxd
    Similarity
    • API ID: AsyncSleepStatefclosefopenfputc
    • String ID: C:\Windows\system\mmtaskclean.log
    • API String ID: 1739232185-3449275089
    • Opcode ID: b2b7905ab3a2044f10b9f7c92357a2a8dcc4bc2c3b08d8a37091d94526c9e783
    • Instruction ID: d0e25b1b40480ecd4b04aa9fa0bf47ca0c7ee8aa20ec5a5834b9211fc0e665cd
    • Opcode Fuzzy Hash: b2b7905ab3a2044f10b9f7c92357a2a8dcc4bc2c3b08d8a37091d94526c9e783
    • Instruction Fuzzy Hash: 5901FBB09142149ADB11AF65C55836EB6F4BF04708F4194ABE885772C0D7BD8A85CF4A
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    • C:\Windows\system\mmtaskclean.log, xrefs: 00401390
    Memory Dump Source
    • Source File: 00000003.00000002.611886858.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.611883109.0000000000400000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000405000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000409000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.000000000040B000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611909376.000000000040C000.00000080.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611914490.000000000040D000.00000004.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_wupdmgr.jbxd
    Similarity
    • API ID: AsyncSleepStatefclosefopenfputs
    • String ID: C:\Windows\system\mmtaskclean.log
    • API String ID: 2048754653-3449275089
    • Opcode ID: 6b82937b9f176eb54f3eefb52382862be6d53efa933b10eb093a567c39d9ab9b
    • Instruction ID: a17e4cb8a2b7c8e7b4fbf449dbf2a570f3e92109764c59f57dc26c9a17d8dbc1
    • Opcode Fuzzy Hash: 6b82937b9f176eb54f3eefb52382862be6d53efa933b10eb093a567c39d9ab9b
    • Instruction Fuzzy Hash: 24014BB08142189ADB10AF65855426EB6F4FF04308F4094BBE885772C0D3BC8AC1DF4A
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    • C:\Windows\system\mmtaskclean.log, xrefs: 00401390
    Memory Dump Source
    • Source File: 00000003.00000002.611886858.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.611883109.0000000000400000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000405000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000409000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.000000000040B000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611909376.000000000040C000.00000080.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611914490.000000000040D000.00000004.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_wupdmgr.jbxd
    Similarity
    • API ID: AsyncSleepStatefclosefopenfputs
    • String ID: C:\Windows\system\mmtaskclean.log
    • API String ID: 2048754653-3449275089
    • Opcode ID: 500d8c9243821b033d239e5bf31f0782777779154986793cbf4bfe3b5854507b
    • Instruction ID: 280390993f757d25575f7996d264ad886e0d7db82683390e9225af69aa39806c
    • Opcode Fuzzy Hash: 500d8c9243821b033d239e5bf31f0782777779154986793cbf4bfe3b5854507b
    • Instruction Fuzzy Hash: 4B014BB08142149ADB10AF65855426EB6F4FF04308F4094BBE885772C0D3BC8AC1CF4A
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.611886858.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.611883109.0000000000400000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000405000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.0000000000409000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611886858.000000000040B000.00000040.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611909376.000000000040C000.00000080.00000001.01000000.00000006.sdmp
    • Associated: 00000003.00000002.611914490.000000000040D000.00000004.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_wupdmgr.jbxd
    Similarity
    • API ID: signal
    • String ID:
    • API String ID: 1946981877-0
    • Opcode ID: 14cc91f79a868fa5af5b86b73c44b9dc16c8217c0fafb5dc3352c50613790230
    • Instruction ID: c0f33cbba5e8f7795166467dc0fbed1cb1802adcb0908299083486a0d0c231ea
    • Opcode Fuzzy Hash: 14cc91f79a868fa5af5b86b73c44b9dc16c8217c0fafb5dc3352c50613790230
    • Instruction Fuzzy Hash: BA213E70A043409BD720AF68C58071EB6A1AB09724F11867FE9D5B77E2C67D9DC0879A
    Uniqueness

    Uniqueness Score: -1.00%
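The entries above are Joe Sandbox IDA-plugin function fingerprints for the wupdmgr process (process 3, image base 0x400000): each one records the APIs a function imports, the strings it references, a combined "API String ID", and opcode/instruction hashes. Several of them differ only in their opcode hash while sharing the same API set and the same log path, which is the pattern of near-duplicate functions (here a fputc variant and a fputs variant of the same logger). The script below is an added triage example, not part of the report or of Joe Sandbox: it parses entries in the page's bullet layout, splits the concatenated API ID field against a word list, clusters functions by API String ID, and pulls out the file paths worth hunting for on disk. The sample input is the five complete entries copied from this section; the API word list is an assumption built from the names that occur on this page and would need extending for other reports.

```python
"""Parse Joe Sandbox IDA-plugin "Similarity" entries and group the
near-duplicate functions they describe."""
import re
from collections import defaultdict

# Constructed sample input: the five complete Similarity entries from the
# report section above (process 3, wupdmgr, image base 0x400000), reduced to
# the bullet fields this parser reads. Backslashes are doubled for Python.
SAMPLE_ENTRIES = """
Similarity
• API ID: AsyncSleepStatefclosefopenfputc
• String ID: C:\\Windows\\system\\mmtaskclean.log
• API String ID: 1739232185-3449275089
• Opcode ID: dde319cddbd57c3a1f2b8b53ce5276cb4428c06a6fb40dd6b41d48c190fd3303
• Instruction ID: 1731ce42e54fa2d34a1295fe36b54f1de371bd7eea2dbaa9cfc211572d0538a4
Similarity
• API ID: AsyncSleepStatefclosefopenfputc
• String ID: C:\\Windows\\system\\mmtaskclean.log
• API String ID: 1739232185-3449275089
• Opcode ID: b2b7905ab3a2044f10b9f7c92357a2a8dcc4bc2c3b08d8a37091d94526c9e783
• Instruction ID: d0e25b1b40480ecd4b04aa9fa0bf47ca0c7ee8aa20ec5a5834b9211fc0e665cd
Similarity
• API ID: AsyncSleepStatefclosefopenfputs
• String ID: C:\\Windows\\system\\mmtaskclean.log
• API String ID: 2048754653-3449275089
• Opcode ID: 6b82937b9f176eb54f3eefb52382862be6d53efa933b10eb093a567c39d9ab9b
• Instruction ID: a17e4cb8a2b7c8e7b4fbf449dbf2a570f3e92109764c59f57dc26c9a17d8dbc1
Similarity
• API ID: AsyncSleepStatefclosefopenfputs
• String ID: C:\\Windows\\system\\mmtaskclean.log
• API String ID: 2048754653-3449275089
• Opcode ID: 500d8c9243821b033d239e5bf31f0782777779154986793cbf4bfe3b5854507b
• Instruction ID: 280390993f757d25575f7996d264ad886e0d7db82683390e9225af69aa39806c
Similarity
• API ID: signal
• String ID:
• API String ID: 1946981877-0
• Opcode ID: 14cc91f79a868fa5af5b86b73c44b9dc16c8217c0fafb5dc3352c50613790230
• Instruction ID: c0f33cbba5e8f7795166467dc0fbed1cb1802adcb0908299083486a0d0c231ea
"""

# Word list used to split the concatenated "API ID" field. The report glues
# the API names together without a separator, so splitting needs a
# vocabulary. Assumption: these are the names that occur on this page; the
# list is extended as other reports are parsed.
KNOWN_APIS = ("AsyncSleepState", "fclose", "fopen", "fputc", "fputs", "signal")

FIELD_RE = re.compile(r"^\s*•\s*([^:]+?):\s*(.*?)\s*$")
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_similarity_entries(text):
    """Return one dict per 'Similarity' block, keyed by the bullet labels."""
    entries = []
    current = None
    for line in text.splitlines():
        if line.strip() == "Similarity":
            current = {}
            entries.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return entries


def split_api_id(api_id, vocab=KNOWN_APIS):
    """Greedy longest-match split of a concatenated API ID into API names.
    An unrecognised remainder is kept as one token so nothing is silently lost."""
    names = []
    rest = api_id
    ordered = sorted(vocab, key=len, reverse=True)
    while rest:
        for name in ordered:
            if rest.startswith(name):
                names.append(name)
                rest = rest[len(name):]
                break
        else:
            names.append(rest)
            break
    return names


def group_by_api_string_id(entries):
    """Cluster functions that share an API set and string set. Each cluster
    keeps the distinct Opcode IDs, i.e. how many code variants were found."""
    groups = defaultdict(lambda: {"apis": None, "string": None, "opcode_ids": set()})
    for e in entries:
        g = groups[e["API String ID"]]
        g["apis"] = split_api_id(e["API ID"])
        g["string"] = e.get("String ID", "")
        g["opcode_ids"].add(e["Opcode ID"])
    return dict(groups)


def extract_file_paths(entries):
    """Collect Windows file paths referenced via String ID as on-disk hunt candidates."""
    return sorted({e["String ID"] for e in entries
                   if WIN_PATH_RE.match(e.get("String ID", ""))})


if __name__ == "__main__":
    parsed = parse_similarity_entries(SAMPLE_ENTRIES)
    for key, g in group_by_api_string_id(parsed).items():
        print(f"{key}: {'+'.join(g['apis'])} -> {g['string'] or '<none>'} "
              f"({len(g['opcode_ids'])} code variants)")
    print("paths to hunt for:", extract_file_paths(parsed))
```

Run against the section above, the three clusters come out as two two-variant loggers (one writing with fputc, one with fputs, both to C:\Windows\system\mmtaskclean.log after a sleep) and a single signal-handler setup with no string reference; the path list is what to feed into a file-system sweep of hosts where wupdmgr.exe was dropped.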