
Windows Analysis Report
ruXU7wj3X9.dll

Overview

General Information

Sample name: ruXU7wj3X9.dll (renamed because original name is a hash value)
Original sample name: d907672759069af4824b0354e9170285.dll
Analysis ID: 1591362
MD5: d907672759069af4824b0354e9170285
SHA1: d995544a19032e9cebdd6d76c03580a89bd7a330
SHA256: 4ad2a09b3c99f31faf5f46b2298dcf2e9c5b84a96732bffea2fcf4e2c2aa791e
Tags: dll, exe, user-mentality

Detection

Wannacry
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Wannacry ransomware
Connects to many different private IPs (likely to spread or exploit)
Connects to many different private IPs via SMB (likely to spread or exploit)
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to detect virtual machines (SLDT)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains executable resources (Code or Archives)
Sample execution stops while process was sleeping (likely an evasion)
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • loaddll32.exe (PID: 6512 cmdline: loaddll32.exe "C:\Users\user\Desktop\ruXU7wj3X9.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 3660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1736 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ruXU7wj3X9.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 3832 cmdline: rundll32.exe "C:\Users\user\Desktop\ruXU7wj3X9.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • mssecsvr.exe (PID: 5944 cmdline: C:\WINDOWS\mssecsvr.exe MD5: B15FB425B628062A7BB0F11DBAECF4AC)
    • rundll32.exe (PID: 4992 cmdline: rundll32.exe C:\Users\user\Desktop\ruXU7wj3X9.dll,PlayGame MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6780 cmdline: rundll32.exe "C:\Users\user\Desktop\ruXU7wj3X9.dll",PlayGame MD5: 889B99C52A60DD49227C5E485A016679)
      • mssecsvr.exe (PID: 6720 cmdline: C:\WINDOWS\mssecsvr.exe MD5: B15FB425B628062A7BB0F11DBAECF4AC)
        • tasksche.exe (PID: 3456 cmdline: C:\WINDOWS\tasksche.exe /i MD5: 41C0E22D28973F312DE789C027E61D0C)
          • WerFault.exe (PID: 4992 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 604 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • mssecsvr.exe (PID: 6552 cmdline: C:\WINDOWS\mssecsvr.exe -m security MD5: B15FB425B628062A7BB0F11DBAECF4AC)
  • svchost.exe (PID: 3148 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WerFault.exe (PID: 2888 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3456 -ip 3456 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • svchost.exe (PID: 3628 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
Source: ruXU7wj3X9.dll; Rule: JoeSecurity_Wannacry; Description: Yara detected Wannacry ransomware; Author: Joe Security
Source: ruXU7wj3X9.dll; Rule: WannaCry_Ransomware; Description: Detects WannaCry Ransomware; Author: Florian Roth (with the help of binar.ly); Strings:
  • 0x45604:$x1: icacls . /grant Everyone:F /T /C /Q
  • 0x353d0:$x3: tasksche.exe
  • 0x455e0:$x3: tasksche.exe
  • 0x455bc:$x4: Global\MsWinZonesCacheCounterMutexA
  • 0x45634:$x5: WNcry@2ol7
  • 0x353a8:$x8: C:\%s\qeriuwjhrf
  • 0x45604:$x9: icacls . /grant Everyone:F /T /C /Q
  • 0x3014:$s1: C:\%s\%s
  • 0x12098:$s1: C:\%s\%s
  • 0x1b39c:$s1: C:\%s\%s
  • 0x353bc:$s1: C:\%s\%s
  • 0x45534:$s3: cmd.exe /c "%s"
  • 0x77a88:$s4: msg/m_portuguese.wnry
  • 0x326f0:$s5: \\192.168.56.20\IPC$
  • 0x1fae5:$s6: \\172.16.99.5\IPC$
  • 0xd195:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
  • 0x78da:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
  • 0x5449:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
Source: ruXU7wj3X9.dll; Rule: wanna_cry_ransomware_generic; Description: detects wannacry ransomware on disk and in virtual page; Author: us-cert code analysis team; Strings:
  • 0x455e0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
  • 0x45608:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Source: C:\Windows\tasksche.exe; Rule: JoeSecurity_Wannacry; Description: Yara detected Wannacry ransomware; Author: Joe Security
Source: C:\Windows\tasksche.exe; Rule: WannaCry_Ransomware; Description: Detects WannaCry Ransomware; Author: Florian Roth (with the help of binar.ly); Strings:
  • 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
  • 0xf4d8:$x3: tasksche.exe
  • 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
  • 0xf52c:$x5: WNcry@2ol7
  • 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
  • 0xf42c:$s3: cmd.exe /c "%s"
  • 0x41980:$s4: msg/m_portuguese.wnry
Source: C:\Windows\tasksche.exe; Rule: wanna_cry_ransomware_generic; Description: detects wannacry ransomware on disk and in virtual page; Author: us-cert code analysis team; Strings:
  • 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
  • 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Source: C:\Windows\mssecsvr.exe; Rule: JoeSecurity_Wannacry; Description: Yara detected Wannacry ransomware; Author: Joe Security
Source: C:\Windows\mssecsvr.exe; Rule: WannaCry_Ransomware; Description: Detects WannaCry Ransomware; Author: Florian Roth (with the help of binar.ly); Strings:
  • 0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q
  • 0x3136c:$x3: tasksche.exe
  • 0x4157c:$x3: tasksche.exe
  • 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA
  • 0x415d0:$x5: WNcry@2ol7
  • 0x31344:$x8: C:\%s\qeriuwjhrf
  • 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q
  • 0xe034:$s1: C:\%s\%s
  • 0x17338:$s1: C:\%s\%s
  • 0x31358:$s1: C:\%s\%s
  • 0x414d0:$s3: cmd.exe /c "%s"
  • 0x73a24:$s4: msg/m_portuguese.wnry
  • 0x2e68c:$s5: \\192.168.56.20\IPC$
  • 0x1ba81:$s6: \\172.16.99.5\IPC$
  • 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
  • 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
  • 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
(2 entries in total)
Source: 00000008.00000002.2223330577.000000000042E000.00000004.00000001.01000000.00000004.sdmp; Rule: JoeSecurity_Wannacry; Description: Yara detected Wannacry ransomware; Author: Joe Security
Source: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp; Rule: wanna_cry_ransomware_generic; Description: detects wannacry ransomware on disk and in virtual page; Author: us-cert code analysis team; Strings:
  • 0xf0d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
  • 0xf100:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Source: 0000000A.00000002.1584683802.000000000040F000.00000008.00000001.01000000.00000004.sdmp; Rule: JoeSecurity_Wannacry; Description: Yara detected Wannacry ransomware; Author: Joe Security
Source: 0000000B.00000000.1584094306.0000000000401000.00000020.00000001.01000000.00000007.sdmp; Rule: wanna_cry_ransomware_generic; Description: detects wannacry ransomware on disk and in virtual page; Author: us-cert code analysis team; Strings:
  • 0xf0d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
  • 0xf100:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Source: 0000000A.00000000.1562813019.000000000040F000.00000008.00000001.01000000.00000004.sdmp; Rule: JoeSecurity_Wannacry; Description: Yara detected Wannacry ransomware; Author: Joe Security
(22 entries in total)
Source: 8.2.mssecsvr.exe.22738c8.9.raw.unpack; Rule: WannaCry_Ransomware; Description: Detects WannaCry Ransomware; Author: Florian Roth (with the help of binar.ly); Strings:
  • 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
  • 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
  • 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
Source: 8.2.mssecsvr.exe.1d4a084.5.raw.unpack; Rule: WannaCry_Ransomware; Description: Detects WannaCry Ransomware; Author: Florian Roth (with the help of binar.ly); Strings:
  • 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
  • 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
  • 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
Source: 8.0.mssecsvr.exe.7100a4.1.unpack; Rule: WannaCry_Ransomware; Description: Detects WannaCry Ransomware; Author: Florian Roth (with the help of binar.ly); Strings:
  • 0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q
  • 0xe8d8:$x3: tasksche.exe
  • 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA
  • 0xe92c:$x5: WNcry@2ol7
  • 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q
  • 0xe82c:$s3: cmd.exe /c "%s"
Source: 8.0.mssecsvr.exe.7100a4.1.unpack; Rule: wanna_cry_ransomware_generic; Description: detects wannacry ransomware on disk and in virtual page; Author: us-cert code analysis team; Strings:
  • 0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
  • 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Source: 8.2.mssecsvr.exe.1d7c128.3.unpack; Rule: WannaCry_Ransomware; Description: Detects WannaCry Ransomware; Author: Florian Roth (with the help of binar.ly); Strings:
  • 0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q
  • 0xe8d8:$x3: tasksche.exe
  • 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA
  • 0xe92c:$x5: WNcry@2ol7
  • 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q
  • 0xe82c:$s3: cmd.exe /c "%s"
(91 entries in total)

              System Summary

Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 3148, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-14T22:42:30.076941+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.8 | 49707 | 103.224.212.215 | 80 | TCP
2025-01-14T22:42:32.744988+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.8 | 49709 | 103.224.212.215 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-14T22:42:29.157189+0100 | 2830018 | 1 | A Network Trojan was detected | 192.168.2.8 | 49256 | 1.1.1.1 | 53 | UDP


              AV Detection

Source: ruXU7wj3X9.dll; Avira: detected
Source: C:\Windows\mssecsvr.exe; Avira: detection malicious, Label: TR/Ransom.Gen
Source: C:\Windows\tasksche.exe; Avira: detection malicious, Label: TR/Patched.Gen
Source: ruXU7wj3X9.dll; Virustotal: Detection: 88%
Source: ruXU7wj3X9.dll; ReversingLabs: Detection: 89%
Source: C:\Windows\mssecsvr.exe; Joe Sandbox ML: detected
Source: ruXU7wj3X9.dll; Joe Sandbox ML: detected

              Exploits

              Source: Binary string: d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb source: mssecsvr.exe, 00000006.00000000.1534540990.0000000000710000.00000002.00000001.01000000.00000004.sdmp, mssecsvr.exe, 00000008.00000000.1560193255.0000000000710000.00000002.00000001.01000000.00000004.sdmp, mssecsvr.exe, 00000008.00000002.2225953882.0000000001D59000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2226237017.0000000002282000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.1584859851.0000000000710000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000B.00000000.1584131463.000000000042A000.00000002.00000001.01000000.00000007.sdmp, tasksche.exe, 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp, ruXU7wj3X9.dll, mssecsvr.exe.3.dr, tasksche.exe.10.dr
              Source: C:\Windows\tasksche.exe | Code function: 11_2_00409476 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError | 11_2_00409476

              Networking

              Source: Network traffic | Suricata IDS: 2830018 - Severity 1 - ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup) : 192.168.2.8:49256 -> 1.1.1.1:53
              Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: GET /?subid1=20250115-0842-3096-a478-d7c464a3f0ca HTTP/1.1 | Cache-Control: no-cache | Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | Connection: Keep-Alive
              Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | Cache-Control: no-cache | Cookie: __tad=1736890950.7011300
              Source: global traffic | HTTP traffic detected: GET /?subid1=20250115-0842-32cc-b361-86c8884a5eaf HTTP/1.1 | Cache-Control: no-cache | Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | Connection: Keep-Alive | Cookie: parking_session=215a8bf8-0e2d-4579-a9e0-ffb15187690d
              Source: global traffic | HTTP traffic detected: GET /?subid1=20250115-0842-3207-bd07-6551d635081d HTTP/1.1 | Cache-Control: no-cache | Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | Connection: Keep-Alive
              Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.8:49709 -> 103.224.212.215:80
              Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.8:49707 -> 103.224.212.215:80
              Source: unknown | TCP traffic detected without corresponding DNS query: 23.206.229.226
              Source: unknown | TCP traffic detected without corresponding DNS query: 192.229.211.108
              Source: unknown | TCP traffic detected without corresponding DNS query: 23.206.229.226
              Source: unknown | TCP traffic detected without corresponding DNS query: 23.206.229.226
              Source: unknown | TCP traffic detected without corresponding DNS query: 23.206.229.226
              Source: unknown | TCP traffic detected without corresponding DNS query: 119.38.196.13
              Source: unknown | TCP traffic detected without corresponding DNS query: 119.38.196.13
              Source: unknown | TCP traffic detected without corresponding DNS query: 119.38.196.13
              Source: unknown | TCP traffic detected without corresponding DNS query: 119.38.196.1
              Source: unknown | TCP traffic detected without corresponding DNS query: 119.38.196.13
              Source: unknown | TCP traffic detected without corresponding DNS query: 119.38.196.1
              Source: unknown | TCP traffic detected without corresponding DNS query: 119.38.196.1
              Source: unknown | TCP traffic detected without corresponding DNS query: 119.38.196.1
              Source: unknown | TCP traffic detected without corresponding DNS query: 119.38.196.1
              Source: unknown | TCP traffic detected without corresponding DNS query: 119.38.196.1
              Source: unknown | TCP traffic detected without corresponding DNS query: 119.38.196.1
              Source: unknown | TCP traffic detected without corresponding DNS query: 23.206.229.226
              Source: unknown | TCP traffic detected without corresponding DNS query: 63.85.204.70
              Source: unknown | TCP traffic detected without corresponding DNS query: 63.85.204.70
              Source: unknown | TCP traffic detected without corresponding DNS query: 63.85.204.70
              Source: unknown | TCP traffic detected without corresponding DNS query: 63.85.204.1
              Source: unknown | TCP traffic detected without corresponding DNS query: 63.85.204.70
              Source: unknown | TCP traffic detected without corresponding DNS query: 63.85.204.1
              Source: unknown | TCP traffic detected without corresponding DNS query: 63.85.204.1
              Source: unknown | TCP traffic detected without corresponding DNS query: 63.85.204.1
              Source: unknown | TCP traffic detected without corresponding DNS query: 63.85.204.1
              Source: unknown | TCP traffic detected without corresponding DNS query: 63.85.204.1
              Source: unknown | TCP traffic detected without corresponding DNS query: 63.85.204.1
              Source: unknown | TCP traffic detected without corresponding DNS query: 83.249.153.94
              Source: unknown | TCP traffic detected without corresponding DNS query: 83.249.153.94
              Source: unknown | TCP traffic detected without corresponding DNS query: 83.249.153.94
              Source: unknown | TCP traffic detected without corresponding DNS query: 83.249.153.1
              Source: unknown | TCP traffic detected without corresponding DNS query: 83.249.153.94
              Source: unknown | TCP traffic detected without corresponding DNS query: 83.249.153.1
              Source: unknown | TCP traffic detected without corresponding DNS query: 83.249.153.1
              Source: unknown | TCP traffic detected without corresponding DNS query: 83.249.153.1
              Source: unknown | TCP traffic detected without corresponding DNS query: 83.249.153.1
              Source: unknown | TCP traffic detected without corresponding DNS query: 83.249.153.1
              Source: unknown | TCP traffic detected without corresponding DNS query: 83.249.153.1
              Source: unknown | TCP traffic detected without corresponding DNS query: 27.108.78.45
              Source: unknown | TCP traffic detected without corresponding DNS query: 27.108.78.45
              Source: unknown | TCP traffic detected without corresponding DNS query: 27.108.78.45
              Source: unknown | TCP traffic detected without corresponding DNS query: 27.108.78.1
              Source: unknown | TCP traffic detected without corresponding DNS query: 27.108.78.45
              Source: unknown | TCP traffic detected without corresponding DNS query: 27.108.78.1
              Source: unknown | TCP traffic detected without corresponding DNS query: 27.108.78.1
              Source: unknown | TCP traffic detected without corresponding DNS query: 27.108.78.1
              Source: unknown | TCP traffic detected without corresponding DNS query: 27.108.78.1
              Source: unknown | TCP traffic detected without corresponding DNS query: 27.108.78.1
              Source: unknown | TCP traffic detected without corresponding DNS query: 27.108.78.1
              Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: GET /?subid1=20250115-0842-3096-a478-d7c464a3f0ca HTTP/1.1 | Cache-Control: no-cache | Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | Connection: Keep-Alive
              Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | Cache-Control: no-cache | Cookie: __tad=1736890950.7011300
              Source: global traffic | HTTP traffic detected: GET /?subid1=20250115-0842-32cc-b361-86c8884a5eaf HTTP/1.1 | Cache-Control: no-cache | Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | Connection: Keep-Alive | Cookie: parking_session=215a8bf8-0e2d-4579-a9e0-ffb15187690d
              Source: global traffic | HTTP traffic detected: GET /?subid1=20250115-0842-3207-bd07-6551d635081d HTTP/1.1 | Cache-Control: no-cache | Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | Connection: Keep-Alive
              Source: global traffic | DNS traffic detected: DNS query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
              Source: global traffic | DNS traffic detected: DNS query: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
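              The two pieces of network evidence that matter most in this report are the SMB fan-out earlier in the section (one sandbox host connecting to dozens of 192.168.2.0/24 addresses on 445/tcp, the worm's lateral-spread behaviour) and the Networking rows just above (the lookup of the WannaCry kill-switch domain, which now answers with a ww25 parking redirect and a parking_session cookie, plus raw-IP connections to public /24s with no preceding DNS query). The script below is an added example, written for this page and not part of Joe Sandbox or the report; it triages evidence rows of that kind. It assumes the rows are written as "Source: <source> | <evidence>" with the report's fused table cells separated, the sample rows are constructed by hand from the report's own addresses (abbreviated), and min_hosts=10 is a tuning assumption, not a value from the report. The svchost.exe strings that follow in the section (Passport.NET, login.live.com, account.live.com) are the usual Microsoft account service strings found in a Windows svchost.exe host process and are not attributable to the sample, so the script deliberately does not treat memory strings as indicators.

```python
"""Triage the Networking evidence of a sandbox report for worm-style SMB
spreading and for the WannaCry kill-switch lookup.

Added example, not Joe Sandbox code. Assumes evidence rows in the
'Source: <source> | <evidence>' shape; sample rows below are constructed
by hand from the addresses in the report (abbreviated).
"""
import ipaddress
import re
from collections import defaultdict

KILLSWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com"

# Constructed sample rows modelled on the report (not the full list).
SAMPLE_ROWS = """\
Source: global traffic | TCP traffic: 192.168.2.100:445
Source: global traffic | TCP traffic: 192.168.2.81:445
Source: global traffic | TCP traffic: 192.168.2.101:445
Source: global traffic | TCP traffic: 192.168.2.84:445
Source: global traffic | TCP traffic: 192.168.2.83:445
Source: global traffic | TCP traffic: 192.168.2.75:445
Source: global traffic | TCP traffic: 192.168.2.74:445
Source: global traffic | TCP traffic: 192.168.2.77:445
Source: global traffic | TCP traffic: 192.168.2.113:445
Source: global traffic | TCP traffic: 192.168.2.76:445
Source: global traffic | TCP traffic: 192.168.2.114:445
Source: global traffic | TCP traffic: 192.168.2.79:445
Source: global traffic | DNS traffic detected: DNS query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /?subid1=20250115-0842-32cc-b361-86c8884a5eaf HTTP/1.1 | Cache-Control: no-cache | Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | Connection: Keep-Alive | Cookie: parking_session=215a8bf8-0e2d-4579-a9e0-ffb15187690d
Source: unknown | TCP traffic detected without corresponding DNS query: 119.38.196.13
Source: unknown | TCP traffic detected without corresponding DNS query: 119.38.196.1
Source: unknown | TCP traffic detected without corresponding DNS query: 63.85.204.70
Source: unknown | TCP traffic detected without corresponding DNS query: 63.85.204.1
"""

SMB_RE = re.compile(r"TCP traffic: (\d+\.\d+\.\d+\.\d+):445\b")
NODNS_RE = re.compile(r"without corresponding DNS query: (\d+\.\d+\.\d+\.\d+)")
HOST_RE = re.compile(r"Host: ([\w.-]+)")


def smb_targets_by_subnet(rows):
    """Map each /24 to the set of distinct hosts contacted on 445/tcp."""
    per_subnet = defaultdict(set)
    for m in SMB_RE.finditer(rows):
        ip = ipaddress.ip_address(m.group(1))
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        per_subnet[str(net)].add(str(ip))
    return per_subnet


def smb_spread_verdict(rows, min_hosts=10):
    """Flag worm-style SMB scanning: many distinct private hosts on 445
    inside one /24. min_hosts is a tuning assumption for this example."""
    hits = {}
    for net, hosts in smb_targets_by_subnet(rows).items():
        private = {h for h in hosts if ipaddress.ip_address(h).is_private}
        if len(private) >= min_hosts:
            hits[net] = len(private)
    return hits


def external_no_dns_subnets(rows):
    """Public /24s reached by raw IP with no DNS query, grouped so the
    '<host> then <.1 of the same /24>' pairs in the report stand out."""
    per_subnet = defaultdict(set)
    for m in NODNS_RE.finditer(rows):
        ip = ipaddress.ip_address(m.group(1))
        if ip.is_global:
            net = ipaddress.ip_network(f"{ip}/24", strict=False)
            per_subnet[str(net)].add(str(ip))
    return {net: sorted(hosts) for net, hosts in per_subnet.items()}


def killswitch_status(rows):
    """Was the kill-switch domain queried, and did the answer look like a
    parking page (ww25 host plus a parking_session cookie)?"""
    queried = f"DNS query: www.{KILLSWITCH_DOMAIN}" in rows
    hosts = set(HOST_RE.findall(rows))
    parked = f"ww25.{KILLSWITCH_DOMAIN}" in hosts and "parking_session=" in rows
    return {"queried": queried, "parked_response": parked}


if __name__ == "__main__":
    print(smb_spread_verdict(SAMPLE_ROWS))
    print(external_no_dns_subnets(SAMPLE_ROWS))
    print(killswitch_status(SAMPLE_ROWS))
```

On the report's full row set the SMB verdict covers the whole 192.168.2.0/24 sweep, the no-DNS grouping shows each public /24 as a random host followed by repeated hits on its .1 address, and the kill-switch check reports the domain as queried with a parking-style answer; note that a successful HTTP answer from that domain is what the original WannaCry used as its stop condition, so what the sandbox's network path returns for it directly affects which of the later behaviours are observed.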
              Source: svchost.exe, 0000000F.00000002.2797480723.000001F22BF6D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2797445609.000001F22BF37000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/STS
              Source: svchost.exe, 0000000F.00000002.2797577121.000001F22C43D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1633985081.000001F22BF52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1621897874.000001F22BF53000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2797552361.000001F22C415000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2797480723.000001F22BF6D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1600032519.000001F22BF29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1633985081.000001F22BF59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/tb
              Source: svchost.exe, 0000000F.00000002.2797031764.000001F22B681000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/tb:pp
              Source: svchost.exe, 0000000F.00000002.2797577121.000001F22C43D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/tb_
              Source: svchost.exe, 0000000F.00000002.2797577121.000001F22C43D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/tb_k
              Source: svchost.exe, 0000000F.00000002.2797122115.000001F22B6C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
              Source: svchost.exe, 0000000F.00000002.2797552361.000001F22C415000.00000004.00000020.00020000.00000000.sdmp, 57C8EDB95DF3F0AD4EE2DC2B8CFD41570.15.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
              Source: svchost.exe, 0000000F.00000003.1645563508.000001F22BF33000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1620706961.000001F22BF32000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1621411496.000001F22BF58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2797480723.000001F22BF6D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2797393464.000001F22BF30000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1620595444.000001F22BF30000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1633412468.000001F22BF33000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1620524966.000001F22BF33000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1633951055.000001F22BF33000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
              Source: svchost.exe, 0000000F.00000002.2797480723.000001F22BF6D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsds
              Source: svchost.exe, 0000000F.00000003.1633412468.000001F22BF33000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1620524966.000001F22BF33000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1633951055.000001F22BF33000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
              Source: svchost.exe, 0000000F.00000002.2797480723.000001F22BF6D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdpe
              Source: svchost.exe, 0000000F.00000002.2797031764.000001F22B681000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2797658785.000001F22C47D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://passport.net/tb
              Source: svchost.exe, 0000000F.00000002.2797445609.000001F22BF37000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
              Source: svchost.exe, 0000000F.00000002.2797480723.000001F22BF5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2797480723.000001F22BF6D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2797445609.000001F22BF37000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
              Source: svchost.exe, 0000000F.00000002.2797480723.000001F22BF5F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
              Source: svchost.exe, 0000000F.00000002.2797445609.000001F22BF37000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scken
              Source: svchost.exe, 0000000F.00000002.2797480723.000001F22BF5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2797445609.000001F22BF37000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
              Source: svchost.exe, 0000000F.00000003.1633985081.000001F22BF52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1621897874.000001F22BF53000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1633985081.000001F22BF59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
              Source: svchost.exe, 0000000F.00000002.2797480723.000001F22BF6D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issueue
              Source: svchost.exe, 0000000F.00000002.2797480723.000001F22BF6D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
              Source: svchost.exe, 0000000F.00000002.2797480723.000001F22BF6D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
              Source: svchost.exe, 0000000F.00000002.2797480723.000001F22BF5F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trustbc
              Source: svchost.exe, 0000000F.00000002.2797445609.000001F22BF37000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trustm
              Source: Amcache.hve.14.dr | String found in binary or memory: http://upx.sf.net
              Source: mssecsvr.exe, 00000006.00000002.1584053188.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2225441842.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.1585287821.0000000000A8E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/
              Source: mssecsvr.exe, 00000006.00000002.1584053188.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/.
              Source: mssecsvr.exe, 00000008.00000002.2225441842.0000000000A58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/8
              Source: mssecsvr.exe, 00000006.00000002.1584053188.0000000000A80000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0842-3096-a478-d7c464a3f0
              Source: mssecsvr.exe, 00000008.00000002.2225441842.0000000000A7B000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2225441842.0000000000A9D000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000003.1584037651.0000000000A9D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0842-3207-bd07-6551d63508
              Source: mssecsvr.exe, 0000000A.00000002.1585287821.0000000000A79000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.1585287821.0000000000A6C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0842-32cc-b361-86c8884a5e
              Source: mssecsvr.exe, 00000006.00000002.1584053188.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/p
              Source: mssecsvr.exe.3.dr | String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
              Source: mssecsvr.exe, 00000006.00000002.1584053188.0000000000A66000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000002.1584053188.0000000000A80000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2225441842.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000003.1583298451.0000000000AA2000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.1585287821.0000000000A37000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.1585287821.0000000000A79000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/
              Source: mssecsvr.exe, 00000008.00000002.2225441842.0000000000A58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/2XJ
              Source: mssecsvr.exe, 00000008.00000002.2225441842.0000000000A58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/X
              Source: mssecsvr.exe, 0000000A.00000002.1585287821.0000000000A37000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/b
              Source: mssecsvr.exe, 00000008.00000002.2225441842.0000000000A58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/s
              Source: mssecsvr.exe, 00000008.00000002.2222517608.000000000019D000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ
              Source: mssecsvr.exe, 0000000A.00000002.1585287821.0000000000A37000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comO
              Source: mssecsvr.exe, 00000008.00000002.2225441842.0000000000A58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comgs
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502
              Source: svchost.exe, 0000000F.00000003.1599257869.000001F22BF56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598718329.000001F22BF29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598718329.000001F22BF2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598845700.000001F22BF52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601
              Source: svchost.exe, 0000000F.00000003.1598718329.000001F22BF29000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
              Source: svchost.exe, 0000000F.00000003.1599257869.000001F22BF56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598718329.000001F22BF29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598845700.000001F22BF52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
              Source: svchost.exe, 0000000F.00000003.1599257869.000001F22BF56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598718329.000001F22BF29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598845700.000001F22BF52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
              Source: svchost.exe, 0000000F.00000003.1599257869.000001F22BF56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598718329.000001F22BF29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598845700.000001F22BF52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
              Source: svchost.exe, 0000000F.00000003.1599257869.000001F22BF56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598718329.000001F22BF29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598845700.000001F22BF52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
              Source: svchost.exe, 0000000F.00000003.1598718329.000001F22BF29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599048340.000001F22BF57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598845700.000001F22BF52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/msangcwam
              Source: svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.ecur
              Source: svchost.exe, 0000000F.00000002.2797068737.000001F22B6A5000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796933895.000001F22B62B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
              Source: svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/
              Source: svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ApproveSession.srf
              Source: svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ApproveSession.srf53457
              Source: svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
              Source: svchost.exe, 0000000F.00000003.1599257869.000001F22BF56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598718329.000001F22BF29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598845700.000001F22BF52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
              Source: svchost.exe, 0000000F.00000003.1599257869.000001F22BF56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598718329.000001F22BF29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598845700.000001F22BF52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599152522.000001F22BF6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599152522.000001F22BF6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599152522.000001F22BF6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598718329.000001F22BF2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
              Source: svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ListSessions.srf
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ManageApprover.srf
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ManageLoginKeys.srf
              Source: svchost.exe, 0000000F.00000002.2797031764.000001F22B698000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2797658785.000001F22C47D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/RST2.srf
              Source: svchost.exe, 0000000F.00000002.2797577121.000001F22C43D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/RST2.srfDM
              Source: svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/didtou.srf
              Source: svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/didtou.srfice
              Source: svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/getrealminfo.srf
              Source: svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/getuserrealm.srf
              Source: svchost.exe, 0000000F.00000003.1599257869.000001F22BF56000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsec
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599152522.000001F22BF6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srf
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599152522.000001F22BF6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2797480723.000001F22BF6D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srf
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceQuery.srf
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599152522.000001F22BF6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srf
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599152522.000001F22BF6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srf
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf
              Source: svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetAppData.srfrfrf6085fid=cpsrf
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599152522.000001F22BF6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srf
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599152522.000001F22BF6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598718329.000001F22BF2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf
              Source: svchost.exe, 0000000F.00000003.1599257869.000001F22BF56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598718329.000001F22BF29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598845700.000001F22BF52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600
              Source: svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600UE
              Source: svchost.exe, 0000000F.00000003.1599257869.000001F22BF56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598718329.000001F22BF29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796933895.000001F22B62B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598845700.000001F22BF52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601
              Source: svchost.exe, 0000000F.00000003.1599257869.000001F22BF56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598718329.000001F22BF29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603
              Source: svchost.exe, 0000000F.00000003.1599257869.000001F22BF56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598718329.000001F22BF29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598845700.000001F22BF52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599152522.000001F22BF6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srf
              Source: svchost.exe, 0000000F.00000003.1598718329.000001F22BF2C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfm
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502
              Source: svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502R
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598718329.000001F22BF29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600
              Source: svchost.exe, 0000000F.00000003.1599257869.000001F22BF56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598718329.000001F22BF29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598845700.000001F22BF52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601
              Source: svchost.exe, 0000000F.00000003.1599257869.000001F22BF56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598718329.000001F22BF29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598845700.000001F22BF52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603
              Source: svchost.exe, 0000000F.00000003.1598845700.000001F22BF52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604
              Source: svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=806044
              Source: svchost.exe, 0000000F.00000003.1599257869.000001F22BF56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598718329.000001F22BF29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598845700.000001F22BF52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605
              Source: svchost.exe, 0000000F.00000003.1599257869.000001F22BF56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598718329.000001F22BF29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598845700.000001F22BF52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598718329.000001F22BF29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598845700.000001F22BF52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598718329.000001F22BF29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599048340.000001F22BF57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598845700.000001F22BF52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608
              Source: svchost.exe, 0000000F.00000003.1599257869.000001F22BF56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598718329.000001F22BF29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796933895.000001F22B62B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598845700.000001F22BF52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
              Source: svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598817104.000001F22BF5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598718329.000001F22BF2C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
              Source: svchost.exe, 0000000F.00000003.1599257869.000001F22BF56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598718329.000001F22BF29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598845700.000001F22BF52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
              Source: svchost.exe, 0000000F.00000002.2797031764.000001F22B681000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srfm
              Source: svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srf
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
              Source: svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf
              Source: svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srfLive
              Source: svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/resetpw.srf
              Source: svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2797445609.000001F22BF37000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/retention.srf
              Source: svchost.exe, 0000000F.00000002.2797122115.000001F22B6BF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2797161373.000001F22B6D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com:443/RST2.srf
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/MSARST2.srf
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srf
              Source: svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srfJ
              Source: svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf.
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf
              Source: svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf-
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf
              Source: svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf%
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/ResolveUser.srf
              Source: svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srf
              Source: svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/devicechangecredential.srf
              Source: svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf
              Source: svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598845700.000001F22BF55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://signup.live.com/signup.aspx
              Source: svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://signup.live.com/signup.aspxice
              Source: unknown | Network traffic detected: HTTP traffic on port 49673 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49672 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706

              Spam, unwanted Advertisements and Ransom Demands

              Source: Yara match | File source: ruXU7wj3X9.dll, type: SAMPLE
              Source: Yara match | File source: 8.2.mssecsvr.exe.1d4a084.5.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.mssecsvr.exe.22738c8.9.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 10.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 10.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.mssecsvr.exe.1d59104.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.mssecsvr.exe.2282948.6.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.mssecsvr.exe.22a596c.8.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.mssecsvr.exe.1d7c128.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.mssecsvr.exe.1d59104.4.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.mssecsvr.exe.227e8e8.7.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.mssecsvr.exe.1d550a4.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.mssecsvr.exe.2282948.6.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000008.00000002.2223330577.000000000042E000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000A.00000002.1584683802.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000A.00000000.1562813019.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.1583712259.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000000.1534389465.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000000.1560048220.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000000.1560193255.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000000.1534540990.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000002.2225953882.0000000001D59000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000002.2223913366.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.1583843452.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000A.00000000.1562935692.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000A.00000002.1584859851.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000002.2226237017.0000000002282000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: mssecsvr.exe PID: 5944, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: mssecsvr.exe PID: 6552, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: mssecsvr.exe PID: 6720, type: MEMORYSTR
              Source: Yara match | File source: C:\Windows\tasksche.exe, type: DROPPED
              Source: Yara match | File source: C:\Windows\mssecsvr.exe, type: DROPPED

              System Summary

              Source: ruXU7wj3X9.dll, type: SAMPLE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: ruXU7wj3X9.dll, type: SAMPLE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 8.2.mssecsvr.exe.22738c8.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvr.exe.1d4a084.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 8.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 8.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 8.2.mssecsvr.exe.1d7c128.3.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvr.exe.1d7c128.3.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 10.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 10.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 8.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 11.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 11.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 8.2.mssecsvr.exe.22a596c.8.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvr.exe.22a596c.8.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 10.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 10.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 11.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 11.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 8.2.mssecsvr.exe.1d4a084.5.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvr.exe.1d4a084.5.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
              Source: 8.2.mssecsvr.exe.22738c8.9.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvr.exe.22738c8.9.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
              Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 10.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 10.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 10.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 10.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 8.2.mssecsvr.exe.1d59104.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvr.exe.1d59104.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
              Source: 8.2.mssecsvr.exe.1d59104.4.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
              Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
              Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
              Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
              Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 8.2.mssecsvr.exe.2282948.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvr.exe.2282948.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
              Source: 8.2.mssecsvr.exe.2282948.6.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 8.2.mssecsvr.exe.22a596c.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvr.exe.22a596c.8.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
              Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 8.2.mssecsvr.exe.1d7c128.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvr.exe.1d7c128.3.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
              Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 8.2.mssecsvr.exe.1d59104.4.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvr.exe.1d59104.4.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 8.2.mssecsvr.exe.227e8e8.7.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvr.exe.227e8e8.7.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 8.2.mssecsvr.exe.1d550a4.2.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvr.exe.1d550a4.2.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 8.2.mssecsvr.exe.2282948.6.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvr.exe.2282948.6.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 0000000B.00000000.1584094306.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 00000008.00000000.1560193255.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 00000006.00000000.1534540990.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 00000008.00000002.2225953882.0000000001D59000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 00000008.00000002.2223913366.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 00000006.00000002.1583843452.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 0000000A.00000000.1562935692.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 0000000A.00000002.1584859851.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 00000008.00000002.2226237017.0000000002282000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: C:\Windows\tasksche.exe, type: DROPPED | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: C:\Windows\tasksche.exe, type: DROPPED | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: C:\Windows\mssecsvr.exe, type: DROPPED | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: C:\Windows\mssecsvr.exe, type: DROPPED | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
              Source: C:\Windows\mssecsvr.exe, type: DROPPED | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: C:\Windows\tasksche.exe | Code function: 11_2_0040690A: __EH_prolog,_wcslen,_wcscpy,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,_wcscpy,_wcscpy,_wcscpy,_wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\WINDOWS\mssecsvr.exe
              Source: C:\Windows\mssecsvr.exe | File created: C:\WINDOWS\tasksche.exe
              Source: C:\Windows\tasksche.exe | Code function: 11_2_0041B0D9
              Source: C:\Windows\tasksche.exe | Code function: 11_2_0041B8B9
              Source: C:\Windows\tasksche.exe | Code function: 11_2_00414946
              Source: C:\Windows\tasksche.exe | Code function: 11_2_00404986
              Source: C:\Windows\tasksche.exe | Code function: 11_2_00429241
              Source: C:\Windows\tasksche.exe | Code function: 11_2_0042727C
              Source: C:\Windows\tasksche.exe | Code function: 11_2_004283FC
              Source: C:\Windows\tasksche.exe | Code function: 11_2_0041AC04
              Source: C:\Windows\tasksche.exe | Code function: 11_2_00416C3F
              Source: C:\Windows\tasksche.exe | Code function: 11_2_00401CC1
              Source: C:\Windows\tasksche.exe | Code function: 11_2_0041F4D4
              Source: C:\Windows\tasksche.exe | Code function: 11_2_0041BCD9
              Source: C:\Windows\tasksche.exe | Code function: 11_2_0041B4AD
              Source: C:\Windows\tasksche.exe | Code function: 11_2_00417D78
              Source: C:\Windows\tasksche.exe | Code function: 11_2_00427D04
              Source: C:\Windows\tasksche.exe | Code function: 11_2_0041450F
              Source: C:\Windows\tasksche.exe | Code function: 11_2_0040FDFA
              Source: C:\Windows\tasksche.exe | Code function: 11_2_00415D9A
              Source: C:\Windows\tasksche.exe | Code function: 11_2_00405610
              Source: C:\Windows\tasksche.exe | Code function: 11_2_0041462B
              Source: C:\Windows\tasksche.exe | Code function: 11_2_00413EE3
              Source: C:\Windows\tasksche.exe | Code function: 11_2_0040FEF0
              Source: C:\Windows\tasksche.exe | Code function: 11_2_00402F2C
              Source: C:\Windows\tasksche.exe | Code function: 11_2_004277C0
              Source: C:\Windows\tasksche.exe | String function: 0041FA9C appears 38 times
              Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3456 -ip 3456
              Source: mssecsvr.exe.3.dr | Static PE information: Resource name: R type: PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive
              Source: ruXU7wj3X9.dll, type: SAMPLE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: ruXU7wj3X9.dll, type: SAMPLE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.2.mssecsvr.exe.22738c8.9.raw.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.2.mssecsvr.exe.1d4a084.5.raw.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.2.mssecsvr.exe.1d7c128.3.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.2.mssecsvr.exe.1d7c128.3.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 10.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 10.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 11.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 11.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.2.mssecsvr.exe.22a596c.8.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.2.mssecsvr.exe.22a596c.8.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 10.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 10.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 11.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 11.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.2.mssecsvr.exe.1d4a084.5.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.2.mssecsvr.exe.1d4a084.5.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 8.2.mssecsvr.exe.22738c8.9.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.2.mssecsvr.exe.22738c8.9.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 10.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 10.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 10.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 10.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.2.mssecsvr.exe.1d59104.4.raw.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.2.mssecsvr.exe.1d59104.4.raw.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 8.2.mssecsvr.exe.1d59104.4.raw.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.2.mssecsvr.exe.2282948.6.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.2.mssecsvr.exe.2282948.6.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 8.2.mssecsvr.exe.2282948.6.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.2.mssecsvr.exe.22a596c.8.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.2.mssecsvr.exe.22a596c.8.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.2.mssecsvr.exe.1d7c128.3.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.2.mssecsvr.exe.1d7c128.3.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.2.mssecsvr.exe.1d59104.4.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.2.mssecsvr.exe.1d59104.4.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.2.mssecsvr.exe.227e8e8.7.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.2.mssecsvr.exe.227e8e8.7.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.2.mssecsvr.exe.1d550a4.2.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.2.mssecsvr.exe.1d550a4.2.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.2.mssecsvr.exe.2282948.6.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.2.mssecsvr.exe.2282948.6.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 0000000B.00000000.1584094306.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 00000008.00000000.1560193255.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 00000006.00000000.1534540990.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 00000008.00000002.2225953882.0000000001D59000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 00000008.00000002.2223913366.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 00000006.00000002.1583843452.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 0000000A.00000000.1562935692.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 0000000A.00000002.1584859851.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 00000008.00000002.2226237017.0000000002282000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: C:\Windows\tasksche.exe, type: DROPPEDMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: C:\Windows\tasksche.exe, type: DROPPEDMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: C:\Windows\mssecsvr.exe, type: DROPPEDMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: C:\Windows\mssecsvr.exe, type: DROPPEDMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: C:\Windows\mssecsvr.exe, type: DROPPEDMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: tasksche.exe.10.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\hcw85cir.sys
              Source: tasksche.exe.10.drBinary string: 2\Device\HarddiskVolume2\Windows\System32\Tasks\WPD\$
              Source: tasksche.exe.10.drBinary string: 3\Device\HarddiskVolume2\Windows\System32\bdesvc.dll^BN
              Source: tasksche.exe.10.drBinary string: K\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\PLA\System
              Source: mssecsvr.exe.3.drBinary string: +\Device\HarddiskVolume2\Windows\System32\en_CPU
              Source: tasksche.exe.10.drBinary string: O\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
              Source: tasksche.exe.10.drBinary string: +\Device\HarddiskVolume2\ProgramData\Avg\log
              Source: tasksche.exe.10.drBinary string: {\Device\HarddiskVolume2\Windows\Performance\WinSAT\DataStore\2016-02-02 17.08.06.946 Formal.Assessment (Initial).WinSAT.xml
              Source: tasksche.exe.10.drBinary string: \Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\av16\temp\avg-2c059045-004a-4137-b301-6c3064f40275.tmpb
              Source: tasksche.exe.10.drBinary string: D\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\Ras
              Source: tasksche.exe.10.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\ipnat.sys
              Source: tasksche.exe.10.drBinary string: .\Device\HarddiskVolume2\Windows\inf\rspndr.PNFQ0pIRp
              Source: tasksche.exe.10.drBinary string: 5\Device\HarddiskVolume2\Windows\Globalization\Sortingp
              Source: tasksche.exe.10.drBinary string: 9\Device\HarddiskVolume2\Windows\System32\drivers\mpio.sys
              Source: tasksche.exe.10.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\iirsp.sys
              Source: tasksche.exe.10.drBinary string: F\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\cpu.inf_locCC
              Source: tasksche.exe.10.drBinary string: -\Device\HarddiskVolume2\Windows\Globalization
              Source: tasksche.exe.10.drBinary string: u\Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtxp
              Source: tasksche.exe.10.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\ndiscap.sysS,
              Source: tasksche.exe.10.drBinary string: 5\Device\HarddiskVolume2\Windows\Resources\Themes\Aero
              Source: tasksche.exe.10.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\circlass.sys
              Source: tasksche.exe.10.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\lsi_sas.sysM
              Source: tasksche.exe.10.drBinary string: /\Device\HarddiskVolume2\Windows\ehome\ehrec.exe
              Source: tasksche.exe.10.drBinary string: Y\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\av16\temp
              Source: tasksche.exe.10.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\lsi_sas2.sys
              Source: tasksche.exe.10.drBinary string: i\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\RemoteApp and Desktop Connections Update
              Source: tasksche.exe.10.drBinary string: @\Device\HarddiskVolume2\Windows\Prefetch\DLLHOST.EXE-766398D2.pf_Tp
              Source: tasksche.exe.10.drBinary string: 6\Device\HarddiskVolume2\Windows\System32\WinSATAPI.dllp
              Source: tasksche.exe.10.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\iscsiexe.dll
              Source: tasksche.exe.10.drBinary string: :\Device\HarddiskVolume2\ProgramData\Avg\log\AV16\nslog.cfgS
              Source: tasksche.exe.10.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\tdpipe.sys
              Source: tasksche.exe.10.drBinary string: ?\Device\HarddiskVolume2\Users\
              Source: tasksche.exe.10.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\msdsm.sysS1
              Source: tasksche.exe.10.drBinary string: 4\Device\HarddiskVolume2\Windows\System32\wuaueng.dll
              Source: tasksche.exe.10.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\1394ohci.sys
              Source: tasksche.exe.10.drBinary string: I\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows Defender
              Source: tasksche.exe.10.drBinary string: 0\Device\HarddiskVolume2\Windows\inf\netsstpt.PNFwnp
              Source: tasksche.exe.10.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\lsi_sas.sys
              Source: tasksche.exe.10.drBinary string: 4\Device\HarddiskVolume2\Windows\System32\termsrv.dll
              Source: tasksche.exe.10.drBinary string: H\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\mshdc.inf_loc
              Source: tasksche.exe.10.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\BrUsbSer.sys
              Source: tasksche.exe.10.drBinary string: >\Device\HarddiskVolume2\Windows\System32\drivers\filetrace.sysp}
              Source: mssecsvr.exe.3.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\WUDFRd.sys
              Source: tasksche.exe.10.drBinary string: 3\Device\HarddiskVolume2\Windows\System32\wersvc.dllTV
              Source: tasksche.exe.10.drBinary string: \Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\av16\temp\avg-7e9df016-cbcc-4646-838e-02461299762d.tmp
              Source: tasksche.exe.10.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\irenum.sys
              Source: tasksche.exe.10.drBinary string: 3\Device\HarddiskVolume2\Windows\System32\wscsvc.dllLNKD
              Source: tasksche.exe.10.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\ipfltdrv.sys
              Source: tasksche.exe.10.drBinary string: ;\Device\HarddiskVolume2\ProgramData\Avg\log\AV16\publog.cfgk
              Source: tasksche.exe.10.drBinary string: 2\Device\HarddiskVolume2\Windows\ehome\mcupdate.exe
              Source: tasksche.exe.10.drBinary string: \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_ru-ru_a13dea73a92ad990\comctl32.dll.muiME
              Source: tasksche.exe.10.drBinary string: =\Device\HarddiskVolume2\ProgramData\Avg\log\AV16\schedlog.cfgp
              Source: tasksche.exe.10.drBinary string: ;\Device\Hardd
              Source: tasksche.exe.10.drBinary string: 2\Device\HarddiskVolume2\Windows\System32\KMSVC.DLLVID3PP
              Source: tasksche.exe.10.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\gpprnext.dll
              Source: tasksche.exe.10.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\adpahci.sys
              Source: tasksche.exe.10.drBinary string: /\Device\HarddiskVolume2\Windows\inf\ndisuio.PNFT`
              Source: tasksche.exe.10.drBinary string: h\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\log\av16\avgemc.log.lockA
              Source: tasksche.exe.10.drBinary string: q\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Contentp
              Source: tasksche.exe.10.drBinary string: -\Device\HarddiskVolume2\Windows\inf\netnb.PNFp
              Source: tasksche.exe.10.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\dxgkrnl.sysT
              Source: tasksche.exe.10.drBinary string: m\Device\HarddiskVolume2\Users\
              Source: tasksche.exe.10.drBinary string: J\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\ndisuio.inf_loc
              Source: tasksche.exe.10.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\wbengine.exe&
              Source: tasksche.exe.10.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\b57nd60x.sysp
              Source: tasksche.exe.10.drBinary string: 7\Device\HarddiskVolume2\Program Files\AVG\Av\avg_ru.lng>"
              Source: tasksche.exe.10.drBinary string: D\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\MUI
              Source: tasksche.exe.10.drBinary string: .\Device\HarddiskVolume2\Windows\inf\wfplwf.PNF
              Source: tasksche.exe.10.drBinary string: \Device\HarddiskVolume2\$Extend
              Source: tasksche.exe.10.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\nfrd960.sys
              Source: tasksche.exe.10.drBinary string: 4\Device\HarddiskVolume2\Windows\System32\WebClnt.dllG
              Source: tasksche.exe.10.drBinary string: Q\Device\HarddiskVolume2\Windows\Temp\avg-3778490c-65ff-4631-9fd1-8f2e97842712.tmp
              Source: mssecsvr.exe.3.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\vhdmp.sysskV
              Source: mssecsvr.exe.3.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\viac7.sys\\._PR
              Source: tasksche.exe.10.drBinary string: 4\Device\HarddiskVolume2\Windows\System32\fdPHost.dll
              Source: tasksche.exe.10.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\bthmodem.sys
              Source: tasksche.exe.10.drBinary string: Q\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\RemoteAssistance(
              Source: mssecsvr.exe.3.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\VIAAGP.SYSi\
              Source: tasksche.exe.10.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\HpSAMD.sys01CP
              Source: tasksche.exe.10.drBinary string: T\Device\HarddiskVolume2\Users\
              Source: tasksche.exe.10.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\hidbth.sys$H
              Source: tasksche.exe.10.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\gpprefcl.dll
              Source: tasksche.exe.10.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\megasas.sysPD
              Source: tasksche.exe.10.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\evbdx.sysC
              Source: tasksche.exe.10.drBinary string: 3\Device\HarddiskVolume2\Windows\System32\wpcsvc.dll
              Source: tasksche.exe.10.drBinary string: ;\Device\HarddiskVolume2\ProgramData\Avg\log\AV16\emclog.cfgH
              Source: tasksche.exe.10.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\stexstor.sys
              Source: tasksche.exe.10.drBinary string: 9\Device\HarddiskVolume2\Windows\System32\drivers\udfs.sys
              Source: tasksche.exe.10.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\vsmraid.sysp
              Source: tasksche.exe.10.drBinary string: 4\Device\HarddiskVolume2\Windows\System32\rasmans.dll
              Source: tasksche.exe.10.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\adp94xx.sys
              Source: tasksche.exe.10.drBinary string: 3\Device\HarddiskVolume2\Windows\System32\usbmon.dll
              Source: tasksche.exe.10.drBinary string: /\Device\HarddiskVolume2\Windows\inf\netrasa.PNFMPARp
              Source: tasksche.exe.10.drBinary string: K\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\netnwifi.inf_locPCF
              Source: mssecsvr.exe.3.drBinary string: r\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs1
              Source: tasksche.exe.10.drBinary string: X\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\Windows Error ReportingPU
              Source: tasksche.exe.10.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\sermouse.sys
              Source: tasksche.exe.10.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\vmbus.sysg\M
              Source: tasksche.exe.10.drBinary string: ,\Device\HarddiskVolume2\Windows\inf\disk.PNFH
              Source: tasksche.exe.10.drBinary string: T\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\av16p
              Source: tasksche.exe.10.drBinary string: E\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\UPnPp
              Source: tasksche.exe.10.drBinary string: 2\Device\HarddiskVolume2\Windows\System32\msdtc.exe}SDTL
              Source: tasksche.exe.10.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\aelupsvc.dll
              Source: tasksche.exe.10.drBinary string: F\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\Tcpip
              Source: tasksche.exe.10.drBinary string: D\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\RACU5
              Source: tasksche.exe.10.drBinary string: \Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\log\av16\avg-7167c74e-f403-416d-93ad-1632477e850e.tmpp
              Source: tasksche.exe.10.drBinary string: /\Device\HarddiskVolume2\Windows\inf\netrass.PNFRCBAp
              Source: tasksche.exe.10.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\tssecsrv.sys
              Source: tasksche.exe.10.drBinary string: A\Device\HarddiskVolume2\Windows\System32\Speech\SpeechUX\sapi.cpl
              Source: tasksche.exe.10.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\modem.sysTEMPb
              Source: tasksche.exe.10.drBinary string: X\Device\HarddiskVolume2\Users\
              Source: tasksche.exe.10.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\vms3cap.sysST
              Source: tasksche.exe.10.drBinary string: @\Device\HarddiskVolume2\Users\
              Source: tasksche.exe.10.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\sbp2port.sys
              Source: tasksche.exe.10.drBinary string: l\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\log\fmw1\commonpriv.log.lockUF$
              Source: tasksche.exe.10.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\cmdide.sysLNKH
              Source: tasksche.exe.10.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\FntCache.dll
              Source: tasksche.exe.10.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\nvraid.sys
              Source: tasksche.exe.10.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\msdtckrm.dll
              Source: tasksche.exe.10.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\elxstor.sysPT
              Source: tasksche.exe.10.drBinary string: A\Device\HarddiskVolume2\Windows\Prefetch\WERFAULT.EXE-E69F695A.pfp
              Source: tasksche.exe.10.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\iaStorV.sys
              Source: tasksche.exe.10.drBinary string: J\Device\HarddiskVolume2\Users\
              Source: tasksche.exe.10.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\serenum.sysCT
              Source: tasksche.exe.10.drBinary string: O\Device\HarddiskVolume2\ProgramData\Microsoft\RAC\StateData\RacWmiEventData.dat
              Source: tasksche.exe.10.drBinary string: \Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\av16\temp\avg-49fb6b11-545c-406d-a9bb-da1ce541e50e.tmp
              Source: tasksche.exe.10.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\bxvbdx.sys
              Source: tasksche.exe.10.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\appmgmts.dll
              Source: tasksche.exe.10.drBinary string: 3\Device\HarddiskVolume2\Windows\System32\regsvc.dll
              Source: tasksche.exe.10.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\HdAudio.sys
              Source: tasksche.exe.10.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\RTSndMgr.cpl
              Source: tasksche.exe.10.drBinary string: 3\Device\HarddiskVolume2\Windows\System32\mprdim.dll
              Source: tasksche.exe.10.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\aliide.sysH
              Source: tasksche.exe.10.drBinary string: \Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\log\av16\avg-7167c74e-f403-416d-93ad-1632477e850e.tmp`
              Source: tasksche.exe.10.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\auditcse.dll
              Source: tasksche.exe.10.drBinary string: 3\Device\HarddiskVolume2\Windows\System32\tbssvc.dllSTE
              Source: tasksche.exe.10.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\wacompen.sys
              Source: tasksche.exe.10.drBinary string: I\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\lltdio.inf_locp
              Source: tasksche.exe.10.drBinary string: 7\Device\HarddiskVolume2\Windows\System32\drivers\wd.sys
              Source: tasksche.exe.10.drBinary string: 2\Device\HarddiskVolume2\Windows\Fonts\segoeuii.ttfp
              Source: tasksche.exe.10.drBinary string: M\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\Task Manager
              Source: tasksche.exe.10.drBinary string: :\Device\HarddiskVolume2\Windows\System32\DriverStore\en-USC
              Source: tasksche.exe.10.drBinary string: 3\Device\HarddiskVolume2\Windows\System32\wecsvc.dll
              Source: tasksche.exe.10.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\modem.sysCu|
              Source: tasksche.exe.10.drBinary string: 3\Device\HarddiskVolume2\Windows\System32\TabSvc.dll
              Source: tasksche.exe.10.drBinary string: 0\Device\HarddiskVolume2\Windows\inf\netpacer.PNF
              Source: tasksche.exe.10.drBinary string: Q\Device\HarddiskVolume2\Users\
              Source: tasksche.exe.10.drBinary string: 6\Device\HarddiskVolume2\Windows\System32\p2pcollab.dllp
              Source: tasksche.exe.10.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\lsi_scsi.sysp
              Source: tasksche.exe.10.drBinary string: 0\Device\HarddiskVolume2\Windows\System32\tdh.dllp
              Source: tasksche.exe.10.drBinary string: <\Device\HarddiskVolume2\ProgramData\Avg\log\AV16\history.xml
              Source: tasksche.exe.10.drBinary string: A\Device\HarddiskVolume2\ProgramData\Avg\AV\Chjw\avgpsi.db-journal
              Source: tasksche.exe.10.drBinary string: 3\Device\HarddiskVolume2\Windows\System32\DFDWiz.exe
              Source: tasksche.exe.10.drBinary string: N\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\LocalLow CHPD p
              Source: tasksche.exe.10.drBinary string: /\Device\HarddiskVolume2\Windows\inf\netserv.PNFTMP8p
              Source: tasksche.exe.10.drBinary string: 1\Device\HarddiskVolume2\Windows\ehome\ehsched.exe
              Source: tasksche.exe.10.drBinary string: /\Device\HarddiskVolume2\Windows\inf\volsnap.PNFR07
              Source: tasksche.exe.10.drBinary string: 9\Device\HarddiskVolume2\Windows\System32\sqlceoledb30.dll
              Source: tasksche.exe.10.drBinary string: I\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\MobilePC
              Source: tasksche.exe.10.drBinary string: @\Device\HarddiskVolume2\Program Files\Windows Defender\MpSvc.dll
              Source: tasksche.exe.10.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\rasacd.sys
              Source: tasksche.exe.10.drBinary string: A\Device\HarddiskVolume2\Windows\Prefetch\TASKHOST.EXE-7238F31D.pf
              Source: tasksche.exe.10.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\qwavedrv.sys
              Source: tasksche.exe.10.drBinary string: E\Device\HarddiskVolume2\Windows\System32\drivers\rdpvideominiport.sys
              Source: tasksche.exe.10.drBinary string: A\Device\HarddiskVolume2\ProgramData\Avg\AV\Chjw\avgpsi.db-journalp
              Source: mssecsvr.exe.3.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\VMBusHID.sys
              Source: tasksche.exe.10.drBinary string: /\Device\HarddiskVolume2\Windows\inf\hidserv.PNF
              Source: tasksche.exe.10.drBinary string: 8\Device\HarddiskVolume2\Windows\System32\drivers\arc.sys
              Source: tasksche.exe.10.drBinary string: S\Device\HarddiskVolume2\$Recycle.Bin\S-1-5-21-1870734524-1274666089-2119431859-1000
              Source: tasksche.exe.10.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\usbuhci.sys
              Source: tasksche.exe.10.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\asyncmac.sys
              Source: mssecsvr.exe.3.drBinary string: N\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\netvwififlt.inf_locCPU1AP
              Source: mssecsvr.exe.3.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\wmiacpi.sys
              Source: tasksche.exe.10.drBinary string: c\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\log\av16\avgemc.log
              Source: tasksche.exe.10.drBinary string: 4\Device\HarddiskVolume2\Windows\System32\SessEnv.dllB_p
              Source: tasksche.exe.10.drBinary string: N\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\SystemRestore
              Source: tasksche.exe.10.drBinary string: >\Device\HarddiskVolume2\Windows\System32\drivers\mshidkmdf.sysA
              Source: tasksche.exe.10.drBinary string: 4\Device\HarddiskVolume2\Users\
              Source: tasksche.exe.10.drBinary string: #\Device\HarddiskVolume2\Windows\infS
              Source: tasksche.exe.10.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\mrxdav.sysD
              Source: tasksche.exe.10.drBinary string: q\Device\HarddiskVolume2\Users\
              Source: tasksche.exe.10.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\BrSerWdm.sys
              Source: tasksche.exe.10.drBinary string: 4\Device\HarddiskVolume2\Windows\System32\pnrpsvc.dllO
              Source: tasksche.exe.10.drBinary string: z\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates
              Source: tasksche.exe.10.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\AxInstSv.dll
              Source: mssecsvr.exe.3.drBinary string: >\Device\HarddiskVolume2\Windows\servicing\TrustedInstaller.exeAP7PDC
              Source: tasksche.exe.10.drBinary string: k\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
              Source: mssecsvr.exe.3.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\wbengine.exe
              Source: mssecsvr.exe.3.drBinary string: 2\Device\HarddiskVolume2\Windows\System32\VSSVC.exeSU
              Source: tasksche.exe.10.drBinary string: h\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\log\av16\avgidpdrv.log.2H
              Source: tasksche.exe.10.drBinary string: 1\Device\HarddiskVolume2\Windows\System32\pots.dllp
              Source: tasksche.exe.10.drBinary string: z\Device\HarddiskVolume2\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
              Source: tasksche.exe.10.drBinary string: \\Device\HarddiskVolume2\Windows\System32\ru-RU\microsoft-windows-kernel-power-events.dll.mui
              Source: tasksche.exe.10.drBinary string: L\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\Maintenance
              Source: tasksche.exe.10.drBinary string: k\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exeta
              Source: tasksche.exe.10.drBinary string: ]\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\Power Efficiency Diagnostics
              Source: tasksche.exe.10.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\AMDAGP.SYS
              Source: tasksche.exe.10.drBinary string: 4\Device\HarddiskVolume2\Windows\System32\dot3svc.dllPN
              Source: tasksche.exe.10.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\rdpdr.sysw
              Source: tasksche.exe.10.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\UAGP35.SYS0H
              Source: tasksche.exe.10.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\pnrpauto.dll
              Source: tasksche.exe.10.drBinary string: U\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\Time Synchronization
              Source: tasksche.exe.10.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\gpscript.dll
              Source: tasksche.exe.10.drBinary string: S\Device\HarddiskVolume2\Users\
              Source: tasksche.exe.10.drBinary string: 1\Device\HarddiskVolume2\Windows\System32\qmgr.dll
              Source: tasksche.exe.10.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\scfilter.sys
              Source: tasksche.exe.10.drBinary string: >\Device\HarddiskVolume2\Windows\System32\drivers\filetrace.sys
              Source: tasksche.exe.10.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\upnphost.dll
              Source: mssecsvr.exe.3.drBinary string: S\Device\HarddiskVolume2\Program Files\Common Files\AV\avast! Antivirus\userdata.cab0_TS
              Source: tasksche.exe.10.drBinary string: .\Device\HarddiskVolume2\Windows\System32\RTCOMX
              Source: tasksche.exe.10.drBinary string: Q\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\MemoryDiagnostic
              Source: tasksche.exe.10.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\FDResPub.dll
              Source: tasksche.exe.10.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\winspool.drvp
              Source: tasksche.exe.10.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\terminpt.sys
              Source: tasksche.exe.10.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\hidbatt.sysL
              Source: tasksche.exe.10.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\IPMIDrv.sysm
              Source: tasksche.exe.10.drBinary string: \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_ru-ru_a13dea73a92ad990
              Source: tasksche.exe.10.drBinary string: 6\Device\HarddiskVolume2\Windows\System32\defragsvc.dll
              Source: tasksche.exe.10.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\lpremove.exep
              Source: tasksche.exe.10.drBinary string: i\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\log\fmw1\avgmsgdisp.log.2
              Source: tasksche.exe.10.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\viaide.systo
              Source: tasksche.exe.10.drBinary string: i\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\log\fmw1\avgmsgdisp.log.3
              Source: tasksche.exe.10.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\hidbth.sys<\
              Source: tasksche.exe.10.drBinary string: 6\Device\HarddiskVolume2\Windows\System32\IPBusEnum.dll
              Source: tasksche.exe.10.drBinary string: >\Device\HarddiskVolume2\Windows\System32\gatherNetworkInfo.vbs1
              Source: tasksche.exe.10.drBinary string: 2\Device\HarddiskVolume2\Windows\System32\swprv.dllHM
              Source: tasksche.exe.10.drBinary string: 2\Device\HarddiskVolume2\Windows\System32\qwave.dllP03HPS
              Source: mssecsvr.exe.3.drBinary string: P\Device\HarddiskVolume2\Program Files\Common Files\AV\AVG AntiVirus Free EditionU4
              Source: tasksche.exe.10.drBinary string: 3\Device\HarddiskVolume2\Windows\System32\FXSMON.dll
Source: tasksche.exe.10.dr | Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\djsvs.sysD
Source: tasksche.exe.10.dr | Binary string: h\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\log\av16\avgidpdrv.log.3
Source: mssecsvr.exe.3.dr | Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\vmbus.sys
Source: tasksche.exe.10.dr | Binary string: S\Device\HarddiskVolume3\$RECYCLE.BIN\S-1-5-21-1870734524-1274666089-2119431859-1000H
Source: tasksche.exe.10.dr | Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\msdsm.sysA\_^
Source: tasksche.exe.10.dr | Binary string: 8\Device\HarddiskVolume2\Windows\System32\sppuinotify.dll
Source: tasksche.exe.10.dr | Binary string: l\Device\HarddiskVolume2\Users\
Source: tasksche.exe.10.dr | Binary string: 1\Device\HarddiskVolume2\Windows\System32\msra.exe
Source: tasksche.exe.10.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\vms3cap.sys
Source: mssecsvr.exe.3.dr | Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\viaide.sys
Source: tasksche.exe.10.dr | Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\HpSAMD.sys
Source: tasksche.exe.10.dr | Binary string: =\Device\HarddiskVolume2\Windows\System32\ru-RU\rascfg.dll.mui
Source: tasksche.exe.10.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\amdsata.syso
Source: tasksche.exe.10.dr | Binary string: e\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\log\av16\avgshred.logp
Source: tasksche.exe.10.dr | Binary string: U\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\User Profile Service
Source: tasksche.exe.10.dr | Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\isapnp.sys
Source: tasksche.exe.10.dr | Binary string: H\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\Autochk
Source: tasksche.exe.10.dr | Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\BrUsbMdm.sys
Source: tasksche.exe.10.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\IPMIDrv.sys
Source: tasksche.exe.10.dr | Binary string: 4\Device\HarddiskVolume2\Windows\System32\Mcx2Svc.dll
Source: tasksche.exe.10.dr | Binary string: V\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\TextServicesFrameworkDR
Source: tasksche.exe.10.dr | Binary string: 0\Device\HarddiskVolume2\Windows\inf\netnwifi.PNF
Source: tasksche.exe.10.dr | Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\mspqm.syst
Source: tasksche.exe.10.dr | Binary string: >\Device\HarddiskVolume2\Windows\System32\ru-RU\racengn.dll.muiH
Source: tasksche.exe.10.dr | Binary string: 5\Device\HarddiskVolume2\Windows\System32\dskquota.dll
Source: tasksche.exe.10.dr | Binary string: G\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\DefragRe
Source: tasksche.exe.10.dr | Binary string: Q\Device\HarddiskVolume2\Windows\System32\TsUsbRedirectionGroupPolicyExtension.dll
Source: tasksche.exe.10.dr | Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\AGP440.sys;
Source: tasksche.exe.10.dr | Binary string: J\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\hidserv.inf_locp}
Source: tasksche.exe.10.dr | Binary string: 3\Device\HarddiskVolume2\Windows\System32\wersvc.dll
Source: tasksche.exe.10.dr | Binary string: 7\Device\HarddiskVolume2\Windows\System32\dot3gpclnt.dll
Source: mssecsvr.exe.3.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\ws2ifsl.sys._
Source: tasksche.exe.10.dr | Binary string: N\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\netvwififlt.inf_loc
Source: tasksche.exe.10.dr | Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\wimmount.sys
Source: tasksche.exe.10.dr | Binary string: ?\Device\HarddiskVolume2\Windows\System32\drivers\Synth3dVsc.sys
Source: tasksche.exe.10.dr | Binary string: r\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs:
Source: tasksche.exe.10.dr | Binary string: /\Device\HarddiskVolume2\Windows\inf\netrast.PNFp
Source: tasksche.exe.10.dr | Binary string: J\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\usbport.inf_locD5
Source: tasksche.exe.10.dr | Binary string: 3\Device\HarddiskVolume2\Windows\System32\Defrag.exe
Source: mssecsvr.exe.3.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\vsmraid.sys
Source: tasksche.exe.10.dr | Binary string: >\Device\HarddiskVolume2\Windows\System32\drivers\fsdepends.sysSB_PADp
Source: mssecsvr.exe.3.dr | Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\tdtcp.sys
Source: tasksche.exe.10.dr | Binary string: A\Device\HarddiskVolume2\Windows\Prefetch\AVGUIRNX.EXE-006CD133.pfp
Source: tasksche.exe.10.dr | Binary string: 3\Device\HarddiskVolume2\Windows\System32\tcpmon.dll
Source: tasksche.exe.10.dr | Binary string: 3\Device\HarddiskVolume2\Windows\inf\netvwififlt.PNFF4
Source: tasksche.exe.10.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\sffdisk.sys0
Source: mssecsvr.exe.3.dr | Binary string: Y\Device\HarddiskVolume2\Windows\System32\Macromed\Flash\FlashUtil32_25_0_0_148_pepper.exe
Source: tasksche.exe.10.dr | Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\mstee.sysP
Source: tasksche.exe.10.dr | Binary string: 5\Device\HarddiskVolume2\Windows\System32\appidsvc.dll
Source: tasksche.exe.10.dr | Binary string: J\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\Bluetoothp
Source: tasksche.exe.10.dr | Binary string: 3\Device\HarddiskVolume2\Windows\System32\p2psvc.dll
Source: tasksche.exe.10.dr | Binary string: J\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\machine.inf_loc3
Source: tasksche.exe.10.dr | Binary string: D\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\PLA_S
Source: tasksche.exe.10.dr | Binary string: 9\Device\HarddiskVolume2\Windows\System32\drivers\cdfs.sys
Source: tasksche.exe.10.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\USBSTOR.SYS
Source: mssecsvr.exe.3.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\usbuhci.sysS
Source: tasksche.exe.10.dr | Binary string: K\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\SyncCenter;PBI
Source: tasksche.exe.10.dr | Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\mstee.sys
Source: tasksche.exe.10.dr | Binary string: I\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\NetTrace
Source: tasksche.exe.10.dr | Binary string: 4\Device\HarddiskVolume2\Windows\System32\runonce.exe
Source: tasksche.exe.10.dr | Binary string: 5\Device\HarddiskVolume2\Windows\System32\seclogon.dll
Source: tasksche.exe.10.dr | Binary string: 1\Device\HarddiskVolume2\ProgramData\Avg\AV\cfgall
Source: tasksche.exe.10.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\storvsc.sys
Source: tasksche.exe.10.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\sfloppy.sysH
Source: tasksche.exe.10.dr | Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\serial.sys
Source: mssecsvr.exe.3.dr | Binary string: 2\Device\HarddiskVolume2\Windows\System32\fveui.dllPR_CPU
Source: tasksche.exe.10.dr | Binary string: J\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\display.inf_loc DDL3 p
Source: tasksche.exe.10.dr | Binary string: e\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\log\av16\avgsched.logh
Source: tasksche.exe.10.dr | Binary string: 0\Device\HarddiskVolume2\Windows\System32\vds.exe
Source: tasksche.exe.10.dr | Binary string: J\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\PerfTrackYS
Source: tasksche.exe.10.dr | Binary string: 2\Device\HarddiskVolume2\Windows\System32\VSSVC.exe
Source: tasksche.exe.10.dr | Binary string: r\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaDataI
Source: tasksche.exe.10.dr | Binary string: h\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\log\av16\avgpal.log.lock
Source: mssecsvr.exe.3.dr | Binary string: T\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\av16
Source: tasksche.exe.10.dr | Binary string: 0\Device\HarddiskVolume2\Windows\System32\alg.exe_
Source: tasksche.exe.10.dr | Binary string: S\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\WindowsColorSystemH
Source: tasksche.exe.10.dr | Binary string: 5\Device\HarddiskVolume2\Windows\System32\RacRules.xml
Source: tasksche.exe.10.dr | Binary string: S\Device\HarddiskVolume2\ProgramData\Microsoft\RAC\StateData\RacWmiDataBookmarks.dat
Source: tasksche.exe.10.dr | Binary string: 8\Device\HarddiskVolume2\Windows\System32\drivers\fdc.sys
Source: tasksche.exe.10.dr | Binary string: :\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RUrdd
Source: tasksche.exe.10.dr | Binary string: =\Device\HarddiskVolume2\Windows\System32\ru-RU\mprmsg.dll.muip
Source: tasksche.exe.10.dr | Binary string: 9\Device\HarddiskVolume2\Program Files\AVG\Av\avgmfapx.exe
Source: tasksche.exe.10.dr | Binary string: V\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\Windows Media Sharing
Source: mssecsvr.exe.3.dr | Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\SISAGP.SYSU0CS
Source: tasksche.exe.10.dr | Binary string: 6\Device\HarddiskVolume2\ProgramData\Avg\AV\DB\stats.db\/
Source: tasksche.exe.10.dr | Binary string: W\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\Application Experience'B
Source: tasksche.exe.10.dr | Binary string: K\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\nettcpip.inf_loc
Source: tasksche.exe.10.dr | Binary string: >\Device\HarddiskVolume2\Windows\servicing\TrustedInstaller.exe
Source: tasksche.exe.10.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\sffp_sd.sysU6
Source: tasksche.exe.10.dr | Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\BrFiltUp.sys
Source: tasksche.exe.10.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\elxstor.sys
Source: tasksche.exe.10.dr | Binary string: j\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\log\av16\avgshred.log.lockNOT
Source: tasksche.exe.10.dr | Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\processr.sys
Source: tasksche.exe.10.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\iaStorV.sysX[
Source: tasksche.exe.10.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\wmiacpi.sys@A
Source: tasksche.exe.10.dr | Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\ql40xx.sys\
Source: tasksche.exe.10.dr | Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\pciide.sys
Source: tasksche.exe.10.dr | Binary string: K\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\netmscli.inf_loc
Source: mssecsvr.exe.3.dr | Binary string: 3\Device\HarddiskVolume2\Windows\System32\sppsvc.exe
Source: tasksche.exe.10.dr | Binary string: /\Device\HarddiskVolume2\Windows\inf\usbport.PNF
Source: tasksche.exe.10.dr | Binary string: 4\Device\HarddiskVolume2\Windows\System32\DriverStoreop
Source: tasksche.exe.10.dr | Binary string: J\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\ndiscap.inf_loc
Source: tasksche.exe.10.dr | Binary string: r\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs
Source: tasksche.exe.10.dr | Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\nvstor.sysD
Source: tasksche.exe.10.dr | Binary string: .\Device\HarddiskVolume2\Windows\inf\lltdio.PNFS
Source: tasksche.exe.10.dr | Binary string: 4\Device\HarddiskVolume2\Windows\System32\lltdsvc.dll
Source: tasksche.exe.10.dr | Binary string: =\Device\HarddiskVolume2\Windows\System32\WcsPlugInService.dll
Source: tasksche.exe.10.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\TsUsbGD.sys$
Source: tasksche.exe.10.dr | Binary string: N\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\WindowsBackup$XH
Source: tasksche.exe.10.dr | Binary string: 3\Device\HarddiskVolume2\Windows\System32\sdrsvc.dll
Source: tasksche.exe.10.dr | Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\arcsas.sys
Source: tasksche.exe.10.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\msiscsi.sysH
Source: tasksche.exe.10.dr | Binary string: c\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\log\av16\avgpal.logPS['`
Source: tasksche.exe.10.dr | Binary string: 5\Device\HarddiskVolume2\Windows\System32\raserver.exe
Source: tasksche.exe.10.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\serenum.sys2
Source: tasksche.exe.10.dr | Binary string: 0\Device\HarddiskVolume2\Windows\System32\pla.dll
Source: tasksche.exe.10.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\crcdisk.sys
Source: tasksche.exe.10.dr | Binary string: X\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\NetworkAccessProtectionPM
Source: tasksche.exe.10.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\sffp_sd.syst+
Source: tasksche.exe.10.dr | Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\cmdide.sys
Source: tasksche.exe.10.dr | Binary string: 7\Device\HarddiskVolume2\Program Files\AVG\Av\fixcfg.exes\p
Source: tasksche.exe.10.dr | Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\parvdm.sys
Source: tasksche.exe.10.dr | Binary string: 6\Device\HarddiskVolume2\Windows\System32\bthudtask.exe
Source: tasksche.exe.10.dr | Binary string: J\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\netrast.inf_loc
Source: tasksche.exe.10.dr | Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\lsi_fc.sysgr
Source: tasksche.exe.10.dr | Binary string: G\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\disk.inf_locD$XHp
Source: tasksche.exe.10.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\mskssrv.sysDC
Source: tasksche.exe.10.dr | Binary string: 4\Device\HarddiskVolume2\Windows\System32\Locator.exe
Source: tasksche.exe.10.dr | Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\lsi_fc.sysX
Source: tasksche.exe.10.dr | Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\ql2300.sys
Source: tasksche.exe.10.dr | Binary string: +\Device\HarddiskVolume2\Windows\System32\enp
Source: tasksche.exe.10.dr | Binary string: g\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\log\fmw1\commonpriv.log
Source: tasksche.exe.10.dr | Binary string: j\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
Source: mssecsvr.exe.3.dr | Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\tdpipe.sys1APP
Source: tasksche.exe.10.dr | Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\mspclock.sys
Source: tasksche.exe.10.dr | Binary string: K\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\netpacer.inf_locNKA
Source: tasksche.exe.10.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\ndiscap.sys,
Source: mssecsvr.exe.3.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\USBSTOR.SYSW
Source: tasksche.exe.10.dr | Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\sffp_mmc.sys
Source: tasksche.exe.10.dr | Binary string: 3\Device\HarddiskVolume2\Windows\System32\wermgr.exeP80D
Source: mssecsvr.exe, 00000006.00000000.1534540990.0000000000710000.00000002.00000001.01000000.00000004.sdmp, mssecsvr.exe, 00000008.00000000.1560193255.0000000000710000.00000002.00000001.01000000.00000004.sdmp, mssecsvr.exe, 00000008.00000002.2225953882.0000000001D59000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2226237017.0000000002282000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.1584859851.0000000000710000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, ruXU7wj3X9.dll, mssecsvr.exe.3.dr, tasksche.exe.10.dr | Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll
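The binary string above carries two indicators worth operationalising: the run of dot-separated extensions the sample targets, and the "WANACRY!" marker that follows it. The Python below is an added triage helper, not code from the report or from the sample: it parses the extension list exactly as it appears above, recognises files that begin with the WANACRY! marker, and sorts a set of files into already-encrypted, at-risk and other. The header layout it decodes after the marker (DWORD key length, 256-byte RSA-wrapped AES key, DWORD type, QWORD original size) is taken from public WannaCry analyses, not from this report, and is labelled as an assumption in the code. The file contents it runs over are constructed inline.

```python
"""Triage files against the WannaCry indicators listed in this report.

Added example, not code from the report or from the sample.  Two facts come
from the report: the targeted-extension list and the "WANACRY!" marker.  The
header layout after the marker is ASSUMED (taken from public analyses).
"""
import struct

# Copied verbatim from the binary string in the report: one run of dot-prefixed extensions.
TARGETED_EXTENSIONS_RAW = (
    ".der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2"
    ".odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb"
    ".frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd"
    ".jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv"
    ".3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso"
    ".backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602"
    ".hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam"
    ".ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot"
    ".docm.docb.docx.doc"
)
# The string is a single run of ".ext" tokens; splitting on "." yields them (first token is empty).
TARGETED_EXTENSIONS = frozenset("." + e.lower() for e in TARGETED_EXTENSIONS_RAW.split(".") if e)

WANACRY_MAGIC = b"WANACRY!"
# ASSUMED layout (not from this report): magic, DWORD key length, 256-byte wrapped key,
# DWORD file type, QWORD original size, then the ciphertext.
HEADER_FMT = "<8sI256sIQ"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 280 bytes


def is_targeted(path: str) -> bool:
    """True if the file's extension is on the sample's target list (case-insensitive)."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    if "." not in name:
        return False
    return "." + name.rsplit(".", 1)[-1].lower() in TARGETED_EXTENSIONS


def parse_wncry_header(data: bytes):
    """Return the header fields if data starts with the WANACRY! marker, else None."""
    if len(data) < HEADER_LEN or not data.startswith(WANACRY_MAGIC):
        return None
    _, key_len, wrapped_key, file_type, original_size = struct.unpack_from(HEADER_FMT, data)
    return {
        "key_len": key_len,
        "wrapped_key": wrapped_key[:key_len],
        "file_type": file_type,
        "original_size": original_size,
        "ciphertext_len": len(data) - HEADER_LEN,
        # A key length other than 256 means the assumed layout does not fit this file.
        "layout_consistent": key_len == 256,
    }


def build_sample_encrypted_file(original_size: int = 1234, file_type: int = 4) -> bytes:
    """Constructed test artefact in the assumed layout; key and body are dummy bytes."""
    wrapped_key = bytes(range(256))
    body = bytes(16)
    return struct.pack(HEADER_FMT, WANACRY_MAGIC, 256, wrapped_key, file_type, original_size) + body


# Constructed inputs: path -> leading bytes, as a triage tool would read them.
SAMPLE_FILES = {
    r"C:\Users\user\Documents\budget.xlsx": build_sample_encrypted_file(original_size=1234),
    r"C:\Users\user\Documents\notes.docx": b"PK\x03\x04" + bytes(300),
    r"C:\Users\user\Pictures\holiday.JPG": b"\xff\xd8\xff\xe0" + bytes(300),
    r"C:\Windows\System32\vds.exe": b"MZ" + bytes(300),
}


def triage(files: dict) -> dict:
    """Sort files into encrypted (marker present), at_risk (targeted extension) and other."""
    result = {"encrypted": [], "at_risk": [], "other": []}
    for path, head in files.items():
        header = parse_wncry_header(head)
        if header is not None:
            result["encrypted"].append((path, header["original_size"]))
        elif is_targeted(path):
            result["at_risk"].append(path)
        else:
            result["other"].append(path)
    return result


if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_FILES).items():
        print(bucket, entries)
```

The marker check runs before the extension check on purpose: an encrypted file may keep a targeted-looking name, so content, not the name, decides the "encrypted" bucket.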
Source: classification engine | Classification label: mal100.rans.expl.evad.winDLL@25/11@2/100
Source: C:\Windows\tasksche.exe | Code function: 11_2_00406553 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,11_2_00406553
Source: C:\Windows\mssecsvr.exe | Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,6_2_00407C40
Source: C:\Windows\mssecsvr.exe | Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,8_2_00407C40
Source: C:\Windows\tasksche.exe | Code function: 11_2_00419BB0 CoCreateInstance,11_2_00419BB0
Source: C:\Windows\mssecsvr.exe | Code function: 6_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,6_2_00407CE0
Source: C:\Windows\mssecsvr.exe | Code function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,6_2_00407C40
Source: C:\Windows\mssecsvr.exe | Code function: 6_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,6_2_00408090
Source: C:\Windows\mssecsvr.exe | Code function: 8_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,8_2_00408090
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:2888:64:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3660:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3456
Source: C:\Windows\System32\svchost.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\079e2700-0cda-4fda-a92a-4c4572cca49d
Source: C:\Windows\tasksche.exe | Command line argument: @CB11_2_00424290
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ruXU7wj3X9.dll,PlayGame
Source: ruXU7wj3X9.dll | Virustotal: Detection: 88%
Source: ruXU7wj3X9.dll | ReversingLabs: Detection: 89%
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\ruXU7wj3X9.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ruXU7wj3X9.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ruXU7wj3X9.dll,PlayGame
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ruXU7wj3X9.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
Source: unknown | Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe -m security
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ruXU7wj3X9.dll",PlayGame
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
Source: C:\Windows\mssecsvr.exe | Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3456 -ip 3456
Source: C:\Windows\tasksche.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 604
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ruXU7wj3X9.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ruXU7wj3X9.dll,PlayGame
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ruXU7wj3X9.dll",PlayGame
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ruXU7wj3X9.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
Source: C:\Windows\mssecsvr.exe | Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3456 -ip 3456
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 604
Source: C:\Windows\SysWOW64\WerFault.exe | Process created: unknown unknown
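The process-creation records above describe the execution chain: loaddll32.exe hands the DLL to rundll32.exe (export PlayGame, or ordinal #1 via cmd.exe), rundll32.exe starts C:\WINDOWS\mssecsvr.exe, a second mssecsvr.exe instance appears with "-m security" and no recorded parent, and mssecsvr.exe launches C:\WINDOWS\tasksche.exe /i. The Python below is an added example, not part of the report or of the sample, that reconstructs that chain from the records and applies the detection rules an analyst would derive from them: an .exe launched directly from the Windows directory rather than System32 or SysWOW64, rundll32.exe spawning such an executable, and rundll32.exe invoking an export of a DLL under a user profile. The event tuples are copied from the lines above; the rule names and thresholds are the example's own.

```python
"""Reconstruct and flag the process chain recorded in this report.

Added example, not part of the report or the sample.  OBSERVED is copied from
the "Process created" records above; the rules are ones a detection engineer
would derive from them, not signatures the sandbox itself applied.
"""
import re
from collections import defaultdict

# (parent image, child image, child command line) as recorded in the report.
OBSERVED = [
    (r"C:\Windows\System32\loaddll32.exe", r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ruXU7wj3X9.dll",#1'),
    (r"C:\Windows\System32\loaddll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe C:\Users\user\Desktop\ruXU7wj3X9.dll,PlayGame"),
    (r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\rundll32.exe",
     r'rundll32.exe "C:\Users\user\Desktop\ruXU7wj3X9.dll",#1'),
    (r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\mssecsvr.exe", r"C:\WINDOWS\mssecsvr.exe"),
    ("unknown", r"C:\Windows\mssecsvr.exe", r"C:\WINDOWS\mssecsvr.exe -m security"),
    (r"C:\Windows\mssecsvr.exe", r"C:\Windows\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
    (r"C:\Windows\System32\svchost.exe", r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3456 -ip 3456"),
]

# An .exe sitting directly in <drive>:\Windows\, i.e. not inside System32, SysWOW64 or any subfolder.
WINDOWS_ROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.IGNORECASE)
# rundll32.exe <dll path>,<export or #ordinal>; the path may be quoted.
RUNDLL32_ARGS = re.compile(r'rundll32\.exe\s+"?([^",]+)"?,(\S+)', re.IGNORECASE)


def norm(path: str) -> str:
    return path.lower()


def image_name(path: str) -> str:
    return norm(path).rsplit("\\", 1)[-1]


def flag(parent: str, child: str, cmdline: str) -> list:
    """Return the reasons, if any, that one process-creation event deserves attention."""
    reasons = []
    if WINDOWS_ROOT_EXE.match(child):
        reasons.append("executable launched from the Windows directory itself")
        if image_name(parent) == "rundll32.exe":
            reasons.append("launched by rundll32.exe (DLL stage dropping and starting an .exe stage)")
    if image_name(child) == "rundll32.exe":
        m = RUNDLL32_ARGS.search(cmdline)
        if m and "\\users\\" in norm(m.group(1)):
            reasons.append(f"rundll32.exe invoking export {m.group(2)} of a DLL under a user profile")
    return reasons


def flag_all(observed=OBSERVED) -> list:
    """All flagged events as (parent, child, reasons) tuples, in observation order."""
    out = []
    for parent, child, cmdline in observed:
        reasons = flag(parent, child, cmdline)
        if reasons:
            out.append((parent, child, reasons))
    return out


def ancestry(image: str, observed=OBSERVED) -> list:
    """All root-to-image chains (lower-cased image paths) reconstructable from the events."""
    parents = defaultdict(set)
    for parent, child, _ in observed:
        parents[norm(child)].add(norm(parent))
    chains = []

    def walk(node, path):
        if node in path:  # guard against cycles in malformed logs
            return
        path = [node] + path
        if not parents.get(node):
            chains.append(path)
            return
        for parent in sorted(parents[node]):
            walk(parent, path)

    walk(norm(image), [])
    return sorted(chains)


if __name__ == "__main__":
    for chain in ancestry(r"C:\Windows\tasksche.exe"):
        print(" > ".join(chain))
    for parent, child, reasons in flag_all():
        print(f"{parent} -> {child}: {'; '.join(reasons)}")
```

The "unknown" parent of the "-m security" instance surfaces as its own chain root; together with the OpenSCManagerA/CreateServiceA/StartServiceA sequence listed under the code functions above, that is the hint that the second instance was started by the service control manager rather than by the first instance directly, which is why the ancestry walk keeps it as a separate chain instead of merging it.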
Source: C:\Windows\System32\loaddll32.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: apphelp.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: msvcp60.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: wininet.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: iertutil.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: sspicli.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: windows.storage.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: wldp.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: profapi.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: winhttp.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: mswsock.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: winnsi.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: urlmon.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: srvcli.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: netutils.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: dnsapi.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: msvcp60.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: wininet.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: iertutil.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: sspicli.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: windows.storage.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: wldp.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: profapi.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: winhttp.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: mswsock.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: winnsi.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: urlmon.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: srvcli.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: netutils.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: dnsapi.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: cryptsp.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: rsaenh.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: cryptbase.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: msvcp60.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: wininet.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: iertutil.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: sspicli.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: windows.storage.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: wldp.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: profapi.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: winhttp.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: mswsock.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: winnsi.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: urlmon.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: srvcli.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: netutils.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: dnsapi.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\mssecsvr.exe | Section loaded: apphelp.dll
Source: C:\Windows\tasksche.exe | Section loaded: apphelp.dll
Source: C:\Windows\tasksche.exe | Section loaded: aclayers.dll
Source: C:\Windows\tasksche.exe | Section loaded: mpr.dll
Source: C:\Windows\tasksche.exe | Section loaded: sfc.dll
Source: C:\Windows\tasksche.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wersvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: windowsperformancerecordercontrol.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: weretw.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: faultrep.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dbghelp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dbgcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wlidsvc.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: clipc.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: msxml6.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wtsapi32.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: winsta.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: gamestreamingext.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: msauserext.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: tbs.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: cryptnet.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: elscore.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: elstrans.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: cryptngc.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: devobj.dllJump to behavior
Source: C:\Windows\mssecsvr.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: Window Recorder  Window detected: More than 3 window changes detected
Source: ruXU7wj3X9.dll  Static file information: File size 5267459 > 1048576
Source: Binary string: d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb  source: mssecsvr.exe, 00000006.00000000.1534540990.0000000000710000.00000002.00000001.01000000.00000004.sdmp, mssecsvr.exe, 00000008.00000000.1560193255.0000000000710000.00000002.00000001.01000000.00000004.sdmp, mssecsvr.exe, 00000008.00000002.2225953882.0000000001D59000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2226237017.0000000002282000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.1584859851.0000000000710000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000B.00000000.1584131463.000000000042A000.00000002.00000001.01000000.00000007.sdmp, tasksche.exe, 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp, ruXU7wj3X9.dll, mssecsvr.exe.3.dr, tasksche.exe.10.dr
Source: C:\Windows\tasksche.exe  Code function: 11_2_00425715 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 11_2_00425715
Source: C:\Windows\tasksche.exe  Code function: 11_2_0041FAE1 push ecx; ret 11_2_0041FAF4
Source: C:\Windows\tasksche.exe  Code function: 11_2_0041A4DC push eax; ret 11_2_0041A4FA

              Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\rundll32.exe  Executable created and started: C:\WINDOWS\mssecsvr.exe
Source: C:\Windows\mssecsvr.exe  Executable created and started: C:\WINDOWS\tasksche.exe
Source: C:\Windows\mssecsvr.exe  File created: C:\Windows\tasksche.exe
Source: C:\Windows\SysWOW64\rundll32.exe  File created: C:\Windows\mssecsvr.exe
Source: C:\Windows\mssecsvr.exe  Code function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle, 6_2_00407C40
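The two signatures above describe the sample's persistence chain: rundll32.exe drops C:\WINDOWS\mssecsvr.exe, which registers itself through OpenSCManagerA/CreateServiceA/StartServiceA and then drops and starts C:\WINDOWS\tasksche.exe. The following hunt script is an added example, not code from the Joe Sandbox report or from the sample; it assumes a Windows host with PowerShell 5.1 or later and an elevated session (hashing files under the Windows directory needs it). It flags any service whose binary sits directly in %SystemRoot% rather than in a subdirectory, which is the pattern the report shows, and separately checks for the two dropped file names. The service name is not given in the report, so the script does not rely on one.

```powershell
# Added example (not part of the Joe Sandbox report): hunt for a service whose binary
# lives directly in %SystemRoot%, as the report shows for C:\WINDOWS\mssecsvr.exe,
# and for the two dropped executables named in the report.
$windir  = $env:SystemRoot.TrimEnd('\')                       # normally C:\Windows
$dropped = @("$windir\mssecsvr.exe", "$windir\tasksche.exe")  # file names from the report

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Win32_Service.PathName may be quoted and may carry arguments; keep the executable only.
    if ($PathName -match '^\s*"([^"]+)"')   { return $Matches[1] }
    if ($PathName -match '^\s*(\S+?\.exe)') { return $Matches[1] }
    return $PathName.Trim()
}

function Find-WindowsRootServices {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $bin = Get-ServiceBinaryPath $svc.PathName
        if (-not $bin) { continue }
        $parent = (Split-Path -Path $bin -Parent).TrimEnd('\')
        # Legitimate service binaries live in System32, SysWOW64, Program Files and similar;
        # a binary directly under %SystemRoot% matches the CreateServiceA/StartServiceA chain above.
        if ($parent -ieq $windir) {
            $hash = if (Test-Path -LiteralPath $bin) {
                (Get-FileHash -LiteralPath $bin -Algorithm SHA256).Hash
            } else { '<binary missing>' }
            [pscustomobject]@{
                Name      = $svc.Name
                State     = $svc.State
                StartMode = $svc.StartMode
                Binary    = $bin
                SHA256    = $hash
            }
        }
    }
}

Find-WindowsRootServices | Format-Table -AutoSize

foreach ($path in $dropped) {
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        Write-Warning "Dropped file present: $path (SHA256 $hash)"
    }
}
```

The file-name check is the weaker of the two: the names are what this analysis observed and other builds of the family can use different ones, so the service-location check is the part worth keeping in a scheduled hunt. Compare any SHA256 the script prints against the hashes listed in the report's dropped-files section before acting on a hit.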
Source: C:\Windows\SysWOW64\rundll32.exe  Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\mssecsvr.exe  Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe  Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe  Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe  Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\tasksche.exe  Code function: 11_2_0040CC10 sldt word ptr [eax] 11_2_0040CC10
Source: C:\Windows\mssecsvr.exe  Thread delayed: delay time: 86400000
Source: C:\Windows\tasksche.exe  Evasive API call chain: GetModuleFileName, DecisionNodes, Sleep (graph_11-15265)
Source: C:\Windows\tasksche.exe  API coverage: 3.5 %
Source: C:\Windows\mssecsvr.exe TID: 6496  Thread sleep count: 92 > 30
Source: C:\Windows\mssecsvr.exe TID: 6496  Thread sleep time: -184000s >= -30000s
Source: C:\Windows\mssecsvr.exe TID: 2452  Thread sleep count: 131 > 30
Source: C:\Windows\mssecsvr.exe TID: 2452  Thread sleep count: 38 > 30
Source: C:\Windows\mssecsvr.exe TID: 6496  Thread sleep time: -86400000s >= -30000s
Source: C:\Windows\System32\conhost.exe  Last function: Thread delayed
Source: C:\Windows\tasksche.exe  Code function: 11_2_00409476 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 11_2_00409476
Source: C:\Windows\System32\loaddll32.exe  Thread delayed: delay time: 120000
Source: Amcache.hve.14.dr  Binary or memory string: VMware
Source: mssecsvr.exe, 00000008.00000002.2225441842.0000000000A9D000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000003.1584037651.0000000000A9D000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAWCQ\
Source: Amcache.hve.14.dr  Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.14.dr  Binary or memory string: vmci.syshbin
Source: Amcache.hve.14.dr  Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.14.dr  Binary or memory string: VMware, Inc.
Source: Amcache.hve.14.dr  Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.14.dr  Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.14.dr  Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.14.dr  Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: mssecsvr.exe, 00000006.00000002.1584053188.0000000000A66000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000002.1584053188.0000000000AA7000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2225441842.0000000000A9D000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000003.1584037651.0000000000A9D000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.1585287821.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2797122115.000001F22B6C8000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW
Source: Amcache.hve.14.dr  Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.14.dr  Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: mssecsvr.exe, 0000000A.00000002.1585287821.0000000000A37000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000F.00000002.2796933895.000001F22B62B000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW`
Source: Amcache.hve.14.dr  Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.14.dr  Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: mssecsvr.exe, 00000008.00000002.2225441842.0000000000A58000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAWXx
Source: Amcache.hve.14.dr  Binary or memory string: vmci.sys
Source: Amcache.hve.14.dr  Binary or memory string: vmci.syshbin`
Source: Amcache.hve.14.dr  Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.14.dr  Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: svchost.exe, 0000000F.00000002.2797577121.000001F22C457000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: NXTVMWare
Source: Amcache.hve.14.dr  Binary or memory string: VMware20,1
Source: Amcache.hve.14.dr  Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.14.dr  Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.14.dr  Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.14.dr  Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.14.dr  Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.14.dr  Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.14.dr  Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.14.dr  Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.14.dr  Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.14.dr  Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.14.dr  Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\System32\svchost.exe  Process information queried: ProcessInformation
Source: C:\Windows\tasksche.exe  Process queried: DebugPort
Source: C:\Windows\tasksche.exe  Code function: 11_2_0041E6DE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_0041E6DE
Source: C:\Windows\tasksche.exe  Code function: 11_2_00425715 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 11_2_00425715
Source: C:\Windows\tasksche.exe  Code function: 11_2_004234CE SetUnhandledExceptionFilter, 11_2_004234CE
Source: C:\Windows\tasksche.exe  Code function: 11_2_0041FFDB _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_0041FFDB
Source: C:\Windows\tasksche.exe  Code function: 11_2_00423F89 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind, 11_2_00423F89
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ruXU7wj3X9.dll",#1
Source: C:\Windows\System32\svchost.exe  Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3456 -ip 3456
Source: C:\Windows\System32\svchost.exe  Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 604
Source: C:\Windows\tasksche.exe  Code function: 11_2_00410E50 cpuid 11_2_00410E50
Source: C:\Windows\tasksche.exe  Code function: GetLocaleInfoA, 11_2_00425EF0
Source: C:\Windows\tasksche.exe  Code function: 11_2_00411393 GetSystemTime,SystemTimeToFileTime, 11_2_00411393
Source: Amcache.hve.14.dr  Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.14.dr  Binary or memory string: msmpeng.exe
Source: Amcache.hve.14.dr  Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.14.dr  Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: mssecsvr.exe, 00000006.00000000.1534540990.0000000000710000.00000002.00000001.01000000.00000004.sdmp, mssecsvr.exe, 00000008.00000000.1560193255.0000000000710000.00000002.00000001.01000000.00000004.sdmp, mssecsvr.exe, 00000008.00000002.2225953882.0000000001D59000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2226237017.0000000002282000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.1584859851.0000000000710000.00000002.00000001.01000000.00000004.sdmp, mssecsvr.exe.3.dr, tasksche.exe.10.dr  Binary or memory string: 2\Device\HarddiskVolume2\Windows\ehome\mcupdate.exe
Source: Amcache.hve.14.dr  Binary or memory string: MsMpEng.exe
MITRE ATT&CK Matrix

Techniques with at least one matching signature, grouped by tactic; the number of signatures mapped to each technique is given in parentheses.

Execution: Command and Scripting Interpreter (2), Service Execution (2), Native API (2)
Persistence: Windows Service (4), DLL Side-Loading (1)
Privilege Escalation: Access Token Manipulation (1), Windows Service (4), Process Injection (11), DLL Side-Loading (1)
Defense Evasion: Masquerading (12), Virtualization/Sandbox Evasion (41), Access Token Manipulation (1), Process Injection (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), Rundll32 (1), DLL Side-Loading (1)
Discovery: Network Share Discovery (1), System Time Discovery (1), Security Software Discovery (31), Process Discovery (1), Virtualization/Sandbox Evasion (41), File and Directory Discovery (1), System Information Discovery (22)
Collection: Archive Collected Data (1)
Command and Control: Encrypted Channel (12), Ingress Tool Transfer (1), Non-Application Layer Protocol (2), Application Layer Protocol (3)

Tactics with no matched technique in this report: Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration, Impact.
Behavior Graph (ID: 1591362, Sample: ruXU7wj3X9.dll, Startdate: 14/01/2025, Architecture: WINDOWS, Score: 100)

Start
  DNS/IP: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com; ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com; 77026.bodis.com
  Signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 4 other signatures
  started: loaddll32.exe
    started: rundll32.exe
      Signature: Drops executables to the windows directory (C:\Windows) and starts them
      started: mssecsvr.exe
        dropped: C:\Windows\tasksche.exe, PE32
        Signature: Drops executables to the windows directory (C:\Windows) and starts them
        started: tasksche.exe
          started: WerFault.exe
    started: cmd.exe
      started: rundll32.exe
        started: mssecsvr.exe
          Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
    started: rundll32.exe
      dropped: C:\Windows\mssecsvr.exe, PE32
    started: conhost.exe
  started: mssecsvr.exe
    DNS/IP: 192.168.2.102 (unknown unknown); 192.168.2.103 (unknown unknown); 98 other IPs or domains
    Signatures: Connects to many different private IPs via SMB (likely to spread or exploit); Connects to many different private IPs (likely to spread or exploit)
  started: svchost.exe
    started: WerFault.exe
  started: svchost.exe

Source | Detection | Scanner | Label | Link
ruXU7wj3X9.dll | 89% | Virustotal | | Browse
ruXU7wj3X9.dll | 89% | ReversingLabs | Win32.Ransomware.WannaCry |
ruXU7wj3X9.dll | 100% | Avira | TR/AD.DPulsarShellcode.uvbfu |
ruXU7wj3X9.dll | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Windows\mssecsvr.exe | 100% | Avira | TR/Ransom.Gen |
C:\Windows\tasksche.exe | 100% | Avira | TR/Patched.Gen |
C:\Windows\mssecsvr.exe | 100% | Joe Sandbox ML | |
              No Antivirus matches
              No Antivirus matches
Source | Detection | Scanner | Label | Link
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/. | 100% | Avira URL Cloud | malware |
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0842-3096-a478-d7c464a3f0ca | 100% | Avira URL Cloud | malware |
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/p | 100% | Avira URL Cloud | malware |
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0842-32cc-b361-86c8884a5e | 100% | Avira URL Cloud | malware |
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comgs | 0% | Avira URL Cloud | safe |
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0842-3207-bd07-6551d63508 | 100% | Avira URL Cloud | malware |
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0842-32cc-b361-86c8884a5eaf | 100% | Avira URL Cloud | malware |
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0842-3096-a478-d7c464a3f0 | 100% | Avira URL Cloud | malware |
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0842-3207-bd07-6551d635081d | 100% | Avira URL Cloud | malware |
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/8 | 100% | Avira URL Cloud | malware |
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ | 0% | Avira URL Cloud | safe |
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/ | 100% | Avira URL Cloud | malware |
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comO | 0% | Avira URL Cloud | safe |
https://login.ecur | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
77026.bodis.com | 199.59.243.228 | true | false | | high
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | 103.224.212.215 | true | false | | high
ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | unknown | unknown | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0842-32cc-b361-86c8884a5eaf | false | Avira URL Cloud: malware | unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/ | false | | high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0842-3096-a478-d7c464a3f0ca | false | Avira URL Cloud: malware | unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0842-3207-bd07-6551d635081d | false | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/8 | mssecsvr.exe, 00000008.00000002.2225441842.0000000000A58000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf | svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.microsoftonline.com/ppsecure/DeviceQuery.srf | svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdpe | svchost.exe, 0000000F.00000002.2797480723.000001F22BF6D000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/. | mssecsvr.exe, 00000006.00000002.1584053188.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust | svchost.exe, 0000000F.00000002.2797480723.000001F22BF5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2797445609.000001F22BF37000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comgs | mssecsvr.exe, 00000008.00000002.2225441842.0000000000A58000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://login.microsoftonline.com/ppsecure/ResolveUser.srf | svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.microsoftonline.com/MSARST2.srf | svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://Passport.NET/STS | svchost.exe, 0000000F.00000002.2797480723.000001F22BF6D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2797445609.000001F22BF37000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.microsoftonline.com/ppsecure/DeviceQuery.srf- | svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf% | svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | svchost.exe, 0000000F.00000002.2797480723.000001F22BF6D000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trustbc | svchost.exe, 0000000F.00000002.2797480723.000001F22BF5F000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/b | mssecsvr.exe, 0000000A.00000002.1585287821.0000000000A37000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.microsoftonline.com/ppsecure/devicechangecredential.srf | svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf. | svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/scken | svchost.exe, 0000000F.00000002.2797445609.000001F22BF37000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf | svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://Passport.NET/tb | svchost.exe, 0000000F.00000002.2797577121.000001F22C43D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1633985081.000001F22BF52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1621897874.000001F22BF53000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2797552361.000001F22C415000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2797480723.000001F22BF6D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1600032519.000001F22BF29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1633985081.000001F22BF59000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd | svchost.exe, 0000000F.00000003.1633412468.000001F22BF33000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1620524966.000001F22BF33000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1633951055.000001F22BF33000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/X | mssecsvr.exe, 00000008.00000002.2225441842.0000000000A58000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://account.live.com/InlineSignup.aspx?iww=1&id=80502 | svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://signup.live.com/signup.aspx | svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598845700.000001F22BF55000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://Passport.NET/tb_ | svchost.exe, 0000000F.00000002.2797577121.000001F22C43D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80601 | svchost.exe, 0000000F.00000003.1599257869.000001F22BF56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598718329.000001F22BF29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598845700.000001F22BF52000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80600 | svchost.exe, 0000000F.00000003.1598718329.000001F22BF29000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80603 | svchost.exe, 0000000F.00000003.1599257869.000001F22BF56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598718329.000001F22BF29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598845700.000001F22BF52000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0842-32cc-b361-86c8884a5e | mssecsvr.exe, 0000000A.00000002.1585287821.0000000000A79000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.1585287821.0000000000A6C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://schemas.xmlsoap.org/ws/2004/09/policy | svchost.exe, 0000000F.00000002.2797480723.000001F22BF5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2797480723.000001F22BF6D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2797445609.000001F22BF37000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0842-3096-a478-d7c464a3f0 | mssecsvr.exe, 00000006.00000002.1584053188.0000000000A80000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous | svchost.exe, 0000000F.00000002.2797445609.000001F22BF37000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0842-3207-bd07-6551d63508 | mssecsvr.exe, 00000008.00000002.2225441842.0000000000A7B000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2225441842.0000000000A9D000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000003.1584037651.0000000000A9D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | mssecsvr.exe.3.dr | false | | high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/2XJ | mssecsvr.exe, 00000008.00000002.2225441842.0000000000A58000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80605 | svchost.exe, 0000000F.00000003.1599257869.000001F22BF56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598718329.000001F22BF29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598845700.000001F22BF52000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.microsoftonline.com/ppsecure/DeviceAssociate.srfJ | svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/p | mssecsvr.exe, 00000006.00000002.1584053188.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80604 | svchost.exe, 0000000F.00000003.1599257869.000001F22BF56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598718329.000001F22BF29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598845700.000001F22BF52000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://account.live.com/msangcwam | svchost.exe, 0000000F.00000003.1598718329.000001F22BF29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599048340.000001F22BF57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598845700.000001F22BF52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srf | svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crl.ver) | svchost.exe, 0000000F.00000002.2797122115.000001F22B6C8000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://passport.net/tb | svchost.exe, 0000000F.00000002.2797031764.000001F22B681000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2797658785.000001F22C47D000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://upx.sf.net | Amcache.hve.14.dr | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/Issueue | svchost.exe, 0000000F.00000002.2797480723.000001F22BF6D000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsds | svchost.exe, 0000000F.00000002.2797480723.000001F22BF6D000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/Issue | svchost.exe, 0000000F.00000003.1633985081.000001F22BF52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1621897874.000001F22BF53000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1633985081.000001F22BF59000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/s | mssecsvr.exe, 00000008.00000002.2225441842.0000000000A58000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.microsoftonline.com/ppsecure/DeviceAssociate.srf | svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://account.live.com/Wizard/Password/Change?id=80601 | svchost.exe, 0000000F.00000003.1599257869.000001F22BF56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598718329.000001F22BF29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598718329.000001F22BF2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598845700.000001F22BF52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/sc | svchost.exe, 0000000F.00000002.2797480723.000001F22BF5F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://account.live.com/inlinesignup.aspx?iww=1&id=80601 | svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://account.live.com/inlinesignup.aspx?iww=1&id=80600 | svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/ | mssecsvr.exe, 00000006.00000002.1584053188.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2225441842.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.1585287821.0000000000A8E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://Passport.NET/tb_k | svchost.exe, 0000000F.00000002.2797577121.000001F22C43D000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue | svchost.exe, 0000000F.00000002.2797480723.000001F22BF6D000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comO | mssecsvr.exe, 0000000A.00000002.1585287821.0000000000A37000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf | svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://Passport.NET/tb:pp | svchost.exe, 0000000F.00000002.2797031764.000001F22B681000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ | mssecsvr.exe, 00000008.00000002.2222517608.000000000019D000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://login.ecur | svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmp | false
                                                                                                                          • Avira URL Cloud: safe
                                                                                                                          unknown
                                                                                                                          https://account.live.com/inlinesignup.aspx?iww=1&id=80605svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trustmsvchost.exe, 0000000F.00000002.2797445609.000001F22BF37000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://account.live.com/inlinesignup.aspx?iww=1&id=80603svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://account.live.com/inlinesignup.aspx?iww=1&id=80604svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://signup.live.com/signup.aspxicesvchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdsvchost.exe, 0000000F.00000003.1645563508.000001F22BF33000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1620706961.000001F22BF32000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1621411496.000001F22BF58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2797480723.000001F22BF6D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2797393464.000001F22BF30000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1620595444.000001F22BF30000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1633412468.000001F22BF33000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1620524966.000001F22BF33000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1633951055.000001F22BF33000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      high
IP               Domain   Country            ASN    ASN Name                                               Malicious
56.59.202.1      unknown  United States      2686   ATGS-MMD-ASUS                                          false
197.208.96.1     unknown  Sudan              36998  SDN-MOBITELSD                                          false
207.219.89.51    unknown  Canada             852    ASN852CA                                               false
63.85.204.70     unknown  United States      40234  RAPIDPARTSUS                                           false
90.207.146.1     unknown  United Kingdom     5607   BSKYB-BROADBAND-ASGB                                   false
150.245.56.1     unknown  United States      766    REDIRISRedIRISAutonomousSystemES                       false
121.134.74.2     unknown  Korea Republic of  4766   KIXS-AS-KRKoreaTelecomKR                               false
121.134.74.1     unknown  Korea Republic of  4766   KIXS-AS-KRKoreaTelecomKR                               false
124.35.234.1     unknown  Japan              17506  UCOMARTERIANetworksCorporationJP                       false
27.108.78.45     unknown  Philippines        6648   BAYAN-TELECOMMUNICATIONSBayanTelecommunicationsIncPH   false
119.38.196.2     unknown  China              38367  CNNIC-ULICNET-APUnionLifeInsuranceCoLtdCN              false
142.195.63.24    unknown  Canada             64258  DESJARDINSCA                                           false
119.38.196.1     unknown  China              38367  CNNIC-ULICNET-APUnionLifeInsuranceCoLtdCN              false
119.38.196.13    unknown  China              38367  CNNIC-ULICNET-APUnionLifeInsuranceCoLtdCN              false
158.206.214.1    unknown  Japan              2522   PPP-EXPJapanNetworkInformationCenterJP                 false
221.5.28.201     unknown  China              17816  CHINA169-GZChinaUnicomIPnetworkChina169Guangdongprovi  false
90.207.146.203   unknown  United Kingdom     5607   BSKYB-BROADBAND-ASGB                                   false
27.219.109.201   unknown  China              4837   CHINA169-BACKBONECHINAUNICOMChina169BackboneCN         false
158.206.214.229  unknown  Japan              2522   PPP-EXPJapanNetworkInformationCenterJP                 false
129.31.49.100    unknown  United Kingdom     786    JANETJiscServicesLimitedGB                             false

None of these 20 public addresses is flagged malicious and none resolves from a domain; they are spread across many unrelated networks and countries, which matches the report's spreading signatures (SMB connections to many different hosts) rather than command-and-control traffic, so they should be read as scan targets, not as infrastructure to block.
IP (80 private addresses contacted, all in 192.168.2.0/24, listed here sorted and collapsed into ranges)
192.168.2.90 - 192.168.2.99
192.168.2.102 - 192.168.2.109
192.168.2.120 - 192.168.2.159
192.168.2.223 - 192.168.2.229
192.168.2.240 - 192.168.2.254
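The two IP lists above (the public addresses and the 192.168.2.0/24 hosts) are the raw material behind the report's "Connects to many different private IPs via SMB" signature, and the URL table above carries the kill-switch domain. The following is an added example, not part of the Joe Sandbox report or its signature set, showing a simple fan-out heuristic over such a contacted-IP list together with a kill-switch-domain match over carved URL strings. The sample inputs are constructed subsets of the addresses and strings listed on this page; the thresholds (10 hosts in one /24, 10 distinct public /8 networks) are assumed defaults, not values from the report.

```python
"""Worm-sweep heuristic over a sandbox's contacted-IP list (added example)."""
import ipaddress
from collections import Counter

# Constructed sample: a subset of the addresses listed in the report above.
CONTACTED_IPS = (
    [f"192.168.2.{h}" for h in range(90, 100)]
    + [f"192.168.2.{h}" for h in range(120, 160)]
    + ["56.59.202.1", "197.208.96.1", "207.219.89.51", "63.85.204.70",
       "90.207.146.1", "150.245.56.1", "121.134.74.2", "121.134.74.1",
       "124.35.234.1", "27.108.78.45", "119.38.196.2", "142.195.63.24",
       "158.206.214.1", "221.5.28.201", "129.31.49.100"]
)

# Constructed sample: URL strings carved from process memory, including the
# trailing junk bytes that carving produces (compare the entries above).
MEMORY_URLS = [
    "http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ",
    "http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/",
    "https://account.live.com/inlinesignup.aspx?iww=1&id=80600",
]

# The WannaCry kill-switch domain: a public IOC, not something taken from
# this particular run.
KILL_SWITCH = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com"


def sweep_indicators(ips, min_hosts_per_subnet=10, min_public_networks=10):
    """Summarise the destination fan-out of one process.

    A worm that sweeps its local /24 produces many distinct hosts inside a
    single subnet; one that scans the Internet at random produces many
    distinct public /8 networks with one or two hosts each. Neither pattern
    is normal for a client application, so both are reported. The threshold
    defaults are assumptions.
    """
    addrs = [ipaddress.ip_address(ip) for ip in ips]
    private = [a for a in addrs if a.is_private]
    public = [a for a in addrs if a.is_global]

    # Distinct hosts per private /24.
    per_subnet = Counter(
        str(ipaddress.ip_network(f"{a}/24", strict=False)) for a in private
    )
    busiest_subnet, busiest_count = (per_subnet.most_common(1) or [("", 0)])[0]

    # Distinct public /8 networks (first octet) is a cheap spread measure.
    public_networks = {a.packed[0] for a in public}

    local_sweep = busiest_count >= min_hosts_per_subnet
    random_scan = len(public_networks) >= min_public_networks
    return {
        "private_hosts": len(private),
        "public_hosts": len(public),
        "busiest_subnet": busiest_subnet,
        "busiest_subnet_hosts": busiest_count,
        "distinct_public_slash8": len(public_networks),
        "local_sweep": local_sweep,
        "random_internet_scan": random_scan,
        "worm_like": local_sweep or random_scan,
    }


def kill_switch_hits(memory_strings, ioc=KILL_SWITCH):
    """Return the carved strings that reference the kill-switch domain.

    Memory-carved URLs often carry trailing bytes (".comJ", ".comO"), so a
    strict URL parse would miss them; match on the domain label instead.
    """
    needle = ioc.lower()
    return [s for s in memory_strings if needle in s.lower()]


if __name__ == "__main__":
    for key, value in sweep_indicators(CONTACTED_IPS).items():
        print(f"{key}: {value}")
    for hit in kill_switch_hits(MEMORY_URLS):
        print("kill-switch reference:", hit)
```

On the constructed input the heuristic reports 50 private hosts in one subnet and 14 distinct public /8s, so both the local sweep and the random Internet scan fire; a process that talks to one internal host and one public host stays below both thresholds. The kill-switch match deliberately does not block on it: a hit tells the analyst which process carries the check, and a responder's action is to keep the domain resolvable, since a successful request is what stops the spreader.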
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1591362
Start date and time: 2025-01-14 22:41:16 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 24s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: ruXU7wj3X9.dll (renamed because the original name is a hash value)
Original Sample Name: d907672759069af4824b0354e9170285.dll
Detection: MAL
Classification: mal100.rans.expl.evad.winDLL@25/11@2/100
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .dll
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 40.126.32.76, 40.126.32.134, 20.190.160.22, 20.190.160.14, 40.126.32.133, 40.126.32.138, 40.126.32.136, 40.126.32.72, 88.221.110.91, 2.16.100.168, 2.23.77.188, 20.189.173.21, 172.202.163.200, 13.107.246.45
• Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, a767.dspw65.akamai.net, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, ocsp.digicert.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net
                                                                                                                                      • Not all processes where analyzed, report is missing behavior information
                                                                                                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                      • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
16:42:30 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
16:42:38 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
16:43:06 | API Interceptor | 112x Sleep call for process: mssecsvr.exe modified
No context
Match: 77026.bodis.com
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
eIZi481eP6.dll | Get hash | malicious | Wannacry | Browse | 199.59.243.228
m9oUIFauYl.dll | Get hash | malicious | Wannacry | Browse | 199.59.243.228
sUlHfYQxNw.dll | Get hash | malicious | Wannacry | Browse | 199.59.243.228
6qqWn6eIGG.dll | Get hash | malicious | Wannacry | Browse | 199.59.243.228
mlfk8sYaiy.dll | Get hash | malicious | Wannacry | Browse | 199.59.243.228
jgd5ZGl1vA.dll | Get hash | malicious | Wannacry | Browse | 199.59.243.228
8dPlV2lT8o.exe | Get hash | malicious | Simda Stealer | Browse | 199.59.243.227
7ObLFE2iMK.exe | Get hash | malicious | Simda Stealer | Browse | 199.59.243.227
UMwpXhA46R.exe | Get hash | malicious | Simda Stealer | Browse | 199.59.243.227
1fWgBXPgiT.exe | Get hash | malicious | Simda Stealer | Browse | 199.59.243.227
Match: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
eIZi481eP6.dll | Get hash | malicious | Wannacry | Browse | 103.224.212.215
m9oUIFauYl.dll | Get hash | malicious | Wannacry | Browse | 103.224.212.215
sUlHfYQxNw.dll | Get hash | malicious | Wannacry | Browse | 103.224.212.215
6qqWn6eIGG.dll | Get hash | malicious | Wannacry | Browse | 103.224.212.215
mlfk8sYaiy.dll | Get hash | malicious | Wannacry | Browse | 103.224.212.215
jgd5ZGl1vA.dll | Get hash | malicious | Wannacry | Browse | 103.224.212.215
LisectAVT_2403002A_327.dll | Get hash | malicious | Wannacry | Browse | 103.224.212.215
yrBA01LVo2.exe | Get hash | malicious | Wannacry | Browse | 103.224.212.215
Match: SDN-MOBITELSD
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
meth9.elf | Get hash | malicious | Mirai | Browse | 41.240.40.16
elitebotnet.sh4.elf | Get hash | malicious | Mirai, Okiru | Browse | 154.98.154.65
4.elf | Get hash | malicious | Unknown | Browse | 197.208.232.126
6.elf | Get hash | malicious | Unknown | Browse | 41.241.171.237
3.elf | Get hash | malicious | Unknown | Browse | 41.241.171.247
3.elf | Get hash | malicious | Unknown | Browse | 41.95.229.209
6.elf | Get hash | malicious | Unknown | Browse | 41.95.189.166
5.elf | Get hash | malicious | Unknown | Browse | 41.95.189.164
6.elf | Get hash | malicious | Unknown | Browse | 41.241.199.3
3.elf | Get hash | malicious | Unknown | Browse | 41.95.146.6
Match: ATGS-MMD-ASUS
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
YZJG8NuHEP.dll | Get hash | malicious | Wannacry | Browse | 51.209.245.1
http://monitor.linkwhat.com/tl4tl4726Qz107cK770xR10599lj360px17lb07468gl70015oV95328Kn41253VG39381FP5605427918==aru2826664 | Get hash | malicious | Phisher | Browse | 34.149.158.220
hsmSW6Eifl.dll | Get hash | malicious | Wannacry | Browse | 34.1.98.1
FjSrGs0AE2.dll | Get hash | malicious | Wannacry | Browse | 51.243.90.42
m9oUIFauYl.dll | Get hash | malicious | Wannacry | Browse | 34.177.88.1
5Q6ffmX9tQ.dll | Get hash | malicious | Wannacry | Browse | 48.82.13.223
jpXNd6Kt8z.dll | Get hash | malicious | Wannacry | Browse | 33.222.99.200
527.zip | Get hash | malicious | Unknown | Browse | 34.160.144.191
527.zip | Get hash | malicious | Unknown | Browse | 34.160.144.191
Fantazy.arm4.elf | Get hash | malicious | Unknown | Browse | 34.43.158.177
Match: ASN852CA
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
m9oUIFauYl.dll | Get hash | malicious | Wannacry | Browse | 209.29.139.1
i686.elf | Get hash | malicious | Unknown | Browse | 209.171.55.67
spc.elf | Get hash | malicious | Unknown | Browse | 104.205.84.120
arm5.elf | Get hash | malicious | Unknown | Browse | 50.93.119.96
x86_64.elf | Get hash | malicious | Unknown | Browse | 199.126.116.113
i486.elf | Get hash | malicious | Unknown | Browse | 154.5.159.104
mips.elf | Get hash | malicious | Unknown | Browse | 199.175.181.117
mpsl.elf | Get hash | malicious | Unknown | Browse | 205.206.219.230
3.elf | Get hash | malicious | Unknown | Browse | 208.38.43.109
res.mips.elf | Get hash | malicious | Unknown | Browse | 207.216.32.185
No context
No context
                                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):65536
                                                                                                                                      Entropy (8bit):0.8301359728241963
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:BQ1fvIKS6C0BU/KmkjeT0TzuiFnZ24IO8iw6:CfAKS6JBU/Kmkje0zuiFnY4IO8iw
                                                                                                                                      MD5:FF8CA67A988E19A48A5782BD4ABFE614
                                                                                                                                      SHA1:48B67BBC92148D98FB5DDC81C387BC9E8986C253
                                                                                                                                      SHA-256:1444820D750812EC0572049144672A441B5CBA5625FFA4E4558A3223274EC866
                                                                                                                                      SHA-512:0EA7B06DC4D83803E374B75BCA32B25688A360A919CCD7DC97F8119FD7D03FF4753D9F2D1A4F884048213D21C51C79C56515B78D97C8697CB49499BDFE46D36C
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.3.6.4.5.5.3.0.7.6.0.7.8.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.1.3.6.4.5.5.3.7.7.9.1.8.9.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.d.9.f.d.5.b.3.-.2.b.5.2.-.4.5.7.4.-.9.c.7.c.-.6.c.7.0.0.6.0.9.d.9.e.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.6.c.9.b.1.5.e.-.3.1.5.5.-.4.3.2.9.-.8.8.4.1.-.5.8.0.9.0.9.f.a.f.5.7.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.t.a.s.k.s.c.h.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.d.8.0.-.0.0.0.1.-.0.0.1.4.-.e.0.4.f.-.9.9.3.7.c.d.6.6.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.a.f.7.5.0.4.c.e.4.c.c.7.1.0.3.a.c.6.3.0.3.1.1.c.0.1.6.c.2.e.7.0.0.0.0.f.f.f.f.!.0.0.0.0.1.9.3.f.7.4.1.3.9.6.1.3.2.4.e.d.a.1.f.3.f.8.c.d.0.f.6.0.1.0.f.c.b.7.3.0.2.8.e.c.!.t.a.s.k.s.c.h.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.
                                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                      File Type:Mini DuMP crash report, 14 streams, Tue Jan 14 21:42:33 2025, 0x1205a4 type
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):38730
                                                                                                                                      Entropy (8bit):2.0442894261407027
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:2/dRcS4yeAO5HtilBvXGap9S8ZNSn+S9z/ZSgXX:aLct5HklBNvDO+2/ZZ
                                                                                                                                      MD5:20395ABFD51E9DC88B90D238954F5F13
                                                                                                                                      SHA1:ABDCE351BE5BA323D57F7D3DC43A7AE33F456CFC
                                                                                                                                      SHA-256:EDE2CC8E1BD9354161D23D03FD3087D021253315EADC289CCF1DE7C6BFB6F07F
                                                                                                                                      SHA-512:36AE9F201C2944D37FAD54E2E13B0B503421F717A61C6872212BDA5DC8E53166A9B9CAAE682C73B82773E833C0B329ECD63446195EDCB64F555F98BF4C4D7FFE
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:MDMP..a..... .......I.g.........................................&..........T.......8...........T...............z.......................x...............................................................................eJ..............GenuineIntel............T...........H.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):6264
                                                                                                                                      Entropy (8bit):3.7175468913336216
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:RSIU6o7wVetbtj36bLYyK+QE/qiv5aM4Uw89bWcsfJQSm:R6l7wVeJtj363YyK+9prw89bWcsfJQSm
                                                                                                                                      MD5:A298B843447458EDEC83BFDCB2E647F3
                                                                                                                                      SHA1:1C87E49498D4847C2D25F5C1C4228F20AF253DB8
                                                                                                                                      SHA-256:F03D0B0D21462D6C1F1C71B79AC6D48DD31757CC63DAD95AA1EE3DE90651F8CA
                                                                                                                                      SHA-512:0C4542FBB7920693A132463339A9F6A310F24EF97A82BF910DC1C592973E2BCC8DAF3F24A7856247F48981FDF74C575355DE8FAB1047E8D9C282D0862D0ED39E
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.4.5.6.<./.P.i.
                                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):86900
                                                                                                                                      Entropy (8bit):3.0785853189877406
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:1536:Fa43zsD+lU2rFz57PUr272+TA+atraKcSvmPNbP:Fa43zsD+lU2rFz57PUr272+TANtraKct
                                                                                                                                      MD5:572186AB799296F2ACC9C9EE01EF33EC
                                                                                                                                      SHA1:9A04B0E261CBE5CA333B68EB4217536AEE9D19D8
                                                                                                                                      SHA-256:59C7E6A2622626F1932C7C22C930D9016441E11A7BE1F87E0CF4150786F4E6A4
                                                                                                                                      SHA-512:101312B5E2C6CCDA14E68E0FE6BA34AF4276B0A34212777F524DDFAB3FD2D3B6F182F0A9538E76227CF702B19D4C8548B0CD81900FD7FECB9A525AF77516E50B
                                                                                                                                      Malicious:false
                                                                                                                                      Preview (UTF-16LE text, decoded):ImageName,UniqueProcessId,NumberOfThreads,WorkingSetPrivateSize,HardFaultCount,NumberOfThreadsHighWatermark,CycleTime,CreateTime,UserTime,KernelTime,BasePriority,PeakVirtualSize,VirtualSize,PageFaultCount,WorkingSetSize,PeakWorkingSetSize,QuotaPeakPagedPoolUsage,QuotaPagedPoolUsage,QuotaPeakNonPagedPoolUsage,QuotaNonPagedPoolUsage,PagefileUsage,PeakPagefileUsage,PrivatePageCount,ReadOperationCount,WriteOperationCount,OtherOperationCount,ReadTransferCount,WriteTransferCount,OtherTransferCount,Han
                                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):4565
                                                                                                                                      Entropy (8bit):4.437414937199768
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:cvIwWl8zsBJg77aI9iNWpW8VY63Ym8M4Jh/iZFH+q8dguGr68jiQd:uIjfTI7c87VNqJliDMfGr6ciQd
                                                                                                                                      MD5:4AA5D461F6AB029078DDE63AD8E3AA46
                                                                                                                                      SHA1:41B82B7AA781D593ECCDFE5089F041A163E8F5B4
                                                                                                                                      SHA-256:62CA4B47397CDCD23764D39D1DCE7FA5BC502FDA79DFE5C3A5D3A4E21483BB16
                                                                                                                                      SHA-512:D38516480C384576EC431C450DEBFDE1EB7E0D34D43D9204F1D16B3C51842A89EADAAAE975F281A2AD39FC8C36756829A4C3436CA4746EF63316A2D6EE634FE9
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="676125" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):13340
                                                                                                                                      Entropy (8bit):2.6843861499051624
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:TiZYWhNK/a6FYYYFDW2HKYEZNltk0ibE/SxwOTn4akadMdiXI6+w3:2ZDL+fI8gsakadMdi46+w3
                                                                                                                                      MD5:99F0DFF9544529F84344F3253587A364
                                                                                                                                      SHA1:AEF60091641C1FDB70DE1DCC5A11B96C69783550
                                                                                                                                      SHA-256:49D55EE2B3D20D61A9028772C02545D448A3E00CD2D403D2281E089041D46544
                                                                                                                                      SHA-512:6CF55881692A25BE3AB955FD967C74F2C024BE5D5D7CD720654E034DD71C0DB9F7589EC7AA6E381734F55EC1B935CB7EA8714EE9971853707DCA09DD99A129FB
                                                                                                                                      Malicious:false
                                                                                                                                      Preview (UTF-16LE text, decoded; "B..." is the binary record prefix left as-is):B...TimerResolution 156250..B...PageSize 4096..B...NumberOfPhysicalPages 1048333..B...LowestPhysicalPageNumber 2..B...HighestPhysicalPageNumber 1310719..B...AllocationGranularity 65536..B...MinimumUserModeAddress 65536..B...MaximumUserModeAddress 140737488289791..B...ActiveProcessorsAffinityMask
                                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                                      File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 4761 bytes, 1 file, at 0x2c +A "disallowedcert.stl", number 1, 1 datablock, 0x1 compression
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):4761
                                                                                                                                      Entropy (8bit):7.945585251880973
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:6ZUpZsm0HwZ8FLSeXs+aiL9qcZ7KtlAD1GlNHgdkVI5F11AcNmwkVFzGz6ENhZC7:62T0QOLl8vAqcZ7K3AUNAdx5FAx9VEOj
                                                                                                                                      MD5:77B20B5CD41BC6BB475CCA3F91AE6E3C
                                                                                                                                      SHA1:9E98ACE72BD2AB931341427A856EF4CEA6FAF806
                                                                                                                                      SHA-256:5511A9B9F9144ED7BDE4CCB074733B7C564D918D2A8B10D391AFC6BE5B3B1509
                                                                                                                                      SHA-512:3537DA5E7F3ABA3DAFE6A86E9511ABA20B7A3D34F30AEA6CC11FEEF7768BD63C0C85679C49E99C3291BD1B552DED2C6973B6C2F7F6D731BCFACECAB218E72FD4
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:modified
                                                                                                                                      Size (bytes):340
                                                                                                                                      Entropy (8bit):3.155913334944608
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6:kKRkU5+7DYUN+SkQlPlEGYRMY9z+s3Ql2DUeXJlOW1:hLkPlE99SCQl2DUeXJlOA
                                                                                                                                      MD5:4A5DFB652B01165673850A31AD5A1AA1
                                                                                                                                      SHA1:E5F5DD0A9A1173E08A61D6E8018CEF257E3A889B
                                                                                                                                      SHA-256:9D04243460A6B8A3F20D04951848F6B99493F85EDED488777060F4165AC3D70B
                                                                                                                                      SHA-512:735CA344BE8A0A2354AA5AB16004B0E1120C6337DECE4CD75AA9539B6DE24192CD5662A197ADD8B15B350B9429EBE7FBCECF6F1883A3147CD53FA6911EDFD7C8
                                                                                                                                      Malicious:false
                                                                                                                                      Preview (binary header kept as-is, UTF-16LE tail decoded):p...... ........y.z9.f..(....................................................... ........~..MG......&...............http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab."06cfcc54d47db1:0"...
                                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                      File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1835008
                                                                                                                                      Entropy (8bit):4.371968148323026
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:cFVfpi6ceLP/9skLmb0ayWWSPtaJG8nAge35OlMMhA2AX4WABlguNiiL:sV1QyWWI/glMM6kF7kq
                                                                                                                                      MD5:A074F1BA614A40B8E5898FADF7F304D1
                                                                                                                                      SHA1:D2088489435DB2430529EEB541404F1EE77B2134
                                                                                                                                      SHA-256:AFAE0088E32A5C12FAE987C477B6696287CCB68E2B957199B3155B7DBA948D1E
                                                                                                                                      SHA-512:6BC44D7B64FDF42615296799D717451AFFA8E6F1267AF5879474A17F116F3C23D4FFE5108A943C2F06BEF824A986FAD135645CB60BFF9C11191CA46959DF4090
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):2281472
                                                                                                                                      Entropy (8bit):7.613854014709872
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:49152:QnVENPbcBVQej/1INRx+TSqTdX1HkQo6SAAw:QVOoBhz1aRxcSUDk36SAz
                                                                                                                                      MD5:B15FB425B628062A7BB0F11DBAECF4AC
                                                                                                                                      SHA1:016EBB19FB4A8D125867D63FAA200E77DF1273E7
                                                                                                                                      SHA-256:EBE31FD906BDF28945926CEE334266ABD14C7A81390C13867D1ABFDC1DC8F540
                                                                                                                                      SHA-512:0DB0B74354A5444D0A6134FAA4DDE79750AC110FEE116235B5BB908988868F171B63966D5E2ACB28319EA2138880777F284515520A5D1A945C163E35DB98EF4C
                                                                                                                                      Malicious:true
                                                                                                                                      Yara Hits:
                                                                                                                                      • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\mssecsvr.exe, Author: Joe Security
                                                                                                                                      • Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvr.exe, Author: Florian Roth (with the help of binar.ly)
                                                                                                                                      • Rule: WannaCry_Ransomware_Gen, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvr.exe, Author: Florian Roth (based on rule by US CERT)
                                                                                                                                      • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\mssecsvr.exe, Author: us-cert code analysis team
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                      Process:C:\Windows\mssecsvr.exe
                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):2061938
                                                                                                                                      Entropy (8bit):7.714028216833752
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:49152:DENPbcBVQej/1INRx+TSqTdX1HkQo6SAAW:DOoBhz1aRxcSUDk36SAp
                                                                                                                                      MD5:41C0E22D28973F312DE789C027E61D0C
                                                                                                                                      SHA1:193F7413961324EDA1F3F8CD0F6010FCB73028EC
                                                                                                                                      SHA-256:282AFB52E37BFB69D3016E1BB99E11AA9D6D9CB7759BA02279E44EEB9F504A9B
                                                                                                                                      SHA-512:D4196D39077E6F7AD8E402762FAD33B3CE74558FD8C34B412DDA96A118BB421927CEC5816C6D5728DE79288DFECCBA066630211043B35C16C1A165A4BEC19A37
                                                                                                                                      Malicious:true
                                                                                                                                      Yara Hits:
                                                                                                                                      • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\tasksche.exe, Author: Joe Security
                                                                                                                                      • Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly)
                                                                                                                                      • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                                                      File type:
                                                                                                                                      Entropy (8bit):4.0536849397765025
                                                                                                                                      TrID:
                                                                                                                                      • Win32 Dynamic Link Library (generic) (1002004/3) 98.32%
                                                                                                                                      • Windows Screen Saver (13104/52) 1.29%
                                                                                                                                      • Generic Win/DOS Executable (2004/3) 0.20%
                                                                                                                                      • DOS Executable Generic (2002/1) 0.20%
                                                                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                      File name:ruXU7wj3X9.dll
                                                                                                                                      File size:5'267'459 bytes
                                                                                                                                      MD5:d907672759069af4824b0354e9170285
                                                                                                                                      SHA1:d995544a19032e9cebdd6d76c03580a89bd7a330
                                                                                                                                      SHA256:4ad2a09b3c99f31faf5f46b2298dcf2e9c5b84a96732bffea2fcf4e2c2aa791e
                                                                                                                                      SHA512:4b95745fd90589bc154ca7a22bd5dd625332d0f7bf9a87db198e8253012871b7fb108793d7372658515ad2b4cdd12c5047ff06120d43c1de673e8e3b6d5ad6bd
                                                                                                                                      SSDEEP:49152:RnVENPbcBVQej/1INRx+TSqTdX1HkQo6SAA:1VOoBhz1aRxcSUDk36SA
                                                                                                                                      TLSH:3236F115A1E86B74E6F31EB2217B871047797E45899B928E1760A04F0C33F5CDEB2F29
                                                                                                                                      Icon Hash:7ae282899bbab082
                                                                                                                                      Timestamp                        SID      Signature                                                                                              Severity  Source IP    Source Port  Dest IP          Dest Port  Protocol
                                                                                                                                      2025-01-14T22:42:29.157189+0100  2830018  ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)  1         192.168.2.8  49256        1.1.1.1          53         UDP
                                                                                                                                      2025-01-14T22:42:30.076941+0100  2803304  ETPRO MALWARE Common Downloader Header Pattern HCa                                                     3         192.168.2.8  49707        103.224.212.215  80         TCP
                                                                                                                                      2025-01-14T22:42:32.744988+0100  2803304  ETPRO MALWARE Common Downloader Header Pattern HCa                                                     3         192.168.2.8  49709        103.224.212.215  80         TCP
                                                                                                                                      Timestamp                            Source Port  Dest Port  Source IP        Dest IP
                                                                                                                                      Jan 14, 2025 22:42:22.743256092 CET  49673        443        192.168.2.8      23.206.229.226
                                                                                                                                      Jan 14, 2025 22:42:22.993379116 CET  49677        80         192.168.2.8      192.229.211.108
                                                                                                                                      Jan 14, 2025 22:42:23.102567911 CET  49672        443        192.168.2.8      23.206.229.226
                                                                                                                                      Jan 14, 2025 22:42:29.472105980 CET  49707        80         192.168.2.8      103.224.212.215
                                                                                                                                      Jan 14, 2025 22:42:29.476869106 CET  80           49707      103.224.212.215  192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:29.476953983 CET  49707        80         192.168.2.8      103.224.212.215
                                                                                                                                      Jan 14, 2025 22:42:29.477104902 CET  49707        80         192.168.2.8      103.224.212.215
                                                                                                                                      Jan 14, 2025 22:42:29.481851101 CET  80           49707      103.224.212.215  192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:30.076818943 CET  80           49707      103.224.212.215  192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:30.076941013 CET  49707        80         192.168.2.8      103.224.212.215
                                                                                                                                      Jan 14, 2025 22:42:30.076944113 CET8049707103.224.212.215192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:30.076999903 CET4970780192.168.2.8103.224.212.215
                                                                                                                                      Jan 14, 2025 22:42:30.186610937 CET4970780192.168.2.8103.224.212.215
                                                                                                                                      Jan 14, 2025 22:42:30.191502094 CET8049707103.224.212.215192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:30.382056952 CET4970880192.168.2.8199.59.243.228
                                                                                                                                      Jan 14, 2025 22:42:30.386847973 CET8049708199.59.243.228192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:30.386920929 CET4970880192.168.2.8199.59.243.228
                                                                                                                                      Jan 14, 2025 22:42:30.387044907 CET4970880192.168.2.8199.59.243.228
                                                                                                                                      Jan 14, 2025 22:42:30.391828060 CET8049708199.59.243.228192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:30.843998909 CET8049708199.59.243.228192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:30.844014883 CET8049708199.59.243.228192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:30.844077110 CET4970880192.168.2.8199.59.243.228
                                                                                                                                      Jan 14, 2025 22:42:30.851619005 CET4970880192.168.2.8199.59.243.228
                                                                                                                                      Jan 14, 2025 22:42:30.851646900 CET4970880192.168.2.8199.59.243.228
                                                                                                                                      Jan 14, 2025 22:42:31.001969099 CET4970980192.168.2.8103.224.212.215
                                                                                                                                      Jan 14, 2025 22:42:31.276201010 CET4971080192.168.2.8103.224.212.215
                                                                                                                                      Jan 14, 2025 22:42:32.008810997 CET4970980192.168.2.8103.224.212.215
                                                                                                                                      Jan 14, 2025 22:42:32.108027935 CET8049709103.224.212.215192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:32.108186007 CET4970980192.168.2.8103.224.212.215
                                                                                                                                      Jan 14, 2025 22:42:32.108426094 CET4970980192.168.2.8103.224.212.215
                                                                                                                                      Jan 14, 2025 22:42:32.108772993 CET8049710103.224.212.215192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:32.108855963 CET4971080192.168.2.8103.224.212.215
                                                                                                                                      Jan 14, 2025 22:42:32.109003067 CET4971080192.168.2.8103.224.212.215
                                                                                                                                      Jan 14, 2025 22:42:32.111476898 CET8049709103.224.212.215192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:32.111541986 CET4970980192.168.2.8103.224.212.215
                                                                                                                                      Jan 14, 2025 22:42:32.113292933 CET8049709103.224.212.215192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:32.113867998 CET8049710103.224.212.215192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:32.352576971 CET49673443192.168.2.823.206.229.226
                                                                                                                                      Jan 14, 2025 22:42:32.711926937 CET49672443192.168.2.823.206.229.226
                                                                                                                                      Jan 14, 2025 22:42:32.733532906 CET8049710103.224.212.215192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:32.734180927 CET8049710103.224.212.215192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:32.734302044 CET4971080192.168.2.8103.224.212.215
                                                                                                                                      Jan 14, 2025 22:42:32.737009048 CET4971080192.168.2.8103.224.212.215
                                                                                                                                      Jan 14, 2025 22:42:32.738771915 CET4971180192.168.2.8199.59.243.228
                                                                                                                                      Jan 14, 2025 22:42:32.742980957 CET8049710103.224.212.215192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:32.743735075 CET8049711199.59.243.228192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:32.743946075 CET4971180192.168.2.8199.59.243.228
                                                                                                                                      Jan 14, 2025 22:42:32.743974924 CET4971180192.168.2.8199.59.243.228
                                                                                                                                      Jan 14, 2025 22:42:32.744865894 CET8049709103.224.212.215192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:32.744904041 CET8049709103.224.212.215192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:32.744987965 CET4970980192.168.2.8103.224.212.215
                                                                                                                                      Jan 14, 2025 22:42:32.747610092 CET4970980192.168.2.8103.224.212.215
                                                                                                                                      Jan 14, 2025 22:42:32.748569012 CET4971280192.168.2.8199.59.243.228
                                                                                                                                      Jan 14, 2025 22:42:32.748707056 CET8049711199.59.243.228192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:32.752418041 CET8049709103.224.212.215192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:32.753444910 CET8049712199.59.243.228192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:32.753618002 CET4971280192.168.2.8199.59.243.228
                                                                                                                                      Jan 14, 2025 22:42:32.753730059 CET4971280192.168.2.8199.59.243.228
                                                                                                                                      Jan 14, 2025 22:42:32.758558989 CET8049712199.59.243.228192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:33.219224930 CET8049711199.59.243.228192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:33.219248056 CET8049711199.59.243.228192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:33.219417095 CET4971180192.168.2.8199.59.243.228
                                                                                                                                      Jan 14, 2025 22:42:33.226250887 CET4971180192.168.2.8199.59.243.228
                                                                                                                                      Jan 14, 2025 22:42:33.226250887 CET4971180192.168.2.8199.59.243.228
                                                                                                                                      Jan 14, 2025 22:42:33.227669001 CET8049712199.59.243.228192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:33.227699041 CET8049712199.59.243.228192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:33.227763891 CET4971280192.168.2.8199.59.243.228
                                                                                                                                      Jan 14, 2025 22:42:33.227763891 CET4971280192.168.2.8199.59.243.228
                                                                                                                                      Jan 14, 2025 22:42:33.236411095 CET4971280192.168.2.8199.59.243.228
                                                                                                                                      Jan 14, 2025 22:42:33.236479044 CET4971280192.168.2.8199.59.243.228
                                                                                                                                      Jan 14, 2025 22:42:33.292421103 CET49713445192.168.2.8119.38.196.13
                                                                                                                                      Jan 14, 2025 22:42:33.297233105 CET44549713119.38.196.13192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:33.297314882 CET49713445192.168.2.8119.38.196.13
                                                                                                                                      Jan 14, 2025 22:42:33.298320055 CET49713445192.168.2.8119.38.196.13
                                                                                                                                      Jan 14, 2025 22:42:33.299484015 CET49714445192.168.2.8119.38.196.1
                                                                                                                                      Jan 14, 2025 22:42:33.303210020 CET44549713119.38.196.13192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:33.303308964 CET49713445192.168.2.8119.38.196.13
                                                                                                                                      Jan 14, 2025 22:42:33.304287910 CET44549714119.38.196.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:33.304363012 CET49714445192.168.2.8119.38.196.1
                                                                                                                                      Jan 14, 2025 22:42:33.304433107 CET49714445192.168.2.8119.38.196.1
                                                                                                                                      Jan 14, 2025 22:42:33.306497097 CET49715445192.168.2.8119.38.196.1
                                                                                                                                      Jan 14, 2025 22:42:33.309293032 CET44549714119.38.196.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:33.309355974 CET49714445192.168.2.8119.38.196.1
                                                                                                                                      Jan 14, 2025 22:42:33.311327934 CET44549715119.38.196.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:33.311394930 CET49715445192.168.2.8119.38.196.1
                                                                                                                                      Jan 14, 2025 22:42:33.311465979 CET49715445192.168.2.8119.38.196.1
                                                                                                                                      Jan 14, 2025 22:42:33.316257000 CET44549715119.38.196.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:34.431449890 CET4434970623.206.229.226192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:34.431567907 CET49706443192.168.2.823.206.229.226
                                                                                                                                      Jan 14, 2025 22:42:35.291994095 CET49739445192.168.2.863.85.204.70
                                                                                                                                      Jan 14, 2025 22:42:35.298962116 CET4454973963.85.204.70192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:35.299077034 CET49739445192.168.2.863.85.204.70
                                                                                                                                      Jan 14, 2025 22:42:35.305435896 CET49739445192.168.2.863.85.204.70
                                                                                                                                      Jan 14, 2025 22:42:35.307518959 CET49740445192.168.2.863.85.204.1
                                                                                                                                      Jan 14, 2025 22:42:35.310302973 CET4454973963.85.204.70192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:35.310700893 CET49739445192.168.2.863.85.204.70
                                                                                                                                      Jan 14, 2025 22:42:35.312323093 CET4454974063.85.204.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:35.312493086 CET49740445192.168.2.863.85.204.1
                                                                                                                                      Jan 14, 2025 22:42:35.312493086 CET49740445192.168.2.863.85.204.1
                                                                                                                                      Jan 14, 2025 22:42:35.313864946 CET49741445192.168.2.863.85.204.1
                                                                                                                                      Jan 14, 2025 22:42:35.317435980 CET4454974063.85.204.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:35.317548037 CET49740445192.168.2.863.85.204.1
                                                                                                                                      Jan 14, 2025 22:42:35.318679094 CET4454974163.85.204.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:35.318764925 CET49741445192.168.2.863.85.204.1
                                                                                                                                      Jan 14, 2025 22:42:35.318808079 CET49741445192.168.2.863.85.204.1
                                                                                                                                      Jan 14, 2025 22:42:35.323606968 CET4454974163.85.204.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:37.307153940 CET49767445192.168.2.883.249.153.94
                                                                                                                                      Jan 14, 2025 22:42:37.312043905 CET4454976783.249.153.94192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:37.312500000 CET49767445192.168.2.883.249.153.94
                                                                                                                                      Jan 14, 2025 22:42:37.312624931 CET49767445192.168.2.883.249.153.94
                                                                                                                                      Jan 14, 2025 22:42:37.312872887 CET49768445192.168.2.883.249.153.1
                                                                                                                                      Jan 14, 2025 22:42:37.317617893 CET4454976783.249.153.94192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:37.317809105 CET4454976883.249.153.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:37.317853928 CET49767445192.168.2.883.249.153.94
                                                                                                                                      Jan 14, 2025 22:42:37.317889929 CET49768445192.168.2.883.249.153.1
                                                                                                                                      Jan 14, 2025 22:42:37.317955017 CET49768445192.168.2.883.249.153.1
                                                                                                                                      Jan 14, 2025 22:42:37.319468975 CET49769445192.168.2.883.249.153.1
                                                                                                                                      Jan 14, 2025 22:42:37.322813034 CET4454976883.249.153.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:37.322854996 CET49768445192.168.2.883.249.153.1
                                                                                                                                      Jan 14, 2025 22:42:37.324244976 CET4454976983.249.153.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:37.324492931 CET49769445192.168.2.883.249.153.1
                                                                                                                                      Jan 14, 2025 22:42:37.324601889 CET49769445192.168.2.883.249.153.1
                                                                                                                                      Jan 14, 2025 22:42:37.329355001 CET4454976983.249.153.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:39.322803974 CET49793445192.168.2.827.108.78.45
                                                                                                                                      Jan 14, 2025 22:42:39.327682972 CET4454979327.108.78.45192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:39.328563929 CET49793445192.168.2.827.108.78.45
                                                                                                                                      Jan 14, 2025 22:42:39.328681946 CET49793445192.168.2.827.108.78.45
                                                                                                                                      Jan 14, 2025 22:42:39.328926086 CET49794445192.168.2.827.108.78.1
                                                                                                                                      Jan 14, 2025 22:42:39.333594084 CET4454979327.108.78.45192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:39.333735943 CET4454979427.108.78.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:39.333817959 CET49793445192.168.2.827.108.78.45
                                                                                                                                      Jan 14, 2025 22:42:39.333846092 CET49794445192.168.2.827.108.78.1
                                                                                                                                      Jan 14, 2025 22:42:39.333950043 CET49794445192.168.2.827.108.78.1
                                                                                                                                      Jan 14, 2025 22:42:39.335338116 CET49795445192.168.2.827.108.78.1
                                                                                                                                      Jan 14, 2025 22:42:39.339889050 CET4454979427.108.78.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:39.340543985 CET49794445192.168.2.827.108.78.1
                                                                                                                                      Jan 14, 2025 22:42:39.340759993 CET4454979527.108.78.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:39.340868950 CET49795445192.168.2.827.108.78.1
                                                                                                                                      Jan 14, 2025 22:42:39.340910912 CET49795445192.168.2.827.108.78.1
                                                                                                                                      Jan 14, 2025 22:42:39.346446991 CET4454979527.108.78.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:41.338747025 CET49818445192.168.2.8121.134.74.17
                                                                                                                                      Jan 14, 2025 22:42:41.343611002 CET44549818121.134.74.17192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:41.343710899 CET49818445192.168.2.8121.134.74.17
                                                                                                                                      Jan 14, 2025 22:42:41.343775034 CET49818445192.168.2.8121.134.74.17
                                                                                                                                      Jan 14, 2025 22:42:41.344027042 CET49819445192.168.2.8121.134.74.1
                                                                                                                                      Jan 14, 2025 22:42:41.348721027 CET44549818121.134.74.17192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:41.348783970 CET49818445192.168.2.8121.134.74.17
                                                                                                                                      Jan 14, 2025 22:42:41.348824978 CET44549819121.134.74.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:41.348929882 CET49819445192.168.2.8121.134.74.1
                                                                                                                                      Jan 14, 2025 22:42:59.512327909 CET44550020129.31.49.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:59.512370110 CET50021445192.168.2.8129.31.49.1
                                                                                                                                      Jan 14, 2025 22:42:59.512475014 CET50020445192.168.2.8129.31.49.1
                                                                                                                                      Jan 14, 2025 22:42:59.517194986 CET44550021129.31.49.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:59.685143948 CET50022445192.168.2.863.85.204.1
                                                                                                                                      Jan 14, 2025 22:42:59.689985991 CET4455002263.85.204.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:42:59.690169096 CET50022445192.168.2.863.85.204.1
                                                                                                                                      Jan 14, 2025 22:42:59.693145037 CET50022445192.168.2.863.85.204.1
                                                                                                                                      Jan 14, 2025 22:42:59.697933912 CET4455002263.85.204.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:00.697938919 CET4454979527.108.78.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:00.698725939 CET49795445192.168.2.827.108.78.1
                                                                                                                                      Jan 14, 2025 22:43:00.699286938 CET49795445192.168.2.827.108.78.1
                                                                                                                                      Jan 14, 2025 22:43:00.699286938 CET49795445192.168.2.827.108.78.1
                                                                                                                                      Jan 14, 2025 22:43:00.704108953 CET4454979527.108.78.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:00.704118967 CET4454979527.108.78.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:01.509377956 CET50023445192.168.2.825.106.82.231
                                                                                                                                      Jan 14, 2025 22:43:01.514144897 CET4455002325.106.82.231192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:01.514238119 CET50023445192.168.2.825.106.82.231
                                                                                                                                      Jan 14, 2025 22:43:01.514298916 CET50023445192.168.2.825.106.82.231
                                                                                                                                      Jan 14, 2025 22:43:01.514543056 CET50024445192.168.2.825.106.82.1
                                                                                                                                      Jan 14, 2025 22:43:01.519211054 CET4455002325.106.82.231192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:01.519273996 CET50023445192.168.2.825.106.82.231
                                                                                                                                      Jan 14, 2025 22:43:01.519316912 CET4455002425.106.82.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:01.519376993 CET50024445192.168.2.825.106.82.1
                                                                                                                                      Jan 14, 2025 22:43:01.519397020 CET50024445192.168.2.825.106.82.1
                                                                                                                                      Jan 14, 2025 22:43:01.519671917 CET50025445192.168.2.825.106.82.1
                                                                                                                                      Jan 14, 2025 22:43:01.524410009 CET4455002525.106.82.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:01.524475098 CET50025445192.168.2.825.106.82.1
                                                                                                                                      Jan 14, 2025 22:43:01.524516106 CET50025445192.168.2.825.106.82.1
                                                                                                                                      Jan 14, 2025 22:43:01.524985075 CET4455002425.106.82.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:01.525039911 CET50024445192.168.2.825.106.82.1
                                                                                                                                      Jan 14, 2025 22:43:01.529295921 CET4455002525.106.82.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:01.821621895 CET50026445192.168.2.883.249.153.1
                                                                                                                                      Jan 14, 2025 22:43:01.826486111 CET4455002683.249.153.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:01.826631069 CET50026445192.168.2.883.249.153.1
                                                                                                                                      Jan 14, 2025 22:43:01.826631069 CET50026445192.168.2.883.249.153.1
                                                                                                                                      Jan 14, 2025 22:43:01.831573009 CET4455002683.249.153.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:02.731112957 CET44549820121.134.74.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:02.731178999 CET49820445192.168.2.8121.134.74.1
                                                                                                                                      Jan 14, 2025 22:43:02.762329102 CET49820445192.168.2.8121.134.74.1
                                                                                                                                      Jan 14, 2025 22:43:02.762415886 CET49820445192.168.2.8121.134.74.1
                                                                                                                                      Jan 14, 2025 22:43:02.767086029 CET44549820121.134.74.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:02.767200947 CET44549820121.134.74.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:03.524970055 CET50027445192.168.2.8157.193.184.198
                                                                                                                                      Jan 14, 2025 22:43:03.529881954 CET44550027157.193.184.198192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:03.532555103 CET50027445192.168.2.8157.193.184.198
                                                                                                                                      Jan 14, 2025 22:43:03.532572985 CET50027445192.168.2.8157.193.184.198
                                                                                                                                      Jan 14, 2025 22:43:03.532741070 CET50028445192.168.2.8157.193.184.1
                                                                                                                                      Jan 14, 2025 22:43:03.537583113 CET44550028157.193.184.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:03.537702084 CET44550027157.193.184.198192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:03.537775040 CET50027445192.168.2.8157.193.184.198
                                                                                                                                      Jan 14, 2025 22:43:03.537827015 CET50028445192.168.2.8157.193.184.1
                                                                                                                                      Jan 14, 2025 22:43:03.537985086 CET50028445192.168.2.8157.193.184.1
                                                                                                                                      Jan 14, 2025 22:43:03.538367033 CET50029445192.168.2.8157.193.184.1
                                                                                                                                      Jan 14, 2025 22:43:03.543148994 CET44550029157.193.184.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:03.544609070 CET50029445192.168.2.8157.193.184.1
                                                                                                                                      Jan 14, 2025 22:43:03.544609070 CET50029445192.168.2.8157.193.184.1
                                                                                                                                      Jan 14, 2025 22:43:03.546406984 CET44550028157.193.184.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:03.549474955 CET44550029157.193.184.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:03.566020012 CET44550028157.193.184.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:03.568550110 CET50028445192.168.2.8157.193.184.1
                                                                                                                                      Jan 14, 2025 22:43:03.712429047 CET50030445192.168.2.827.108.78.1
                                                                                                                                      Jan 14, 2025 22:43:03.717330933 CET4455003027.108.78.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:03.717420101 CET50030445192.168.2.827.108.78.1
                                                                                                                                      Jan 14, 2025 22:43:03.717475891 CET50030445192.168.2.827.108.78.1
                                                                                                                                      Jan 14, 2025 22:43:03.722278118 CET4455003027.108.78.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:04.757915020 CET4454984439.85.39.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:04.758055925 CET49844445192.168.2.839.85.39.1
                                                                                                                                      Jan 14, 2025 22:43:04.758183002 CET49844445192.168.2.839.85.39.1
                                                                                                                                      Jan 14, 2025 22:43:04.758270025 CET49844445192.168.2.839.85.39.1
                                                                                                                                      Jan 14, 2025 22:43:04.762937069 CET4454984439.85.39.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:04.763010979 CET4454984439.85.39.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:05.541675091 CET50031445192.168.2.8223.39.125.12
                                                                                                                                      Jan 14, 2025 22:43:05.546627045 CET44550031223.39.125.12192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:05.546698093 CET50031445192.168.2.8223.39.125.12
                                                                                                                                      Jan 14, 2025 22:43:05.546899080 CET50031445192.168.2.8223.39.125.12
                                                                                                                                      Jan 14, 2025 22:43:05.547142029 CET50032445192.168.2.8223.39.125.1
                                                                                                                                      Jan 14, 2025 22:43:05.551949978 CET44550032223.39.125.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:05.552058935 CET50032445192.168.2.8223.39.125.1
                                                                                                                                      Jan 14, 2025 22:43:05.552170038 CET50032445192.168.2.8223.39.125.1
                                                                                                                                      Jan 14, 2025 22:43:05.552818060 CET50033445192.168.2.8223.39.125.1
                                                                                                                                      Jan 14, 2025 22:43:05.554439068 CET44550031223.39.125.12192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:05.557687044 CET44550033223.39.125.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:05.557771921 CET50033445192.168.2.8223.39.125.1
                                                                                                                                      Jan 14, 2025 22:43:05.557926893 CET50033445192.168.2.8223.39.125.1
                                                                                                                                      Jan 14, 2025 22:43:05.558387995 CET44550032223.39.125.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:05.562807083 CET44550033223.39.125.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:05.567413092 CET44550031223.39.125.12192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:05.567492962 CET50031445192.168.2.8223.39.125.12
                                                                                                                                      Jan 14, 2025 22:43:05.567903996 CET44550032223.39.125.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:05.568006039 CET50032445192.168.2.8223.39.125.1
                                                                                                                                      Jan 14, 2025 22:43:05.777009010 CET50034445192.168.2.8121.134.74.1
                                                                                                                                      Jan 14, 2025 22:43:05.781907082 CET44550034121.134.74.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:05.782110929 CET50034445192.168.2.8121.134.74.1
                                                                                                                                      Jan 14, 2025 22:43:05.782190084 CET50034445192.168.2.8121.134.74.1
                                                                                                                                      Jan 14, 2025 22:43:05.786998034 CET44550034121.134.74.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:06.772443056 CET44549867209.76.99.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:06.772742033 CET49867445192.168.2.8209.76.99.1
                                                                                                                                      Jan 14, 2025 22:43:06.772778034 CET49867445192.168.2.8209.76.99.1
                                                                                                                                      Jan 14, 2025 22:43:06.772857904 CET49867445192.168.2.8209.76.99.1
                                                                                                                                      Jan 14, 2025 22:43:06.777576923 CET44549867209.76.99.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:06.777587891 CET44549867209.76.99.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:07.556395054 CET50035445192.168.2.8152.201.76.41
                                                                                                                                      Jan 14, 2025 22:43:07.561239958 CET44550035152.201.76.41192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:07.561372995 CET50035445192.168.2.8152.201.76.41
                                                                                                                                      Jan 14, 2025 22:43:07.561614990 CET50035445192.168.2.8152.201.76.41
                                                                                                                                      Jan 14, 2025 22:43:07.561748028 CET50036445192.168.2.8152.201.76.1
                                                                                                                                      Jan 14, 2025 22:43:07.566689014 CET44550036152.201.76.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:07.566833019 CET50036445192.168.2.8152.201.76.1
                                                                                                                                      Jan 14, 2025 22:43:07.566906929 CET50036445192.168.2.8152.201.76.1
                                                                                                                                      Jan 14, 2025 22:43:07.567244053 CET50037445192.168.2.8152.201.76.1
                                                                                                                                      Jan 14, 2025 22:43:07.567650080 CET44550035152.201.76.41192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:07.567725897 CET50035445192.168.2.8152.201.76.41
                                                                                                                                      Jan 14, 2025 22:43:07.571760893 CET44550036152.201.76.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:07.571839094 CET50036445192.168.2.8152.201.76.1
                                                                                                                                      Jan 14, 2025 22:43:07.572137117 CET44550037152.201.76.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:07.572222948 CET50037445192.168.2.8152.201.76.1
                                                                                                                                      Jan 14, 2025 22:43:07.572242022 CET50037445192.168.2.8152.201.76.1
                                                                                                                                      Jan 14, 2025 22:43:07.577065945 CET44550037152.201.76.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:07.759145021 CET50038445192.168.2.839.85.39.1
                                                                                                                                      Jan 14, 2025 22:43:07.764090061 CET4455003839.85.39.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:07.764220953 CET50038445192.168.2.839.85.39.1
                                                                                                                                      Jan 14, 2025 22:43:07.764375925 CET50038445192.168.2.839.85.39.1
                                                                                                                                      Jan 14, 2025 22:43:07.769177914 CET4455003839.85.39.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:08.776225090 CET445498926.99.0.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:08.776294947 CET49892445192.168.2.86.99.0.1
                                                                                                                                      Jan 14, 2025 22:43:08.776343107 CET49892445192.168.2.86.99.0.1
                                                                                                                                      Jan 14, 2025 22:43:08.776391029 CET49892445192.168.2.86.99.0.1
                                                                                                                                      Jan 14, 2025 22:43:08.781255007 CET445498926.99.0.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:08.781287909 CET445498926.99.0.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:09.431324005 CET50039445192.168.2.871.121.162.168
                                                                                                                                      Jan 14, 2025 22:43:09.436212063 CET4455003971.121.162.168192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:09.436316967 CET50039445192.168.2.871.121.162.168
                                                                                                                                      Jan 14, 2025 22:43:09.436459064 CET50039445192.168.2.871.121.162.168
                                                                                                                                      Jan 14, 2025 22:43:09.436651945 CET50040445192.168.2.871.121.162.1
                                                                                                                                      Jan 14, 2025 22:43:09.441270113 CET4455003971.121.162.168192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:09.441447973 CET50039445192.168.2.871.121.162.168
                                                                                                                                      Jan 14, 2025 22:43:09.441457987 CET4455004071.121.162.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:09.441540956 CET50040445192.168.2.871.121.162.1
                                                                                                                                      Jan 14, 2025 22:43:09.441601038 CET50040445192.168.2.871.121.162.1
                                                                                                                                      Jan 14, 2025 22:43:19.175668955 CET50066445192.168.2.8119.38.196.2
                                                                                                                                      Jan 14, 2025 22:43:19.180423021 CET44550066119.38.196.2192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:19.509430885 CET50067445192.168.2.827.219.109.201
                                                                                                                                      Jan 14, 2025 22:43:19.514378071 CET4455006727.219.109.201192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:19.514523029 CET50067445192.168.2.827.219.109.201
                                                                                                                                      Jan 14, 2025 22:43:19.514636993 CET50067445192.168.2.827.219.109.201
                                                                                                                                      Jan 14, 2025 22:43:19.514878988 CET50068445192.168.2.827.219.109.1
                                                                                                                                      Jan 14, 2025 22:43:19.519471884 CET4455006727.219.109.201192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:19.519562006 CET50067445192.168.2.827.219.109.201
                                                                                                                                      Jan 14, 2025 22:43:19.519619942 CET4455006827.219.109.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:19.519741058 CET50068445192.168.2.827.219.109.1
                                                                                                                                      Jan 14, 2025 22:43:19.520107031 CET50069445192.168.2.827.219.109.1
                                                                                                                                      Jan 14, 2025 22:43:19.520153999 CET50068445192.168.2.827.219.109.1
                                                                                                                                      Jan 14, 2025 22:43:19.524885893 CET4455006927.219.109.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:19.524933100 CET4455006827.219.109.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:19.524955988 CET50069445192.168.2.827.219.109.1
                                                                                                                                      Jan 14, 2025 22:43:19.524997950 CET50068445192.168.2.827.219.109.1
                                                                                                                                      Jan 14, 2025 22:43:19.525016069 CET50069445192.168.2.827.219.109.1
                                                                                                                                      Jan 14, 2025 22:43:19.529742002 CET4455006927.219.109.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:19.885798931 CET50071445192.168.2.878.135.150.1
                                                                                                                                      Jan 14, 2025 22:43:19.890726089 CET4455007178.135.150.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:19.890825033 CET50071445192.168.2.878.135.150.1
                                                                                                                                      Jan 14, 2025 22:43:19.952756882 CET50071445192.168.2.878.135.150.1
                                                                                                                                      Jan 14, 2025 22:43:19.957748890 CET4455007178.135.150.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:20.587611914 CET50072445192.168.2.8200.251.213.139
                                                                                                                                      Jan 14, 2025 22:43:20.592597008 CET44550072200.251.213.139192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:20.592722893 CET50072445192.168.2.8200.251.213.139
                                                                                                                                      Jan 14, 2025 22:43:20.592775106 CET50072445192.168.2.8200.251.213.139
                                                                                                                                      Jan 14, 2025 22:43:20.593003988 CET50073445192.168.2.8200.251.213.1
                                                                                                                                      Jan 14, 2025 22:43:20.597871065 CET44550073200.251.213.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:20.597943068 CET50073445192.168.2.8200.251.213.1
                                                                                                                                      Jan 14, 2025 22:43:20.597965002 CET50073445192.168.2.8200.251.213.1
                                                                                                                                      Jan 14, 2025 22:43:20.598095894 CET44550072200.251.213.139192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:20.598156929 CET50072445192.168.2.8200.251.213.139
                                                                                                                                      Jan 14, 2025 22:43:20.598216057 CET50074445192.168.2.8200.251.213.1
                                                                                                                                      Jan 14, 2025 22:43:20.603032112 CET44550074200.251.213.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:20.603092909 CET50074445192.168.2.8200.251.213.1
                                                                                                                                      Jan 14, 2025 22:43:20.603123903 CET50074445192.168.2.8200.251.213.1
                                                                                                                                      Jan 14, 2025 22:43:20.603343964 CET44550073200.251.213.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:20.603396893 CET50073445192.168.2.8200.251.213.1
                                                                                                                                      Jan 14, 2025 22:43:20.607940912 CET44550074200.251.213.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:20.903846025 CET44550021129.31.49.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:20.903934002 CET50021445192.168.2.8129.31.49.1
                                                                                                                                      Jan 14, 2025 22:43:20.903934002 CET50021445192.168.2.8129.31.49.1
                                                                                                                                      Jan 14, 2025 22:43:20.904002905 CET50021445192.168.2.8129.31.49.1
                                                                                                                                      Jan 14, 2025 22:43:20.908787012 CET44550021129.31.49.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:20.908797979 CET44550021129.31.49.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:21.055855036 CET4455002263.85.204.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:21.055912018 CET50022445192.168.2.863.85.204.1
                                                                                                                                      Jan 14, 2025 22:43:21.055994987 CET50022445192.168.2.863.85.204.1
                                                                                                                                      Jan 14, 2025 22:43:21.056129932 CET50022445192.168.2.863.85.204.1
                                                                                                                                      Jan 14, 2025 22:43:21.060936928 CET4455002263.85.204.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:21.061266899 CET4455002263.85.204.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:21.118716002 CET50075445192.168.2.863.85.204.2
                                                                                                                                      Jan 14, 2025 22:43:21.123610020 CET4455007563.85.204.2192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:21.126759052 CET50075445192.168.2.863.85.204.2
                                                                                                                                      Jan 14, 2025 22:43:21.126796961 CET50075445192.168.2.863.85.204.2
                                                                                                                                      Jan 14, 2025 22:43:21.127161026 CET50076445192.168.2.863.85.204.2
                                                                                                                                      Jan 14, 2025 22:43:21.131772041 CET4455007563.85.204.2192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:21.132044077 CET4455007663.85.204.2192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:21.132102013 CET50075445192.168.2.863.85.204.2
                                                                                                                                      Jan 14, 2025 22:43:21.132143021 CET50076445192.168.2.863.85.204.2
                                                                                                                                      Jan 14, 2025 22:43:21.132258892 CET50076445192.168.2.863.85.204.2
                                                                                                                                      Jan 14, 2025 22:43:21.136981964 CET4455007663.85.204.2192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:21.603666067 CET50077445192.168.2.8207.219.89.51
                                                                                                                                      Jan 14, 2025 22:43:21.608525991 CET44550077207.219.89.51192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:21.608639002 CET50077445192.168.2.8207.219.89.51
                                                                                                                                      Jan 14, 2025 22:43:21.608639002 CET50077445192.168.2.8207.219.89.51
                                                                                                                                      Jan 14, 2025 22:43:21.608750105 CET50078445192.168.2.8207.219.89.1
                                                                                                                                      Jan 14, 2025 22:43:21.613532066 CET44550078207.219.89.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:21.613609076 CET50078445192.168.2.8207.219.89.1
                                                                                                                                      Jan 14, 2025 22:43:21.613677979 CET44550077207.219.89.51192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:21.613702059 CET50078445192.168.2.8207.219.89.1
                                                                                                                                      Jan 14, 2025 22:43:21.613883972 CET50077445192.168.2.8207.219.89.51
                                                                                                                                      Jan 14, 2025 22:43:21.613929033 CET50079445192.168.2.8207.219.89.1
                                                                                                                                      Jan 14, 2025 22:43:21.618750095 CET44550078207.219.89.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:21.618762970 CET44550079207.219.89.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:21.618808031 CET50078445192.168.2.8207.219.89.1
                                                                                                                                      Jan 14, 2025 22:43:21.618837118 CET50079445192.168.2.8207.219.89.1
                                                                                                                                      Jan 14, 2025 22:43:21.618865967 CET50079445192.168.2.8207.219.89.1
                                                                                                                                      Jan 14, 2025 22:43:21.623627901 CET44550079207.219.89.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:21.852842093 CET50080445192.168.2.863.102.247.1
                                                                                                                                      Jan 14, 2025 22:43:21.857683897 CET4455008063.102.247.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:21.860563040 CET50080445192.168.2.863.102.247.1
                                                                                                                                      Jan 14, 2025 22:43:21.860594988 CET50080445192.168.2.863.102.247.1
                                                                                                                                      Jan 14, 2025 22:43:21.865351915 CET4455008063.102.247.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:22.540555954 CET50081445192.168.2.8150.245.56.123
                                                                                                                                      Jan 14, 2025 22:43:22.545383930 CET44550081150.245.56.123192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:22.545504093 CET50081445192.168.2.8150.245.56.123
                                                                                                                                      Jan 14, 2025 22:43:22.545541048 CET50081445192.168.2.8150.245.56.123
                                                                                                                                      Jan 14, 2025 22:43:22.545698881 CET50082445192.168.2.8150.245.56.1
                                                                                                                                      Jan 14, 2025 22:43:22.550400972 CET44550081150.245.56.123192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:22.550534964 CET44550082150.245.56.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:22.550719023 CET50082445192.168.2.8150.245.56.1
                                                                                                                                      Jan 14, 2025 22:43:22.550745010 CET50082445192.168.2.8150.245.56.1
                                                                                                                                      Jan 14, 2025 22:43:22.551114082 CET50083445192.168.2.8150.245.56.1
                                                                                                                                      Jan 14, 2025 22:43:22.556463003 CET44550083150.245.56.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:22.556581020 CET50083445192.168.2.8150.245.56.1
                                                                                                                                      Jan 14, 2025 22:43:22.556581020 CET50083445192.168.2.8150.245.56.1
                                                                                                                                      Jan 14, 2025 22:43:22.558765888 CET44550082150.245.56.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:22.561563969 CET44550083150.245.56.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:22.567682028 CET44550081150.245.56.123192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:22.567806005 CET50081445192.168.2.8150.245.56.123
                                                                                                                                      Jan 14, 2025 22:43:22.567975998 CET44550082150.245.56.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:22.568025112 CET50082445192.168.2.8150.245.56.1
                                                                                                                                      Jan 14, 2025 22:43:22.882258892 CET4455002525.106.82.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:22.882390976 CET50025445192.168.2.825.106.82.1
                                                                                                                                      Jan 14, 2025 22:43:22.894073963 CET50025445192.168.2.825.106.82.1
                                                                                                                                      Jan 14, 2025 22:43:22.894128084 CET50025445192.168.2.825.106.82.1
                                                                                                                                      Jan 14, 2025 22:43:22.899141073 CET4455002525.106.82.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:22.899158955 CET4455002525.106.82.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:23.210807085 CET4455002683.249.153.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:23.210911036 CET50026445192.168.2.883.249.153.1
                                                                                                                                      Jan 14, 2025 22:43:23.210982084 CET50026445192.168.2.883.249.153.1
                                                                                                                                      Jan 14, 2025 22:43:23.211049080 CET50026445192.168.2.883.249.153.1
                                                                                                                                      Jan 14, 2025 22:43:23.215807915 CET4455002683.249.153.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:23.215847969 CET4455002683.249.153.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:23.274826050 CET50084445192.168.2.883.249.153.2
                                                                                                                                      Jan 14, 2025 22:43:23.279763937 CET4455008483.249.153.2192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:23.279874086 CET50084445192.168.2.883.249.153.2
                                                                                                                                      Jan 14, 2025 22:43:23.279961109 CET50084445192.168.2.883.249.153.2
                                                                                                                                      Jan 14, 2025 22:43:23.280291080 CET50085445192.168.2.883.249.153.2
                                                                                                                                      Jan 14, 2025 22:43:23.284852028 CET4455008483.249.153.2192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:23.284914017 CET50084445192.168.2.883.249.153.2
                                                                                                                                      Jan 14, 2025 22:43:23.285135984 CET4455008583.249.153.2192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:23.285201073 CET50085445192.168.2.883.249.153.2
                                                                                                                                      Jan 14, 2025 22:43:23.285240889 CET50085445192.168.2.883.249.153.2
                                                                                                                                      Jan 14, 2025 22:43:23.290044069 CET4455008583.249.153.2192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:23.416024923 CET50086445192.168.2.8221.5.28.201
                                                                                                                                      Jan 14, 2025 22:43:23.420882940 CET44550086221.5.28.201192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:23.420957088 CET50086445192.168.2.8221.5.28.201
                                                                                                                                      Jan 14, 2025 22:43:23.424184084 CET50086445192.168.2.8221.5.28.201
                                                                                                                                      Jan 14, 2025 22:43:23.424565077 CET50087445192.168.2.8221.5.28.1
                                                                                                                                      Jan 14, 2025 22:43:23.429425001 CET44550086221.5.28.201192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:23.429475069 CET50086445192.168.2.8221.5.28.201
                                                                                                                                      Jan 14, 2025 22:43:23.429737091 CET44550087221.5.28.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:23.429785967 CET50087445192.168.2.8221.5.28.1
                                                                                                                                      Jan 14, 2025 22:43:23.432369947 CET50087445192.168.2.8221.5.28.1
                                                                                                                                      Jan 14, 2025 22:43:23.437256098 CET44550087221.5.28.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:33.859273911 CET50190445192.168.2.871.121.162.1
                                                                                                                                      Jan 14, 2025 22:43:33.861896038 CET50190445192.168.2.871.121.162.1
                                                                                                                                      Jan 14, 2025 22:43:33.867568016 CET4455019071.121.162.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:34.214068890 CET4455004990.207.146.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:34.214133978 CET50049445192.168.2.890.207.146.1
                                                                                                                                      Jan 14, 2025 22:43:34.214174986 CET50049445192.168.2.890.207.146.1
                                                                                                                                      Jan 14, 2025 22:43:34.214212894 CET50049445192.168.2.890.207.146.1
                                                                                                                                      Jan 14, 2025 22:43:34.219007015 CET4455004990.207.146.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:34.219016075 CET4455004990.207.146.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:35.163651943 CET44550050169.120.240.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:35.164601088 CET50050445192.168.2.8169.120.240.1
                                                                                                                                      Jan 14, 2025 22:43:35.164640903 CET50050445192.168.2.8169.120.240.1
                                                                                                                                      Jan 14, 2025 22:43:35.164691925 CET50050445192.168.2.8169.120.240.1
                                                                                                                                      Jan 14, 2025 22:43:35.169518948 CET44550050169.120.240.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:35.169553995 CET44550050169.120.240.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:35.235527039 CET50241445192.168.2.8169.120.240.2
                                                                                                                                      Jan 14, 2025 22:43:35.241796970 CET44550241169.120.240.2192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:35.242800951 CET50241445192.168.2.8169.120.240.2
                                                                                                                                      Jan 14, 2025 22:43:35.243016958 CET50241445192.168.2.8169.120.240.2
                                                                                                                                      Jan 14, 2025 22:43:35.243428946 CET50243445192.168.2.8169.120.240.2
                                                                                                                                      Jan 14, 2025 22:43:35.248847008 CET44550241169.120.240.2192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:35.249519110 CET44550243169.120.240.2192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:35.249703884 CET50241445192.168.2.8169.120.240.2
                                                                                                                                      Jan 14, 2025 22:43:35.249747038 CET50243445192.168.2.8169.120.240.2
                                                                                                                                      Jan 14, 2025 22:43:35.249813080 CET50243445192.168.2.8169.120.240.2
                                                                                                                                      Jan 14, 2025 22:43:35.255364895 CET44550243169.120.240.2192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:35.587088108 CET50258445192.168.2.857.79.44.1
                                                                                                                                      Jan 14, 2025 22:43:35.592047930 CET4455025857.79.44.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:35.592178106 CET50258445192.168.2.857.79.44.1
                                                                                                                                      Jan 14, 2025 22:43:35.592195034 CET50258445192.168.2.857.79.44.1
                                                                                                                                      Jan 14, 2025 22:43:35.596952915 CET4455025857.79.44.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:35.756743908 CET44550053197.208.96.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:35.756820917 CET50053445192.168.2.8197.208.96.1
                                                                                                                                      Jan 14, 2025 22:43:35.756890059 CET50053445192.168.2.8197.208.96.1
                                                                                                                                      Jan 14, 2025 22:43:35.756928921 CET50053445192.168.2.8197.208.96.1
                                                                                                                                      Jan 14, 2025 22:43:35.761697054 CET44550053197.208.96.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:35.761708021 CET44550053197.208.96.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:37.148189068 CET4455005460.253.184.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:37.148241997 CET50054445192.168.2.860.253.184.1
                                                                                                                                      Jan 14, 2025 22:43:37.148653984 CET44550057142.195.63.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:37.148694992 CET50057445192.168.2.8142.195.63.1
                                                                                                                                      Jan 14, 2025 22:43:38.478559017 CET44550060109.225.95.1192.168.2.8
                                                                                                                                      Jan 14, 2025 22:43:38.478612900 CET50060445192.168.2.8109.225.95.1
                                                                                                                                      Jan 14, 2025 22:43:38.556391001 CET50066445192.168.2.8119.38.196.2
                                                                                                                                      Jan 14, 2025 22:43:38.556435108 CET50085445192.168.2.883.249.153.2
                                                                                                                                      Jan 14, 2025 22:43:38.556458950 CET50076445192.168.2.863.85.204.2
                                                                                                                                      Jan 14, 2025 22:43:38.556498051 CET50104445192.168.2.8121.134.74.2
                                                                                                                                      Jan 14, 2025 22:43:38.556571007 CET50149445192.168.2.8152.201.76.1
                                                                                                                                      Jan 14, 2025 22:43:38.556610107 CET50139445192.168.2.8209.76.99.2
                                                                                                                                      Jan 14, 2025 22:43:38.556684017 CET50117445192.168.2.839.85.39.2
                                                                                                                                      Jan 14, 2025 22:43:38.556684017 CET50097445192.168.2.827.108.78.2
                                                                                                                                      Jan 14, 2025 22:43:38.556708097 CET50054445192.168.2.860.253.184.1
                                                                                                                                      Jan 14, 2025 22:43:38.556727886 CET50057445192.168.2.8142.195.63.1
                                                                                                                                      Jan 14, 2025 22:43:38.556747913 CET50060445192.168.2.8109.225.95.1
                                                                                                                                      Jan 14, 2025 22:43:38.556781054 CET50061445192.168.2.8128.38.222.1
                                                                                                                                      Jan 14, 2025 22:43:38.556806087 CET50064445192.168.2.8158.206.214.1
                                                                                                                                      Jan 14, 2025 22:43:38.556838036 CET50069445192.168.2.827.219.109.1
                                                                                                                                      Jan 14, 2025 22:43:38.556874037 CET50071445192.168.2.878.135.150.1
                                                                                                                                      Jan 14, 2025 22:43:38.556915998 CET50079445192.168.2.8207.219.89.1
                                                                                                                                      Jan 14, 2025 22:43:38.556919098 CET50074445192.168.2.8200.251.213.1
                                                                                                                                      Jan 14, 2025 22:43:38.556952953 CET50080445192.168.2.863.102.247.1
                                                                                                                                      Jan 14, 2025 22:43:38.556961060 CET50083445192.168.2.8150.245.56.1
                                                                                                                                      Jan 14, 2025 22:43:38.556983948 CET50088445192.168.2.8221.5.28.1
                                                                                                                                      Jan 14, 2025 22:43:38.557013988 CET50089445192.168.2.8129.31.49.1
                                                                                                                                      Jan 14, 2025 22:43:38.557039976 CET50092445192.168.2.856.59.202.1
                                                                                                                                      Jan 14, 2025 22:43:38.557069063 CET50095445192.168.2.8124.35.234.1
                                                                                                                                      Jan 14, 2025 22:43:38.557086945 CET50099445192.168.2.825.106.82.1
                                                                                                                                      Jan 14, 2025 22:43:38.557118893 CET50107445192.168.2.8157.193.184.1
                                                                                                                                      Jan 14, 2025 22:43:38.557146072 CET50124445192.168.2.8223.39.125.1
                                                                                                                                      Jan 14, 2025 22:43:38.557183981 CET50190445192.168.2.871.121.162.1
                                                                                                                                      Jan 14, 2025 22:43:38.557200909 CET50176445192.168.2.86.99.0.2
                                                                                                                                      Jan 14, 2025 22:43:38.557370901 CET50243445192.168.2.8169.120.240.2
                                                                                                                                      Jan 14, 2025 22:43:38.557478905 CET50258445192.168.2.857.79.44.1
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 14, 2025 22:42:29.157188892 CET | 49256 | 53 | 192.168.2.8 | 1.1.1.1
Jan 14, 2025 22:42:29.463646889 CET | 53 | 49256 | 1.1.1.1 | 192.168.2.8
Jan 14, 2025 22:42:30.199434042 CET | 54332 | 53 | 192.168.2.8 | 1.1.1.1
Jan 14, 2025 22:42:30.380831957 CET | 53 | 54332 | 1.1.1.1 | 192.168.2.8
Jan 14, 2025 22:43:01.187864065 CET | 138 | 138 | 192.168.2.8 | 192.168.2.255
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 14, 2025 22:42:29.157188892 CET | 192.168.2.8 | 1.1.1.1 | 0x897a | Standard query (0) | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | A (IP address) | IN (0x0001) | false
Jan 14, 2025 22:42:30.199434042 CET | 192.168.2.8 | 1.1.1.1 | 0x76a6 | Standard query (0) | ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 14, 2025 22:42:29.463646889 CET | 1.1.1.1 | 192.168.2.8 | 0x897a | No error (0) | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com |  | 103.224.212.215 | A (IP address) | IN (0x0001) | false
Jan 14, 2025 22:42:30.380831957 CET | 1.1.1.1 | 192.168.2.8 | 0x76a6 | No error (0) | ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | 77026.bodis.com |  | CNAME (Canonical name) | IN (0x0001) | false
Jan 14, 2025 22:42:30.380831957 CET | 1.1.1.1 | 192.168.2.8 | 0x76a6 | No error (0) | 77026.bodis.com |  | 199.59.243.228 | A (IP address) | IN (0x0001) | false
• www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
• ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49707 | 103.224.212.215 | 80 | 5944 | C:\Windows\mssecsvr.exe
Timestamp | Bytes transferred | Direction | Data
Jan 14, 2025 22:42:29.477104902 CET | 100 | OUT | GET / HTTP/1.1
Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Cache-Control: no-cache
Jan 14, 2025 22:42:30.076818943 CET | 365 | IN | HTTP/1.1 302 Found
date: Tue, 14 Jan 2025 21:42:30 GMT
server: Apache
set-cookie: __tad=1736890950.7011300; expires=Fri, 12-Jan-2035 21:42:30 GMT; Max-Age=315360000
location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0842-3096-a478-d7c464a3f0ca
content-length: 2
content-type: text/html; charset=UTF-8
connection: close
Data Raw: 0a 0a
Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49708 | 199.59.243.228 | 80 | 5944 | C:\Windows\mssecsvr.exe
Timestamp | Bytes transferred | Direction | Data
Jan 14, 2025 22:42:30.387044907 CET | 169 | OUT | GET /?subid1=20250115-0842-3096-a478-d7c464a3f0ca HTTP/1.1
Cache-Control: no-cache
Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Connection: Keep-Alive
Jan 14, 2025 22:42:30.843998909 CET | 1236 | IN | HTTP/1.1 200 OK
date: Tue, 14 Jan 2025 21:42:30 GMT
content-type: text/html; charset=utf-8
content-length: 1262
x-request-id: 215a8bf8-0e2d-4579-a9e0-ffb15187690d
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_K3y7p1ab8I+98kmYRIbWeLuzRY8iEMJ6IGUKN8ufGTs4Kv2r/0clZperG8XTr4m8ifXGlZMyl5d7DnDO0Vyrew==
set-cookie: parking_session=215a8bf8-0e2d-4579-a9e0-ffb15187690d; expires=Tue, 14 Jan 2025 21:57:30 GMT; path=/
Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_K3y7p1ab8I+98kmYRIbWeLuzRY8iEMJ6IGUKN8ufGTs4Kv2r/0clZperG8XTr4m8ifXGlZMyl5d7DnDO0Vyrew==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Jan 14, 2025 22:42:30.844014883 CET | 696 | IN |
Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMjE1YThiZjgtMGUyZC00NTc5LWE5ZTAtZmZiMTUxODc2OTBkIiwicGFnZV90aW1lIjoxNzM2ODkwOTUwLCJwYWdlX3VybCI6I


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.8 | 49709 | 103.224.212.215 | 80 | 6552 | C:\Windows\mssecsvr.exe
Timestamp | Bytes transferred | Direction | Data
Jan 14, 2025 22:42:32.108426094 CET | 100 | OUT | GET / HTTP/1.1
Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Cache-Control: no-cache
Jan 14, 2025 22:42:32.744865894 CET | 365 | IN | HTTP/1.1 302 Found
date: Tue, 14 Jan 2025 21:42:32 GMT
server: Apache
set-cookie: __tad=1736890952.3577693; expires=Fri, 12-Jan-2035 21:42:32 GMT; Max-Age=315360000
location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0842-3207-bd07-6551d635081d
content-length: 2
content-type: text/html; charset=UTF-8
connection: close
Data Raw: 0a 0a
Data Ascii:


Session ID: 3
Source IP: 192.168.2.8  Source Port: 49710
Destination IP: 103.224.212.215  Destination Port: 80
PID: 6720  Process: C:\Windows\mssecsvr.exe

Timestamp: Jan 14, 2025 22:42:32.109003067 CET  Bytes transferred: 134  Direction: OUT
Data:
GET / HTTP/1.1
Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Cache-Control: no-cache
Cookie: __tad=1736890950.7011300
Timestamp: Jan 14, 2025 22:42:32.733532906 CET  Bytes transferred: 269  Direction: IN
Data:
HTTP/1.1 302 Found
date: Tue, 14 Jan 2025 21:42:32 GMT
server: Apache
location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0842-32cc-b361-86c8884a5eaf
content-length: 2
content-type: text/html; charset=UTF-8
connection: close
Data Raw: 0a 0a
Data Ascii: (two line feeds)


Session ID: 4
Source IP: 192.168.2.8  Source Port: 49711
Destination IP: 199.59.243.228  Destination Port: 80
PID: 6720  Process: C:\Windows\mssecsvr.exe

Timestamp: Jan 14, 2025 22:42:32.743974924 CET  Bytes transferred: 231  Direction: OUT
Data:
GET /?subid1=20250115-0842-32cc-b361-86c8884a5eaf HTTP/1.1
Cache-Control: no-cache
Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Connection: Keep-Alive
Cookie: parking_session=215a8bf8-0e2d-4579-a9e0-ffb15187690d
Timestamp: Jan 14, 2025 22:42:33.219224930 CET  Bytes transferred: 1236  Direction: IN
Data:
HTTP/1.1 200 OK
date: Tue, 14 Jan 2025 21:42:32 GMT
content-type: text/html; charset=utf-8
content-length: 1262
x-request-id: 5daf90bf-4299-4e7e-9d5e-e1b15daf8828
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_jmdmAvMt5r0bNYldCB/oebECAkGLoYQlpTX7KFxHupNuseYKwakVD5oAqLao6OOi5RkqKsmmt+MLV1MAqOgWpA==
set-cookie: parking_session=215a8bf8-0e2d-4579-a9e0-ffb15187690d; expires=Tue, 14 Jan 2025 21:57:33 GMT
                                                                                                                                      Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 6a 6d 64 6d 41 76 4d 74 35 72 30 62 4e 59 6c 64 43 42 2f 6f 65 62 45 43 41 6b 47 4c 6f 59 51 6c 70 54 58 37 4b 46 78 48 75 70 4e 75 73 65 59 4b 77 61 6b 56 44 35 6f 41 71 4c 61 6f 36 4f 4f 69 35 52 6b 71 4b 73 6d 6d 74 2b 4d 4c 56 31 4d 41 71 4f 67 57 70 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                                                                                      Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_jmdmAvMt5r0bNYldCB/oebECAkGLoYQlpTX7KFxHupNuseYKwakVD5oAqLao6OOi5RkqKsmmt+MLV1MAqOgWpA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="preconnect
Timestamp: Jan 14, 2025 22:42:33.219248056 CET  Bytes transferred: 688  Direction: IN
Data Raw: 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 74 22 20 73 74 79 6c 65
Data Ascii: " href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMjE1YThiZjgtMGUyZC00NTc5LWE5ZTAtZmZiMTUxODc2OTBkIiwicGFnZV90aW1lIjoxNzM2ODkwOTUzLCJwYWdlX3VybCI6Imh0dHA6L


Session ID: 5
Source IP: 192.168.2.8  Source Port: 49712
Destination IP: 199.59.243.228  Destination Port: 80
PID: 6552  Process: C:\Windows\mssecsvr.exe

Timestamp: Jan 14, 2025 22:42:32.753730059 CET  Bytes transferred: 169  Direction: OUT
Data:
GET /?subid1=20250115-0842-3207-bd07-6551d635081d HTTP/1.1
Cache-Control: no-cache
Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Connection: Keep-Alive
Timestamp: Jan 14, 2025 22:42:33.227669001 CET  Bytes transferred: 1236  Direction: IN
Data:
HTTP/1.1 200 OK
date: Tue, 14 Jan 2025 21:42:32 GMT
content-type: text/html; charset=utf-8
content-length: 1262
x-request-id: 0efd4eba-f1fe-43cd-b341-8950f1c2846c
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_JDoOSsl0Nm7PqpZNOv/MvpkKi45P8YYFUxqfijWWma1bYVgb2w8TaB+3EYIlQV/egIdcIOBwpr03f8DuN3P3hg==
set-cookie: parking_session=0efd4eba-f1fe-43cd-b341-8950f1c2846c; expires=Tue, 14 Jan 2025 21:57:33 GMT; path=/
                                                                                                                                      Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 4a 44 6f 4f 53 73 6c 30 4e 6d 37 50 71 70 5a 4e 4f 76 2f 4d 76 70 6b 4b 69 34 35 50 38 59 59 46 55 78 71 66 69 6a 57 57 6d 61 31 62 59 56 67 62 32 77 38 54 61 42 2b 33 45 59 49 6c 51 56 2f 65 67 49 64 63 49 4f 42 77 70 72 30 33 66 38 44 75 4e 33 50 33 68 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                                                                                      Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_JDoOSsl0Nm7PqpZNOv/MvpkKi45P8YYFUxqfijWWma1bYVgb2w8TaB+3EYIlQV/egIdcIOBwpr03f8DuN3P3hg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Timestamp: Jan 14, 2025 22:42:33.227699041 CET  Bytes transferred: 696  Direction: IN
Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65
Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMGVmZDRlYmEtZjFmZS00M2NkLWIzNDEtODk1MGYxYzI4NDZjIiwicGFnZV90aW1lIjoxNzM2ODkwOTUzLCJwYWdlX3VybCI6I
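An added example, not code from the Joe Sandbox report: a small Python triage script over HTTP session records like the ones above. The sample log inside it is constructed from the session 3 and 4 request/response headers shown in this report, rendered in a simplified one-record-per-line layout rather than the report's table, and the record layout, the KILLSWITCH_DOMAINS set and the finding names are the example's own assumptions. It pairs each request with its response and flags the three things a responder would want from these sessions: a GET to the WannaCry kill-switch domain and whether it got a 2xx/3xx answer (WannaCry's dropper exits when that fetch succeeds and only spreads when it fails; here the domain is parked and answers 302, and sessions 4 and 5 show the redirect being followed), requests with no User-Agent header (none of the GETs above send one, unlike a browser), and an executable sitting directly in C:\Windows rather than a system subdirectory.

```python
"""Triage HTTP sessions from a sandbox network log (added example, not sandbox code)."""
import re
from dataclasses import dataclass, field

# Kill-switch domain observed in this report. mssecsvr.exe exits when the GET
# to it succeeds, so "reachable" means the payload branch should NOT run.
KILLSWITCH_DOMAINS = {"www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com"}

# Assumed one-line session record and frame layout (not the report's table).
SESSION_RE = re.compile(
    r"^Session (?P<sid>\d+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
    r" pid=(?P<pid>\d+) (?P<proc>\S.*)$"
)
FRAME_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<bytes>\d+) (?P<dir>OUT|IN)$")


@dataclass
class Session:
    sid: int
    dst: str
    dport: int
    pid: int
    process: str
    request: list = field(default_factory=list)   # request line + headers
    response: list = field(default_factory=list)  # status line + headers


def parse_log(text: str) -> list:
    """Group request/response header lines under their session record."""
    sessions, current, sink = [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if m := SESSION_RE.match(line):
            current = Session(int(m["sid"]), m["dst"], int(m["dport"]), int(m["pid"]), m["proc"])
            sessions.append(current)
            sink = None
        elif (m := FRAME_RE.match(line)) and current is not None:
            sink = current.request if m["dir"] == "OUT" else current.response
        elif sink is not None:
            sink.append(line)
    return sessions


def header(lines, name):
    """Case-insensitive header lookup; lines[0] is the request or status line."""
    for l in lines[1:]:
        k, sep, v = l.partition(":")
        if sep and k.strip().lower() == name.lower():
            return v.strip()
    return None


def status_code(lines):
    parts = lines[0].split() if lines else []
    return int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None


def assess(s: Session) -> dict:
    host = header(s.request, "Host") or ""
    code = status_code(s.response)
    findings = []
    if host in KILLSWITCH_DOMAINS:
        # Any 2xx/3xx counts as success for the dropper; a parked domain's 302 qualifies.
        findings.append("killswitch-reachable" if code and code < 400 else "killswitch-unreachable")
    if header(s.request, "User-Agent") is None:
        findings.append("no-user-agent")  # bare WinINet-style request, not a browser
    proc = s.process.lower()
    if proc.startswith("c:\\windows\\") and "\\" not in proc[len("c:\\windows\\"):]:
        findings.append("exe-directly-under-windows")  # dropped binary, not a system subdirectory
    return {"session": s.sid, "pid": s.pid, "host": host, "status": code, "findings": findings}


# Constructed from the session 3 and 4 headers in this report.
SAMPLE_LOG = r"""
Session 3 192.168.2.8:49710 -> 103.224.212.215:80 pid=6720 C:\Windows\mssecsvr.exe
[Jan 14, 2025 22:42:32.109003067 CET] 134 OUT
GET / HTTP/1.1
Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Cache-Control: no-cache
[Jan 14, 2025 22:42:32.733532906 CET] 269 IN
HTTP/1.1 302 Found
server: Apache
location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0842-32cc-b361-86c8884a5eaf
Session 4 192.168.2.8:49711 -> 199.59.243.228:80 pid=6720 C:\Windows\mssecsvr.exe
[Jan 14, 2025 22:42:32.743974924 CET] 231 OUT
GET /?subid1=20250115-0842-32cc-b361-86c8884a5eaf HTTP/1.1
Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Connection: Keep-Alive
[Jan 14, 2025 22:42:33.219224930 CET] 1236 IN
HTTP/1.1 200 OK
content-type: text/html; charset=utf-8
"""


def triage(text: str = SAMPLE_LOG) -> list:
    return [assess(s) for s in parse_log(text)]


if __name__ == "__main__":
    for result in triage():
        print(result)
```

The redirect target (session 4) is deliberately not in KILLSWITCH_DOMAINS: the kill-switch decision is made on the first GET, and the follow-up to the ww25 host is just WinINet following the Location header. Treat "killswitch-unreachable" as the alarming outcome in a real environment, since it is the branch in which the sample continues.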


                                                                                                                                      Target ID:0
                                                                                                                                      Start time:16:42:27
                                                                                                                                      Start date:14/01/2025
                                                                                                                                      Path:C:\Windows\System32\loaddll32.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:loaddll32.exe "C:\Users\user\Desktop\ruXU7wj3X9.dll"
                                                                                                                                      Imagebase:0x3e0000
                                                                                                                                      File size:126'464 bytes
                                                                                                                                      MD5 hash:51E6071F9CBA48E79F10C84515AAE618
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:high
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:1
                                                                                                                                      Start time:16:42:27
                                                                                                                                      Start date:14/01/2025
                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                      Imagebase:0x7ff6ee680000
                                                                                                                                      File size:862'208 bytes
                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:high
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:2
                                                                                                                                      Start time:16:42:27
                                                                                                                                      Start date:14/01/2025
                                                                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ruXU7wj3X9.dll",#1
                                                                                                                                      Imagebase:0xa40000
                                                                                                                                      File size:236'544 bytes
                                                                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:high
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:3
                                                                                                                                      Start time:16:42:27
                                                                                                                                      Start date:14/01/2025
                                                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:rundll32.exe C:\Users\user\Desktop\ruXU7wj3X9.dll,PlayGame
                                                                                                                                      Imagebase:0x2c0000
                                                                                                                                      File size:61'440 bytes
                                                                                                                                      MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:high
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:4
                                                                                                                                      Start time:16:42:27
                                                                                                                                      Start date:14/01/2025
                                                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:rundll32.exe "C:\Users\user\Desktop\ruXU7wj3X9.dll",#1
                                                                                                                                      Imagebase:0x2c0000
                                                                                                                                      File size:61'440 bytes
                                                                                                                                      MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:high
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:6
                                                                                                                                      Start time:16:42:27
                                                                                                                                      Start date:14/01/2025
                                                                                                                                      Path:C:\Windows\mssecsvr.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:C:\WINDOWS\mssecsvr.exe
                                                                                                                                      Imagebase:0x400000
                                                                                                                                      File size:2'281'472 bytes
                                                                                                                                      MD5 hash:B15FB425B628062A7BB0F11DBAECF4AC
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Yara matches:
                                                                                                                                      • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.1583712259.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.1534389465.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.1534540990.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                                                                                      • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000000.1534540990.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                                                                                                                      • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.1583843452.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                                                                                      • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000002.1583843452.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                                                                                                                      • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\mssecsvr.exe, Author: Joe Security
                                                                                                                                      • Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvr.exe, Author: Florian Roth (with the help of binar.ly)
                                                                                                                                      • Rule: WannaCry_Ransomware_Gen, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvr.exe, Author: Florian Roth (based on rule by US CERT)
                                                                                                                                      • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\mssecsvr.exe, Author: us-cert code analysis team
                                                                                                                                      Antivirus matches:
                                                                                                                                      • Detection: 100%, Avira
                                                                                                                                      • Detection: 100%, Joe Sandbox ML
                                                                                                                                      Reputation:low
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:8
                                                                                                                                      Start time:16:42:30
                                                                                                                                      Start date:14/01/2025
                                                                                                                                      Path:C:\Windows\mssecsvr.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:C:\WINDOWS\mssecsvr.exe -m security
                                                                                                                                      Imagebase:0x400000
                                                                                                                                      File size:2'281'472 bytes
                                                                                                                                      MD5 hash:B15FB425B628062A7BB0F11DBAECF4AC
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Yara matches:
                                                                                                                                      • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2223330577.000000000042E000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000000.1560048220.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000000.1560193255.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                                                                                      • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000000.1560193255.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                                                                                                                      • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2225953882.0000000001D59000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000002.2225953882.0000000001D59000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team
                                                                                                                                      • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2223913366.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                                                                                      • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000002.2223913366.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                                                                                                                      • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2226237017.0000000002282000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000002.2226237017.0000000002282000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team
                                                                                                                                      Reputation:low
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:9
                                                                                                                                      Start time:16:42:30
                                                                                                                                      Start date:14/01/2025
                                                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:rundll32.exe "C:\Users\user\Desktop\ruXU7wj3X9.dll",PlayGame
                                                                                                                                      Imagebase:0x2c0000
                                                                                                                                      File size:61'440 bytes
                                                                                                                                      MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:high
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:10
                                                                                                                                      Start time:16:42:30
                                                                                                                                      Start date:14/01/2025
                                                                                                                                      Path:C:\Windows\mssecsvr.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:C:\WINDOWS\mssecsvr.exe
                                                                                                                                      Imagebase:0x400000
                                                                                                                                      File size:2'281'472 bytes
                                                                                                                                      MD5 hash:B15FB425B628062A7BB0F11DBAECF4AC
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Yara matches:
                                                                                                                                      • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000A.00000002.1584683802.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000A.00000000.1562813019.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000A.00000000.1562935692.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                                                                                      • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000A.00000000.1562935692.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                                                                                                                      • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000A.00000002.1584859851.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                                                                                      • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000A.00000002.1584859851.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                                                                                                                      Reputation:low
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:11
                                                                                                                                      Start time:16:42:32
                                                                                                                                      Start date:14/01/2025
                                                                                                                                      Path:C:\Windows\tasksche.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:C:\WINDOWS\tasksche.exe /i
                                                                                                                                      Imagebase:0x400000
                                                                                                                                      File size:2'061'938 bytes
                                                                                                                                      MD5 hash:41C0E22D28973F312DE789C027E61D0C
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Yara matches:
                                                                                                                                      • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Author: us-cert code analysis team
                                                                                                                                      • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000B.00000000.1584094306.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Author: us-cert code analysis team
                                                                                                                                      • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\tasksche.exe, Author: Joe Security
                                                                                                                                      • Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly)
                                                                                                                                      • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team
                                                                                                                                      Antivirus matches:
                                                                                                                                      • Detection: 100%, Avira
                                                                                                                                      Reputation:low
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:12
                                                                                                                                      Start time:16:42:32
                                                                                                                                      Start date:14/01/2025
                                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                                                                                      Imagebase:0x7ff67e6d0000
                                                                                                                                      File size:55'320 bytes
                                                                                                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:high
                                                                                                                                      Has exited:false

                                                                                                                                      Target ID:13
                                                                                                                                      Start time:16:42:32
                                                                                                                                      Start date:14/01/2025
                                                                                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3456 -ip 3456
                                                                                                                                      Imagebase:0x7b0000
                                                                                                                                      File size:483'680 bytes
                                                                                                                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:high
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:14
                                                                                                                                      Start time:16:42:32
                                                                                                                                      Start date:14/01/2025
                                                                                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 604
                                                                                                                                      Imagebase:0x7b0000
                                                                                                                                      File size:483'680 bytes
                                                                                                                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:high
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:15
                                                                                                                                      Start time:16:42:33
                                                                                                                                      Start date:14/01/2025
                                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                                                                      Imagebase:0x7ff67e6d0000
                                                                                                                                      File size:55'320 bytes
                                                                                                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:high
                                                                                                                                      Has exited:false
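The process blocks above pair each Target ID with its Yara hits, but the hit sources are a mix of on-disk paths and memory-dump identifiers, and the interesting signal (hits in heap memory, executables dropped straight into C:\Windows) has to be read out by hand. The helper below is an added example, not Joe Sandbox code: it parses blocks in this report format and classifies the hits. The memory-dump name layout it decodes is an assumption inferred from the identifiers on this page (field 1 = target ID in hex, field 4 = base address, field 5 = PAGE_* protection, field 7 = MEM_IMAGE/MEM_PRIVATE/MEM_MAPPED type); the other fields are left uninterpreted. The sample input is a constructed excerpt copied from the blocks above.

```python
# Added triage helper (not Joe Sandbox code). Parses "Target ID" process blocks
# of this report format and classifies each Yara hit by where it was found.
# ASSUMPTION: memory-dump names are laid out as
#   <target id hex>.<stage>.<dump no>.<base address>.<page protection>.<?>.<memory type>.<?>.sdmp
# Only fields 1, 4, 5 and 7 are interpreted; everything else is kept raw.
import re
from dataclasses import dataclass, field

# Standard Win32 PAGE_* and MEM_* values.
PAGE_PROT = {0x02: "R", 0x04: "RW", 0x08: "WC", 0x10: "X", 0x20: "RX", 0x40: "RWX", 0x80: "RWXC"}
MEM_TYPE = {0x1000000: "IMAGE", 0x40000: "MAPPED", 0x20000: "PRIVATE"}

RULE_RE = re.compile(r"Rule: (\S+), Description: (.*?), Source: (.+?), Author: (.*)$")
DUMP_RE = re.compile(
    r"^([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})\.([0-9A-F]{8})"
    r"\.([0-9A-F]{8})\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp$")

# Constructed sample: an excerpt of the process blocks from this report.
SAMPLE = r"""
Target ID:8
Start time:16:42:30
Path:C:\Windows\mssecsvr.exe
Commandline:C:\WINDOWS\mssecsvr.exe -m security
Yara matches:
• Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000000.1560048220.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
• Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2225953882.0000000001D59000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:true

Target ID:9
Path:C:\Windows\SysWOW64\rundll32.exe
Commandline:rundll32.exe "C:\Users\user\Desktop\ruXU7wj3X9.dll",PlayGame
Has exited:true

Target ID:11
Path:C:\Windows\tasksche.exe
Commandline:C:\WINDOWS\tasksche.exe /i
Yara matches:
• Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Author: us-cert code analysis team
• Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly)
Has exited:true
"""


@dataclass
class Proc:
    target_id: int
    path: str = ""
    cmdline: str = ""
    yara: list = field(default_factory=list)   # (rule, source) pairs


def parse_targets(text):
    """Split the report's process listing into Proc records."""
    procs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Target ID:"):
            cur = Proc(int(line.split(":", 1)[1]))
            procs.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Path:"):
            cur.path = line.split(":", 1)[1]
        elif line.startswith("Commandline:"):
            cur.cmdline = line.split(":", 1)[1]
        else:
            m = RULE_RE.search(line)
            if m:
                cur.yara.append((m.group(1), m.group(3)))
    return procs


def parse_dump_name(source):
    """Decode a memory-dump identifier (assumed layout above); None for on-disk sources."""
    m = DUMP_RE.match(source)
    if not m:
        return None
    f = m.groups()
    return {
        "target": int(f[0], 16),
        "base": int(f[3], 16),
        "prot": PAGE_PROT.get(int(f[4], 16), f[4]),
        "type": MEM_TYPE.get(int(f[6], 16), f[6]),
    }


def triage(procs):
    """Return (target id, finding, detail) triples that deserve a second look."""
    findings = []
    for p in procs:
        low = p.path.lower()
        # A binary placed directly in C:\Windows (not System32/SysWOW64) is the
        # drop location used by mssecsvr.exe and tasksche.exe in this report.
        if low.startswith("c:\\windows\\") and "\\" not in low[len("c:\\windows\\"):]:
            findings.append((p.target_id, "exe-in-windows-root", p.path))
        for rule, src in p.yara:
            d = parse_dump_name(src)
            if d is None:
                findings.append((p.target_id, "yara-on-disk", src))
            elif d["type"] == "PRIVATE":
                # A hit in private (heap) memory means the matched content was
                # produced at run time rather than only carried in the mapped image.
                findings.append((p.target_id, "yara-in-private-memory",
                                 f"{rule}@{d['base']:#x}/{d['prot']}"))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_targets(SAMPLE)):
        print(finding)
```

Run against the excerpt, the script flags targets 8 and 11 for living in the Windows root, target 8 for a Wannacry hit in a read-write private region at 0x1D59000, and target 11 for the on-disk match on tasksche.exe; the rundll32.exe loader (target 9) produces nothing, which is the expected split between the benign host process and the payloads it dropped.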


                                                                                                                                        Execution Graph

                                                                                                                                        Execution Coverage:65.2%
                                                                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                                                                        Signature Coverage:63.2%
                                                                                                                                        Total number of Nodes:38
                                                                                                                                        Total number of Limit Nodes:8
execution_graph (one node per basic block: node id, address, APIs called in that block, then "->" successor nodes)

63 409a16: __set_app_type, __p__fmode, __p__commode -> 64
64 409a85 -> 65, 66
66 409a8d: __setusermatherr -> 65
65 409a99 -> 75
75 409b8c: _controlfp -> 68
68 409a9e: _initterm, __getmainargs, _initterm -> 69
69 409af2: GetStartupInfoA -> 71
71 409b26: GetModuleHandleA -> 76
76 408140: InternetOpenA, InternetOpenUrlA -> 77
77 4081a7: InternetCloseHandle, InternetCloseHandle -> 80
80 408090: GetModuleFileNameA, __p___argc -> 81, 82
79 4081b2: exit, _XcptFilter
81 4080b0 -> 91
82 4080b9: OpenSCManagerA -> 83, 84
83 408101: StartServiceCtrlDispatcherA -> 79
84 4080cf: OpenServiceA -> 86, 87
86 4080fc: CloseServiceHandle -> 83
87 4080ee -> 96
96 407fa0: ChangeServiceConfig2A -> 90
90 4080f6: CloseServiceHandle -> 86
91 407f20 -> 108
108 407c40: sprintf, OpenSCManagerA -> 109, 110
109 407c74: CreateServiceA -> 111, 112
110 407cca -> 93
112 407cad: StartServiceA, CloseServiceHandle -> 111
111 407cbb: CloseServiceHandle -> 93
93 407f25 -> 97
97 407ce0: GetModuleHandleW -> 98, 99
98 407d01: GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress -> 99, 100
99 407f08 -> 79
100 407d49 -> 99, 101
101 407d69: FindResourceA -> 99, 102
102 407d84: LoadResource -> 99, 103
103 407d94: LockResource -> 99, 104
104 407da7: SizeofResource -> 99, 105
105 407db9: sprintf, sprintf, MoveFileExA, CreateFileA -> 99, 106
106 407e54: WriteFile, CloseHandle, CreateProcessA -> 99, 107
107 407ef2: CloseHandle, CloseHandle -> 99

Callgraph

Control-flow Graph

APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F8D0EF0,?,00000000), ref: 00407CEF
• GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
• GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
• GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
• GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
• FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
• LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
• LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
• SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
• sprintf.MSVCRT ref: 00407E01
• sprintf.MSVCRT ref: 00407E18
• MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C
• CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000004,00000000), ref: 00407E43
• WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00407E61
• CloseHandle.KERNEL32(00000000), ref: 00407E68
• CreateProcessA.KERNEL32 ref: 00407EE8
• CloseHandle.KERNEL32(00000000), ref: 00407EF7
• CloseHandle.KERNEL32(08000000), ref: 00407F02
Strings
Memory Dump Source
• Source File: 00000006.00000002.1583682879.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.1583670741.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1583699901.000000000040A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1583712259.000000000040B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1583712259.000000000040F000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1583748040.0000000000431000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1583843452.0000000000710000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd
Yara matches
Similarity
• API ID: AddressHandleProcResource$CloseFile$Createsprintf$FindLoadLockModuleMoveProcessSizeofWrite
• String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
• API String ID: 4281112323-1507730452
• Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
• Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
• Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
• Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000006.00000002.1583682879.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.1583670741.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1583699901.000000000040A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1583712259.000000000040B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1583712259.000000000040F000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1583748040.0000000000431000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1583843452.0000000000710000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd
Yara matches
Similarity
• API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
• String ID:
• API String ID: 801014965-0
• Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
• Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
• Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
• Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Control-flow Graph

APIs
• InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
• InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
• InternetCloseHandle.WININET(00000000), ref: 004081A7
• InternetCloseHandle.WININET(00000000), ref: 004081AB
  • Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
  • Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5
Strings
• http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, xrefs: 0040814A
Memory Dump Source
• Source File: 00000006.00000002.1583682879.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.1583670741.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1583699901.000000000040A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1583712259.000000000040B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1583712259.000000000040F000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1583748040.0000000000431000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1583843452.0000000000710000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd
Yara matches
Similarity
• API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
• String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
• API String ID: 774561529-2614457033
• Opcode ID: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
• Instruction ID: 3b8a91e0baa4f3639afdb349cfc438007093f0a6557163af6b5eb03d237fc32a
• Opcode Fuzzy Hash: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
• Instruction Fuzzy Hash: B3018671548310AEE310DF748D01B6B7BE9EF85710F01082EF984F72C0EAB59804876B

Control-flow Graph

APIs
• sprintf.MSVCRT ref: 00407C56
• OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
• CreateServiceA.ADVAPI32(00000000,mssecsvc2.1,Microsoft Security Center (2.1) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F8D0EF0,00000000), ref: 00407C9B
• StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
• CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
• CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC
Strings
Memory Dump Source
• Source File: 00000006.00000002.1583682879.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.1583670741.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1583699901.000000000040A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1583712259.000000000040B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1583712259.000000000040F000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1583748040.0000000000431000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1583843452.0000000000710000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
• String ID: %s -m security$Microsoft Security Center (2.1) Service$mssecsvc2.1
• API String ID: 3340711343-2450984573
• Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
• Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
• Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
• Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Control-flow Graph

APIs
• GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
• __p___argc.MSVCRT ref: 004080A5
• OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
• OpenServiceA.ADVAPI32(00000000,mssecsvc2.1,000F01FF,6F8D0EF0,00000000,?,004081B2), ref: 004080DC
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
• CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
• StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126
Strings
Memory Dump Source
• Source File: 00000006.00000002.1583682879.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.1583670741.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1583699901.000000000040A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1583712259.000000000040B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1583712259.000000000040F000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1583748040.0000000000431000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1583843452.0000000000710000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
• String ID: mssecsvc2.1
• API String ID: 4274534310-2839763450
• Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
• Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
• Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
• Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Execution Graph

Execution Coverage: 34.8%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 36
Total number of Limit Nodes: 2

Callgraph

Control-flow Graph

APIs
• GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
• __p___argc.MSVCRT ref: 004080A5
• OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
• OpenServiceA.ADVAPI32(00000000,mssecsvc2.1,000F01FF,6F8D0EF0,00000000,?,004081B2), ref: 004080DC
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
• CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
• StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126
Strings
Memory Dump Source
• Source File: 00000008.00000002.2222819230.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.2222722451.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.2222846933.000000000040A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.2223023575.000000000040B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.2223023575.000000000040F000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.2223330577.000000000042E000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.2223377103.000000000042F000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.2223636351.0000000000431000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.2223913366.0000000000710000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_mssecsvr.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
                                                                                                                                        • String ID: mssecsvc2.1
                                                                                                                                        • API String ID: 4274534310-2839763450
                                                                                                                                        • Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
                                                                                                                                        • Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
                                                                                                                                        • Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
                                                                                                                                        • Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Control-flow Graph

APIs
• InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
• InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
• InternetCloseHandle.WININET(00000000), ref: 004081A7
• InternetCloseHandle.WININET(00000000), ref: 004081AB
  • Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
  • Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5
Strings
• http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, xrefs: 0040814A
Memory Dump Source
• Source File: 00000008.00000002.2222819230.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.2222722451.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.2222846933.000000000040A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.2223023575.000000000040B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.2223023575.000000000040F000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.2223330577.000000000042E000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.2223377103.000000000042F000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.2223636351.0000000000431000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.2223913366.0000000000710000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_mssecsvr.jbxd
Yara matches
Similarity
• API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
• String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
• API String ID: 774561529-2614457033
• Opcode ID: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
• Instruction ID: 3b8a91e0baa4f3639afdb349cfc438007093f0a6557163af6b5eb03d237fc32a
• Opcode Fuzzy Hash: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
• Instruction Fuzzy Hash: B3018671548310AEE310DF748D01B6B7BE9EF85710F01082EF984F72C0EAB59804876B

Control-flow Graph

APIs
• sprintf.MSVCRT ref: 00407C56
• OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
• CreateServiceA.ADVAPI32(00000000,mssecsvc2.1,Microsoft Security Center (2.1) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F8D0EF0,00000000), ref: 00407C9B
• StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
• CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
• CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC
Strings
Memory Dump Source
• Source File: 00000008.00000002.2222819230.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.2222722451.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.2222846933.000000000040A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.2223023575.000000000040B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.2223023575.000000000040F000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.2223330577.000000000042E000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.2223377103.000000000042F000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.2223636351.0000000000431000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.2223913366.0000000000710000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_mssecsvr.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
• String ID: %s -m security$Microsoft Security Center (2.1) Service$mssecsvc2.1
• API String ID: 3340711343-2450984573
• Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
• Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
• Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
• Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 15 407ce0-407cfb GetModuleHandleW 16 407d01-407d43 GetProcAddress * 4 15->16 17 407f08-407f14 15->17 16->17 18 407d49-407d4f 16->18 18->17 19 407d55-407d5b 18->19 19->17 20 407d61-407d63 19->20 20->17 21 407d69-407d7e FindResourceA 20->21 21->17 22 407d84-407d8e LoadResource 21->22 22->17 23 407d94-407da1 LockResource 22->23 23->17 24 407da7-407db3 SizeofResource 23->24 24->17 25 407db9-407e4e sprintf * 2 MoveFileExA 24->25 25->17 27 407e54-407ef0 25->27 27->17 31 407ef2-407f01 27->31 31->17
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F8D0EF0,?,00000000), ref: 00407CEF
• GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
• GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
• GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
• GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
• FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
• LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
• LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
• SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
• sprintf.MSVCRT ref: 00407E01
• sprintf.MSVCRT ref: 00407E18
• MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C
Strings
Memory Dump Source
• Source File: 00000008.00000002.2222819230.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.2222722451.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.2222846933.000000000040A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.2223023575.000000000040B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.2223023575.000000000040F000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.2223330577.000000000042E000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.2223377103.000000000042F000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.2223636351.0000000000431000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.2223913366.0000000000710000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_mssecsvr.jbxd
Yara matches
Similarity
• API ID: AddressProcResource$sprintf$FileFindHandleLoadLockModuleMoveSizeof
• String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
• API String ID: 4072214828-1507730452
• Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
• Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
• Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
• Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000008.00000002.2222819230.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.2222722451.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.2222846933.000000000040A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.2223023575.000000000040B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.2223023575.000000000040F000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.2223330577.000000000042E000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.2223377103.000000000042F000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.2223636351.0000000000431000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.2223913366.0000000000710000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_mssecsvr.jbxd
Yara matches
Similarity
• API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
• String ID:
• API String ID: 801014965-0
• Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
• Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
• Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
• Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Execution Graph

Execution Coverage: 1%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 4.4%
Total number of Nodes: 1183
Total number of Limit Nodes: 22
execution_graph

[Execution graph: the report's rendered call-graph widget, flattened to a node/edge list (node id, address, symbol, "N API calls", Windows API names; edges as src->dst). Recoverable content: the graph in this portion covers only C runtime start-up and shutdown internals (__mtterm, __lock, ___lock_fhandle, __getptd, __set_error_mode, __encode_pointer/__decode_pointer, _LocaleUpdate, __setmbcp, ___crtLCMapStringA, _parse_cmdline, __initterm, _doexit, _abort, __invoke_watson) and the Windows APIs they reach: GetStartupInfoA, HeapCreate, GetModuleHandleW, GetProcAddress, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetCurrentThreadId, InitializeCriticalSectionAndSpinCount, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InterlockedIncrement, InterlockedDecrement, HeapAlloc, HeapReAlloc, HeapFree, VirtualAlloc, VirtualFree, GetEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsW, FreeEnvironmentStringsA, WideCharToMultiByte, MultiByteToWideChar, GetModuleFileNameA, GetCommandLineA, GetStdHandle, SetStdHandle, GetFileType, SetHandleCount, CloseHandle, GetLastError, SetLastError, WriteFile, LoadLibraryA, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, ExitProcess, RtlUnwind, Sleep, GetOEMCP, GetACP, GetCPInfo, IsValidCodePage, GetLocaleInfoA, GetStringTypeA, GetStringTypeW. No sample-specific (non-CRT) logic appears in this portion of the graph; the IsDebuggerPresent / SetUnhandledExceptionFilter / TerminateProcess chain is the CRT's own __invoke_watson fast-fail path, not a custom anti-debug check.]
16122 41a506 __mtterm 66 API calls 16121->16122 16122->16120 16124 425f23 16123->16124 16125 425f1e 16123->16125 16154 426f29 16124->16154 16127 41e6de __setmbcp_nolock 5 API calls 16125->16127 16128 425b49 16127->16128 16128->16106 16128->16118 16129 425f39 16128->16129 16130 426003 16129->16130 16131 425f79 GetCPInfo 16129->16131 16134 41e6de __setmbcp_nolock 5 API calls 16130->16134 16132 425f90 16131->16132 16133 425fee MultiByteToWideChar 16131->16133 16132->16133 16135 425f96 GetCPInfo 16132->16135 16133->16130 16138 425fa9 _strlen 16133->16138 16136 425b6a 16134->16136 16135->16133 16137 425fa3 16135->16137 16136->16106 16136->16118 16137->16133 16137->16138 16139 41cf3e _malloc 66 API calls 16138->16139 16142 425fdb _memset ___convertcp 16138->16142 16139->16142 16140 426038 MultiByteToWideChar 16141 426050 16140->16141 16146 42606f 16140->16146 16144 426057 WideCharToMultiByte 16141->16144 16145 426074 16141->16145 16142->16130 16142->16140 16143 422389 __freea 66 API calls 16143->16130 16144->16146 16147 426093 16145->16147 16148 42607f WideCharToMultiByte 16145->16148 16146->16143 16149 421328 __calloc_crt 66 API calls 16147->16149 16148->16146 16148->16147 16150 42609b 16149->16150 16150->16146 16151 4260a4 WideCharToMultiByte 16150->16151 16151->16146 16152 4260b6 16151->16152 16153 41a506 __mtterm 66 API calls 16152->16153 16153->16146 16157 426efe 16154->16157 16158 426f17 16157->16158 16159 426ccf strtoxl 90 API calls 16158->16159 16160 426f24 16159->16160 16160->16125 16162 4223ca LCMapStringW 16161->16162 16166 4223e5 16161->16166 16163 4223ed GetLastError 16162->16163 16162->16166 16163->16166 16164 4225e3 16168 425ef0 ___ansicp 90 API calls 16164->16168 16165 42243f 16167 422458 MultiByteToWideChar 16165->16167 16190 4225da 16165->16190 16166->16164 16166->16165 16176 422485 16167->16176 16167->16190 16170 42260b 16168->16170 16169 41e6de __setmbcp_nolock 5 API calls 16171 421ad5 16169->16171 16172 422624 16170->16172 16173 4226ff LCMapStringA 
16170->16173 16170->16190 16171->16083 16174 425f39 ___convertcp 73 API calls 16172->16174 16177 42265b 16173->16177 16179 422636 16174->16179 16175 4224d6 MultiByteToWideChar 16180 4225d1 16175->16180 16181 4224ef LCMapStringW 16175->16181 16178 41cf3e _malloc 66 API calls 16176->16178 16187 42249e ___convertcp 16176->16187 16182 422726 16177->16182 16186 41a506 __mtterm 66 API calls 16177->16186 16178->16187 16183 422640 LCMapStringA 16179->16183 16179->16190 16184 422389 __freea 66 API calls 16180->16184 16181->16180 16185 422510 16181->16185 16189 41a506 __mtterm 66 API calls 16182->16189 16182->16190 16183->16177 16193 422662 16183->16193 16184->16190 16188 422519 16185->16188 16192 422542 16185->16192 16186->16182 16187->16175 16187->16190 16188->16180 16191 42252b LCMapStringW 16188->16191 16189->16190 16190->16169 16191->16180 16195 42255d ___convertcp 16192->16195 16197 41cf3e _malloc 66 API calls 16192->16197 16196 422673 _memset ___convertcp 16193->16196 16198 41cf3e _malloc 66 API calls 16193->16198 16194 422591 LCMapStringW 16199 4225cb 16194->16199 16200 4225a9 WideCharToMultiByte 16194->16200 16195->16180 16195->16194 16196->16177 16202 4226b1 LCMapStringA 16196->16202 16197->16195 16198->16196 16201 422389 __freea 66 API calls 16199->16201 16200->16199 16201->16180 16203 4226d1 16202->16203 16204 4226cd 16202->16204 16206 425f39 ___convertcp 73 API calls 16203->16206 16207 422389 __freea 66 API calls 16204->16207 16206->16204 16207->16177 16208->16074 16210 4233df 16209->16210 16211 41e6ed __encode_pointer 6 API calls 16210->16211 16212 4233f7 16210->16212 16211->16210 16212->15372 16216 41c993 16213->16216 16215 41c9dc 16215->15374 16217 41c99f ___lock_fhandle 16216->16217 16224 421501 16217->16224 16223 41c9c0 ___lock_fhandle 16223->16215 16225 41efa3 __lock 66 API calls 16224->16225 16226 41c9a4 16225->16226 16227 41c8a8 16226->16227 16228 41e768 __decode_pointer 6 API calls 16227->16228 16229 41c8bc 16228->16229 16230 41e768 __decode_pointer 6 
API calls 16229->16230 16231 41c8cc 16230->16231 16232 41c94f 16231->16232 16250 4213c2 16231->16250 16247 41c9c9 16232->16247 16234 41c8ea 16236 41c905 16234->16236 16237 41c914 16234->16237 16246 41c936 16234->16246 16235 41e6ed __encode_pointer 6 API calls 16238 41c944 16235->16238 16263 421374 16236->16263 16237->16232 16240 41c90e 16237->16240 16241 41e6ed __encode_pointer 6 API calls 16238->16241 16240->16237 16242 421374 __realloc_crt 73 API calls 16240->16242 16243 41c92a 16240->16243 16241->16232 16244 41c924 16242->16244 16245 41e6ed __encode_pointer 6 API calls 16243->16245 16244->16232 16244->16243 16245->16246 16246->16235 16313 42150a 16247->16313 16251 4213ce ___lock_fhandle 16250->16251 16252 4213fb 16251->16252 16253 4213de 16251->16253 16254 42143c HeapSize 16252->16254 16257 41efa3 __lock 66 API calls 16252->16257 16255 41edae __set_error_mode 66 API calls 16253->16255 16260 4213f3 ___lock_fhandle 16254->16260 16256 4213e3 16255->16256 16258 420103 __set_error_mode 6 API calls 16256->16258 16259 42140b ___sbh_find_block 16257->16259 16258->16260 16268 42145c 16259->16268 16260->16234 16265 42137d 16263->16265 16266 4213bc 16265->16266 16267 42139d Sleep 16265->16267 16272 41a594 16265->16272 16266->16240 16267->16265 16271 41eec9 LeaveCriticalSection 16268->16271 16270 421437 16270->16254 16270->16260 16271->16270 16273 41a5a0 ___lock_fhandle 16272->16273 16274 41a5b5 16273->16274 16275 41a5a7 16273->16275 16277 41a5c8 16274->16277 16278 41a5bc 16274->16278 16276 41cf3e _malloc 66 API calls 16275->16276 16280 41a5af ___lock_fhandle _realloc 16276->16280 16285 41a73a 16277->16285 16286 41a5d5 ___sbh_resize_block ___sbh_find_block 16277->16286 16279 41a506 __mtterm 66 API calls 16278->16279 16279->16280 16280->16265 16281 41a76d 16284 41fc9b _realloc 6 API calls 16281->16284 16282 41a73f HeapReAlloc 16282->16280 16282->16285 16283 41efa3 __lock 66 API calls 16283->16286 16287 41a773 16284->16287 16285->16281 16285->16282 16288 41a791 16285->16288 
16290 41fc9b _realloc 6 API calls 16285->16290 16293 41a787 16285->16293 16286->16280 16286->16281 16286->16283 16296 41a660 HeapAlloc 16286->16296 16299 41a6b5 HeapReAlloc 16286->16299 16300 41f7b5 ___sbh_alloc_block 5 API calls 16286->16300 16301 41a720 16286->16301 16302 41fc9b _realloc 6 API calls 16286->16302 16303 41f006 VirtualFree VirtualFree HeapFree ___sbh_free_block 16286->16303 16305 41a703 16286->16305 16306 41c290 __VEC_memcpy _realloc 16286->16306 16309 41a6d8 16286->16309 16289 41edae __set_error_mode 66 API calls 16287->16289 16288->16280 16291 41edae __set_error_mode 66 API calls 16288->16291 16289->16280 16290->16285 16292 41a79a GetLastError 16291->16292 16292->16280 16295 41edae __set_error_mode 66 API calls 16293->16295 16297 41a708 16295->16297 16296->16286 16297->16280 16298 41a70d GetLastError 16297->16298 16298->16280 16299->16286 16300->16286 16301->16280 16304 41edae __set_error_mode 66 API calls 16301->16304 16302->16286 16303->16286 16307 41a72d 16304->16307 16308 41edae __set_error_mode 66 API calls 16305->16308 16306->16286 16307->16280 16307->16292 16308->16297 16312 41eec9 LeaveCriticalSection 16309->16312 16311 41a6df 16311->16286 16312->16311 16316 41eec9 LeaveCriticalSection 16313->16316 16315 41c9ce 16315->16223 16316->16315 16318 4215e5 ___lock_fhandle 16317->16318 16319 41efa3 __lock 66 API calls 16318->16319 16320 4215ec 16319->16320 16322 41e768 __decode_pointer 6 API calls 16320->16322 16326 4216a5 __initterm 16320->16326 16324 421623 16322->16324 16324->16326 16328 41e768 __decode_pointer 6 API calls 16324->16328 16325 4216ed ___lock_fhandle 16325->15398 16334 4216f0 16326->16334 16332 421638 16328->16332 16329 4216e4 16330 4214e9 _doexit 3 API calls 16329->16330 16330->16325 16331 41e75f 6 API calls _doexit 16331->16332 16332->16326 16332->16331 16333 41e768 6 API calls __decode_pointer 16332->16333 16333->16332 16335 4216f6 16334->16335 16336 4216d1 16334->16336 16339 41eec9 LeaveCriticalSection 16335->16339 
16336->16325 16338 41eec9 LeaveCriticalSection 16336->16338 16338->16329 16339->16336

                                                                                                                                        Control-flow Graph

                                                                                                                                        • Executed
                                                                                                                                        • Not Executed
                                                                                                                                        control_flow_graph 0 41edf7-41ee19 HeapCreate 1 41ee1b-41ee1c 0->1 2 41ee1d-41ee26 0->2
                                                                                                                                        APIs
                                                                                                                                        • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0041EE0C
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CreateHeap
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 10892065-0
                                                                                                                                        • Opcode ID: 6c78c704c61e396e770c5c9d5bf39bc32bfab303bf8d18d204e2a82309729daa
                                                                                                                                        • Instruction ID: eb53d8fa6b9c670d76401f9b6e634384cdf5b6bc28e7f080834842f41bea832e
                                                                                                                                        • Opcode Fuzzy Hash: 6c78c704c61e396e770c5c9d5bf39bc32bfab303bf8d18d204e2a82309729daa
                                                                                                                                        • Instruction Fuzzy Hash: E6D05E366503485ADB106F716C09B763BDCD384396F104436BC1DC6150F775C5A09A48

                                                                                                                                        Control-flow Graph

                                                                                                                                        • Executed
                                                                                                                                        • Not Executed
                                                                                                                                        control_flow_graph 90 40690a-406925 call 41a4dc call 41aaf0 95 406942-4069a9 call 406760 call 410b9c call 41a7af call 41c81c 90->95 96 406927-40693b call 406553 * 2 90->96 109 4069ab-4069c5 call 41c81c 95->109 110 4069df 95->110 96->95 109->110 116 4069c7-4069dd 109->116 111 4069e2-406a05 call 41a7f7 call 41a7af 110->111 119 406a07-406a09 111->119 120 406a4b-406a5c call 40935f 111->120 116->111 122 406a29 119->122 123 406a0b-406a19 call 40a2f5 119->123 127 406a94-406aa1 CreateDirectoryW 120->127 128 406a5e-406a65 120->128 126 406a2d 122->126 123->122 134 406a1b-406a27 call 4065c4 123->134 130 406a38 126->130 131 406a2f 126->131 127->122 135 406aa3 127->135 128->127 133 406a67-406a84 CreateFileW 128->133 132 406a3a-406a48 130->132 136 406a32-406a37 call 41a506 131->136 138 406a86-406a89 133->138 139 406a8b-406a92 CloseHandle 133->139 134->120 134->122 141 406aa5-406aae 135->141 136->130 138->126 139->141 144 406ab0-406b11 call 41a7f7 * 2 141->144 145 406b13-406b16 141->145 155 406b90-406baf CreateFileW 144->155 146 406b21-406b8d call 41a7f7 * 2 145->146 147 406b18-406b1b 145->147 146->155 147->138 147->146 157 406bb1-406bb2 155->157 158 406bb7-406bd7 DeviceIoControl 155->158 157->136 159 406bd9-406bf7 CloseHandle call 40639f GetLastError 158->159 160 406c3f-406cb8 call 408786 call 408a32 call 408d35 call 408a32 158->160 165 406c00-406c1f call 401000 call 4062ba 159->165 166 406bf9-406bfb call 401b9b 159->166 180 406cc5-406cd6 call 408c7d 160->180 181 406cba-406cc0 call 40908d 160->181 178 406c21-406c27 RemoveDirectoryW 165->178 179 406c29 DeleteFileW 165->179 166->165 182 406c2f 178->182 179->182 185 406c31-406c3a call 41a506 180->185 181->180 182->185 185->132
                                                                                                                                        APIs
                                                                                                                                        • __EH_prolog.LIBCMT ref: 0040690F
                                                                                                                                        • _wcslen.LIBCMT ref: 00406978
                                                                                                                                        • _wcscpy.LIBCMT ref: 004069E4
                                                                                                                                        • _wcslen.LIBCMT ref: 004069F0
                                                                                                                                          • Part of subcall function 00406553: GetCurrentProcess.KERNEL32(00000020,?), ref: 00406562
                                                                                                                                          • Part of subcall function 00406553: OpenProcessToken.ADVAPI32(00000000), ref: 00406569
                                                                                                                                          • Part of subcall function 00406553: LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00406589
                                                                                                                                          • Part of subcall function 00406553: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 0040659E
                                                                                                                                          • Part of subcall function 00406553: GetLastError.KERNEL32 ref: 004065A8
                                                                                                                                          • Part of subcall function 00406553: CloseHandle.KERNEL32(?), ref: 004065B7
                                                                                                                                          • Part of subcall function 0040935F: _wcsncpy.LIBCMT ref: 004093C6
                                                                                                                                        • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,00000000,00000001), ref: 00406A7B
                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00406A8C
                                                                                                                                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000001), ref: 00406A99
                                                                                                                                        • _wcscpy.LIBCMT ref: 00406AE5
                                                                                                                                        • _wcscpy.LIBCMT ref: 00406B09
                                                                                                                                        • _wcscpy.LIBCMT ref: 00406B55
                                                                                                                                        • _wcscpy.LIBCMT ref: 00406B7E
                                                                                                                                        • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00406BA4
                                                                                                                                        • DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 00406BCF
                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00406BDA
                                                                                                                                        • GetLastError.KERNEL32 ref: 00406BEC
                                                                                                                                        • RemoveDirectoryW.KERNEL32(00000000), ref: 00406C21
                                                                                                                                        • DeleteFileW.KERNEL32(00000000), ref: 00406C29
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _wcscpy$CloseCreateFileHandle$DirectoryErrorLastProcessToken_wcslen$AdjustControlCurrentDeleteDeviceH_prologLookupOpenPrivilegePrivilegesRemoveValue_wcsncpy
                                                                                                                                        • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                                                                                                        • API String ID: 295717069-3508440684
                                                                                                                                        • Opcode ID: 655c0a61d8b82d499dd3f58a43e7c4c4e2890c798905acfbacee841f114c5236
                                                                                                                                        • Instruction ID: 0b044a0677013c3ee0dedeb9ad72db73be6c8eb7e300feb6a7d55a674be6f19f
                                                                                                                                        • Opcode Fuzzy Hash: 655c0a61d8b82d499dd3f58a43e7c4c4e2890c798905acfbacee841f114c5236
                                                                                                                                        • Instruction Fuzzy Hash: 56B1B471A00215AFDF21EF64CC45BDA77B8EF04304F00446AF95AF7281D778AAA4CB69
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _memcmp$H_prolog
                                                                                                                                        • String ID: @$CMT
                                                                                                                                        • API String ID: 212800410-3935043585
                                                                                                                                        • Opcode ID: 61c5d66ef6b3c3ec8c684f9c378d980735cbcf4a3664b2141919c77b1943b8bf
                                                                                                                                        • Instruction ID: 4535b6ba2d5654eb70152741eafeedd3820f65e0183003bc7b62017ff8f1088e
                                                                                                                                        • Opcode Fuzzy Hash: 61c5d66ef6b3c3ec8c684f9c378d980735cbcf4a3664b2141919c77b1943b8bf
                                                                                                                                        • Instruction Fuzzy Hash: 252215715006849FDB24DF24C891BDA3BE5AF14308F08057FED4AEB2C6DB799588CB69
APIs
• GetCurrentProcess.KERNEL32(00000020,?), ref: 00406562
• OpenProcessToken.ADVAPI32(00000000), ref: 00406569
• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00406589
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 0040659E
• GetLastError.KERNEL32 ref: 004065A8
• CloseHandle.KERNEL32(?), ref: 004065B7
Memory Dump Source
• Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
• String ID:
• API String ID: 3398352648-0
APIs
• __EH_prolog.LIBCMT ref: 00401CC6
• _strlen.LIBCMT ref: 00402237
  • Part of subcall function 00411B3C: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,00001FFF,?,?,004022BC,00000000,?,00000800,?,00001FFF,?), ref: 00411B58
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00402393
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID: ByteCharH_prologMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
• String ID: CMT
• API String ID: 1706572503-2756464174
APIs
• FindFirstFileW.KERNEL32(?,?,00000800,?,?,?,004096E5,000000FF,?,?,?,?,00408411,?,?,00000000), ref: 004094A4
• FindFirstFileW.KERNEL32(?,?,?,?,00000800,?,004096E5,000000FF,?,?,?,?,00408411,?,?,00000000), ref: 004094D4
• GetLastError.KERNEL32(?,?,00000800,?,004096E5,000000FF,?,?,?,?,00408411,?,?,00000000,?,00000800), ref: 004094DE
• FindNextFileW.KERNEL32(000000FF,?,00000800,?,?,?,004096E5,000000FF,?,?,?,?,00408411,?,?,00000000), ref: 00409508
• GetLastError.KERNEL32(?,004096E5,000000FF,?,?,?,?,00408411,?,?,00000000,?,00000800), ref: 00409516
Memory Dump Source
• Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID: FileFind$ErrorFirstLast$Next
• String ID:
• API String ID: 869497890-0
APIs
• IsDebuggerPresent.KERNEL32 ref: 00423F3E
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00423F53
• UnhandledExceptionFilter.KERNEL32(0042BA78), ref: 00423F5E
• GetCurrentProcess.KERNEL32(C0000409), ref: 00423F7A
• TerminateProcess.KERNEL32(00000000), ref: 00423F81
Memory Dump Source
• Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
• String ID:
• API String ID: 2579439406-0
APIs
• GetSystemTime.KERNEL32(?), ref: 004113A0
• SystemTimeToFileTime.KERNEL32(?,?), ref: 004113AE
Memory Dump Source
• Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID: Time$System$File
• String ID:
• API String ID: 2838179519-0
APIs
Memory Dump Source
• Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID: _memset
• String ID:
• API String ID: 2102423945-0
APIs
Memory Dump Source
• Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID: _realloc
• String ID:
• API String ID: 1750794848-0
APIs
Memory Dump Source
• Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID: _memset
• String ID:
• API String ID: 2102423945-0
• Opcode ID: 9c54e9cdedc4d1f5f0a70ee5fbfd421263a38b40d6fcac4ed0c82430486a0b60
• Instruction ID: 3562be7dcc5a33f83423fe2ddc28cf6e78eed116dec30ec79901489c8d2199a3
• Opcode Fuzzy Hash: 9c54e9cdedc4d1f5f0a70ee5fbfd421263a38b40d6fcac4ed0c82430486a0b60
• Instruction Fuzzy Hash: CBA11472A00208EBDB04DF65C581BED77B5AB94304F24447FE942EB282C77C9AC2DB59
APIs
• CoCreateInstance.OLE32(0042B1F8,00000000,00000001,0042B148,?), ref: 00419BC9
Memory Dump Source
• Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID: CreateInstance
• String ID:
• API String ID: 542301482-0
• Opcode ID: 291608a549582a43ab036b31c95ed53b806bcf03129be81fab9f556b712dc9f9
• Instruction ID: e9337f94160ec10d5a134cda80235c1f61728acff05639409476ed3799cc72ed
• Opcode Fuzzy Hash: 291608a549582a43ab036b31c95ed53b806bcf03129be81fab9f556b712dc9f9
• Instruction Fuzzy Hash: FC311875A00209EFCF04CFA0C898DAA7BB9EF49304B204499F942DB250D739EE51DBA4
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_0002348C), ref: 004234D3
Memory Dump Source
• Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: c83ebaee86b923b47ec218d74108a47e8bb0214f05dc8ef17ebda85afd4cada2
• Instruction ID: 1b01da781a1f42b14bf088c4285091799bc00e9a7c54fca4454c541a30810ab4
• Opcode Fuzzy Hash: c83ebaee86b923b47ec218d74108a47e8bb0214f05dc8ef17ebda85afd4cada2
• Instruction Fuzzy Hash: 539002603521104746112BB06C1D51565A17F48617BD104A5B401C5054DA598621551B
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID:
• String ID: gj
• API String ID: 0-4203073231
• Opcode ID: 8e8f698dc4288f7cd721a7a81a634b87765ee1de91585cf515aab87a68fe5fee
• Instruction ID: d9eb52a2d6ff44a43e3580116b86408f9a206631cbab7b39ea8bb55ae5343344
• Opcode Fuzzy Hash: 8e8f698dc4288f7cd721a7a81a634b87765ee1de91585cf515aab87a68fe5fee
• Instruction Fuzzy Hash: 81C126B2D002289BDF44CF9AD8405EEFBF2BFC8310F2AC1A6D81477615D6346A529F91
Memory Dump Source
• Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 19f40a36ed80e7fa84ae32882f285ae408a2c48f212789fbf0ffe7819f4ee8d6
• Instruction ID: ccfbe87dc01bca8481d5bc7e89d2e7a56772373bde9bbd99eab17f8220eb3834
• Opcode Fuzzy Hash: 19f40a36ed80e7fa84ae32882f285ae408a2c48f212789fbf0ffe7819f4ee8d6
• Instruction Fuzzy Hash: C352B87284D3D60FD7279B704A6A1D5BFA0AA13310B1D06CFC4E18B5A3D29D99CAC35E
Memory Dump Source
• Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID: _memset
• String ID:
• API String ID: 2102423945-0
• Opcode ID: 0de7a046ec34b83bbc3033ab6ae0e99f87698ffc0b25ddf2edfa9e03facaa23f
• Instruction ID: ec473c390e775c3513d1f4c5f902ffdbdf11d251c2712a84011b28fca20aaef5
• Opcode Fuzzy Hash: 0de7a046ec34b83bbc3033ab6ae0e99f87698ffc0b25ddf2edfa9e03facaa23f
• Instruction Fuzzy Hash: 5F72E770A087459FCB29CF24C5D0AE9BBF1EF55304F1584AED99A8B342D338E985CB58
Memory Dump Source
• Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8e66e87e45e33e9b6c354f5b6263b5aa39b97c7922118d9d558ebbb9b9929d35
• Instruction ID: 136bcfac07b0c46142f126060f48d767d5d9002a5a6c7f55271a6c6e067ee92a
• Opcode Fuzzy Hash: 8e66e87e45e33e9b6c354f5b6263b5aa39b97c7922118d9d558ebbb9b9929d35
• Instruction Fuzzy Hash: 8C72B070A04645DFCB19CF68C5806EDBBB1FF45308F2981AED8598B742C339E991CB59
Memory Dump Source
• Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6ebf441c70ff6532865c288c87f3bce7e5014ce8903a4a7d139da48b9e85dfb4
• Instruction ID: 0e00f547d9c9432e6b2b80a4b4e8710aa94bb2d64e29154f4667ae4663dd4859
• Opcode Fuzzy Hash: 6ebf441c70ff6532865c288c87f3bce7e5014ce8903a4a7d139da48b9e85dfb4
• Instruction Fuzzy Hash: 6112EC7284D3D94FDB279B704A6A1D67F60AA23300B2D05CFC5D18B5A3D2AD89C6C35E
Memory Dump Source
• Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
• Instruction ID: fa64fecedd4ee0fbc6ebc6d5fd45eff142ec883d8ec5514f9c97111b8272a84e
• Opcode Fuzzy Hash: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
• Instruction Fuzzy Hash: 93D18E73C0E9B34A8735812D84582BBEE62AFD175031EC3E2DCE42F389D62B5D9196D4
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
                                                                                                                                        • Instruction ID: 1a9104bdc18b99a6bc3a57d880f0b00b8efb4b2948f4f82757f4a36a4691901f
                                                                                                                                        • Opcode Fuzzy Hash: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
                                                                                                                                        • Instruction Fuzzy Hash: 8DD18E73D1E9B30A8735812D80682ABEE62AFD175031EC3E2DCE42F389D72B5D9195D4
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
                                                                                                                                        • Instruction ID: 29e0c2194e43b481a6c61040bafb45c2199937250b84d4f9493dc4b244529513
                                                                                                                                        • Opcode Fuzzy Hash: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
                                                                                                                                        • Instruction Fuzzy Hash: 24C16E73C0E9B30A8736812D81685ABEE62AFD175031FC3A2DCE42F389D36B5D9195D4
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
                                                                                                                                        • Instruction ID: 2db7ca3506525dcc090db9a2522c638e963424884ad3e69ae6d01f57f6380b46
                                                                                                                                        • Opcode Fuzzy Hash: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
                                                                                                                                        • Instruction Fuzzy Hash: 7AC17173D0E9B3068735812E84686ABEE62AFD175031FC3E29CE42F389D32B5D9495D4
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 74c5e34f9abefec6387e3142de93532e06a17bc948433487153fd85e66a9dea7
                                                                                                                                        • Instruction ID: 3d3811311c0e96151038b15cdb33c9c3baef1538c920ea216c41a1bce0e780a6
                                                                                                                                        • Opcode Fuzzy Hash: 74c5e34f9abefec6387e3142de93532e06a17bc948433487153fd85e66a9dea7
                                                                                                                                        • Instruction Fuzzy Hash: DC812731600644ABDB14EF29C590BFD73A5EB92318F20842FE9569B2C2C77CD9C2CB59
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 2f5bf5cecdb1f64457438b731ed3817205f980e215465e163cae759f501b06fa
                                                                                                                                        • Instruction ID: 9df8b40ebdd558454bc31cf35b4b069549cd357de740422902aa7ddb2246d643
                                                                                                                                        • Opcode Fuzzy Hash: 2f5bf5cecdb1f64457438b731ed3817205f980e215465e163cae759f501b06fa
                                                                                                                                        • Instruction Fuzzy Hash: EB51A46104FBC19FC313977488666817FB56E13124B1E8AEBC0C9CF4B3E659594ADB32
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 51b2d21a1de5244f25583c5063fbcf28c6649e746e5830653507aa8b0461497a
                                                                                                                                        • Instruction ID: 1b781f1f23d015917a337ea3c6206954a5313e6084e2437016288461132a8366
                                                                                                                                        • Opcode Fuzzy Hash: 51b2d21a1de5244f25583c5063fbcf28c6649e746e5830653507aa8b0461497a
                                                                                                                                        • Instruction Fuzzy Hash: EF312372A10605ABCB04DF38C4912DEBBE2EF81308F14812FD865DB782D37DA945CB94
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 866ee34adc6fec30ee19582cd252525266032b464ccb2f20f1e66a817629a287
                                                                                                                                        • Instruction ID: 2ccb413243c8e3f3810094ea986113c02d7a387cc67c693c5ca68079d889c8bb
                                                                                                                                        • Opcode Fuzzy Hash: 866ee34adc6fec30ee19582cd252525266032b464ccb2f20f1e66a817629a287
                                                                                                                                        • Instruction Fuzzy Hash: 2821D872A106716BD7048F65EC8412733A2D7CA3617DB4237DF445B3B1D135B922CAE8
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 8242d2adca0ee77033965afe3d9840a22183be55bece64a87820915d62a16758
                                                                                                                                        • Instruction ID: 4356a253f76cc5610e9bc1f537dddfa62eb33724237590aeb4e51f1bbf9acff9
                                                                                                                                        • Opcode Fuzzy Hash: 8242d2adca0ee77033965afe3d9840a22183be55bece64a87820915d62a16758
                                                                                                                                        • Instruction Fuzzy Hash: 35F0AE725007059AE7109F5998467D777F8EB10704F14C81FD556F62C0C2F8D5C1CB85

                                                                                                                                        Control-flow Graph

                                                                                                                                        • Executed
                                                                                                                                        • Not Executed
                                                                                                                                        control_flow_graph 189 419779-419786 190 41978c-4197b7 call 4191a2 call 41a7af call 41cf3e 189->190 191 4198be-4198bf 189->191 198 4197bd-4197ea call 41a7f7 call 41a7c9 * 2 190->198 199 4198bc-4198bd 190->199 206 4197f9-41980c call 411e81 198->206 207 4197ec-4197f7 198->207 199->191 210 419814-41981f call 41a7c9 206->210 211 41980e-419811 206->211 207->206 207->207 214 419821-41982d call 41a7c9 210->214 215 41982e-419832 210->215 211->210 214->215 217 419834-41983d call 4191d8 215->217 218 41983f-41985d call 41a7af GlobalAlloc 215->218 217->218 224 41988c-4198a3 call 41a506 CreateStreamOnHGlobal 218->224 225 41985f-41987a WideCharToMultiByte 218->225 224->199 230 4198a5-4198b8 call 41963b 224->230 226 419889 225->226 227 41987c-419887 225->227 226->224 227->224 230->199
APIs
• _wcslen.LIBCMT ref: 0041979F
• _malloc.LIBCMT ref: 004197AC
  • Part of subcall function 0041CF3E: __FF_MSGBANNER.LIBCMT ref: 0041CF61
  • Part of subcall function 0041CF3E: __NMSG_WRITE.LIBCMT ref: 0041CF68
  • Part of subcall function 0041CF3E: HeapAlloc.KERNEL32(00000000,-0000000F,00000001,00000000,00000000,?,004212F4,00000000,00000001,00000000,?,0041EF2D,00000018,0042D930,0000000C,0041EFBE), ref: 0041CFB5
• _wcscpy.LIBCMT ref: 004197C5
• _wcscat.LIBCMT ref: 004197D0
• _wcscat.LIBCMT ref: 004197DB
• _wcscat.LIBCMT ref: 00419816
• _wcscat.LIBCMT ref: 00419827
• _wcslen.LIBCMT ref: 00419840
• GlobalAlloc.KERNEL32(00000040,-00000009), ref: 00419851
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,-00000106,00000000,00000000), ref: 00419872
• CreateStreamOnHGlobal.OLE32(00000000,00000001,00000000), ref: 0041989A
Memory Dump Source
• Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
Similarity
• API ID: _wcscat$AllocGlobal_wcslen$ByteCharCreateHeapMultiStreamWide_malloc_wcscpy
• String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
• API String ID: 3841325325-4209811716
• Opcode ID: 858a996e26029bd60ca6401db7a314eaf989d6b4d57c198e73a70fd8604f7e50
• Instruction ID: 9750a07ada00fadd6417d4a808c8c0194c88b3581ecb1a923ba5d07fa5d26e01
• Opcode Fuzzy Hash: 858a996e26029bd60ca6401db7a314eaf989d6b4d57c198e73a70fd8604f7e50
• Instruction Fuzzy Hash: 1C312A32900205BBDB11BB659C95EEF77789F42724F14415FF810AB2C6DB7C8E81836A

Control-flow Graph

(rendered graph not reproduced)
APIs
• ShowWindow.USER32(?,00000000), ref: 00419AB7
  • Part of subcall function 00419A36: LoadCursorW.USER32(00000000,00007F00), ref: 00419A6D
  • Part of subcall function 00419A36: RegisterClassExW.USER32(00000030), ref: 00419A8E
• GetWindowRect.USER32(?,?), ref: 00419AD8
• GetParent.USER32(?), ref: 00419AEB
• MapWindowPoints.USER32(00000000,00000000), ref: 00419AF0
• DestroyWindow.USER32(?), ref: 00419AFE
• GetParent.USER32(?), ref: 00419B1C
• CreateWindowExW.USER32(00000000,RarHtmlClassName,00000000,40000000,?,?,?,?,00000000), ref: 00419B3B
• ShowWindow.USER32(?,00000005), ref: 00419B6D
• SetWindowTextW.USER32(?,00000000), ref: 00419B77
• ShowWindow.USER32(00000000,00000005), ref: 00419B8D
• UpdateWindow.USER32(?), ref: 00419B96
Memory Dump Source
• Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
Similarity
• API ID: Window$Show$Parent$ClassCreateCursorDestroyLoadPointsRectRegisterTextUpdate
• String ID: RarHtmlClassName
• API String ID: 3841971108-1658105358
• Opcode ID: 80ed833fde46ef0684476050259e54a8f734e03cc260d1f6d230bab863c7ff7f
• Instruction ID: a0655035169e6554100d25c4e6de203faa719369231219c5c88fda93c074337e
• Opcode Fuzzy Hash: 80ed833fde46ef0684476050259e54a8f734e03cc260d1f6d230bab863c7ff7f
• Instruction Fuzzy Hash: 0331B035600604EFCB319F65EC48EAFBBB9FF44700F10451AF91692260D735AD51DBA9

Control-flow Graph

APIs
• _wcscpy.LIBCMT ref: 00405182
• _wcslen.LIBCMT ref: 0040518A
• _wcscpy.LIBCMT ref: 0040519A
• _wcslen.LIBCMT ref: 004051A0
• _wcscpy.LIBCMT ref: 004051B8
• _wcslen.LIBCMT ref: 004051BE
• _wcscpy.LIBCMT ref: 004051CD
• _wcslen.LIBCMT ref: 004051D3
• _memset.LIBCMT ref: 004051E8
• GetSaveFileNameW.COMDLG32(?,?,?,?,?,?,000000A2), ref: 00405234
• GetOpenFileNameW.COMDLG32(?,?,?,?,?,?,000000A2), ref: 0040523C
• CommDlgExtendedError.COMDLG32(?,?,?,?,?,000000A2), ref: 00405244
• GetSaveFileNameW.COMDLG32(?,?,?,?,?,?,000000A2), ref: 00405260
• GetOpenFileNameW.COMDLG32(?,?,?,?,?,?,000000A2), ref: 00405268
Memory Dump Source
• Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
Similarity
• API ID: FileName_wcscpy_wcslen$OpenSave$CommErrorExtended_memset
• String ID:
• API String ID: 3496903968-0
• Opcode ID: e74642d2070660b170970d878bf29844ae1157b468b04acc2c75ad1758c26d21
• Instruction ID: 017447a648ceccb586da1f31f92202068c03838f3088d87860c47b682a039f1a
• Opcode Fuzzy Hash: e74642d2070660b170970d878bf29844ae1157b468b04acc2c75ad1758c26d21
• Instruction Fuzzy Hash: D531D775901618ABCB11AFA5DC45ACF7BB8EF04314F00002AF904B7281DB38DA958FAE

Control-flow Graph

APIs
• GetDC.USER32(00000000), ref: 00419D17
• CreateCompatibleDC.GDI32(00000000), ref: 00419D27
• CreateCompatibleDC.GDI32(?), ref: 00419D2E
• GetObjectW.GDI32(?,00000018,?), ref: 00419D3C
• CreateCompatibleBitmap.GDI32(?,?,?), ref: 00419D5E
• SelectObject.GDI32(00000000,?), ref: 00419D71
• SelectObject.GDI32(?,?), ref: 00419D7C
• StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00419D9A
• SelectObject.GDI32(00000000,?), ref: 00419DA4
• SelectObject.GDI32(?,?), ref: 00419DAC
• DeleteDC.GDI32(00000000), ref: 00419DB5
• DeleteDC.GDI32(?), ref: 00419DBA
• ReleaseDC.USER32(00000000,?), ref: 00419DC0
Memory Dump Source
• Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
Similarity
• API ID: Object$Select$CompatibleCreate$Delete$BitmapReleaseStretch
• String ID:
• API String ID: 3950507155-0
• Opcode ID: c5f4d7ef721d9f2cf6d28cde0393e927751e3943138dffdaa34ce4f2faff49d0
• Instruction ID: fe64683af8def945f8560e9c967618457674570685148338231d72a037962566
• Opcode Fuzzy Hash: c5f4d7ef721d9f2cf6d28cde0393e927751e3943138dffdaa34ce4f2faff49d0
• Instruction Fuzzy Hash: C021A076900218FFCF129FA1DC48DDEBFBAFB48350B104466F914A2120C7369A65EFA4

Control-flow Graph

APIs
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,0042D8A0,0000000C,0041E98F,00000000,00000000,?,0041FE78,0041A9BA,?,?,?,0041A9BA,00000000,?), ref: 0041E866
• __crt_waiting_on_module_handle.LIBCMT ref: 0041E871
  • Part of subcall function 00421465: Sleep.KERNEL32(000003E8,00000000,?,0041E7B7,KERNEL32.DLL,?,0041E803,?,0041FE78,0041A9BA,?,?,?,0041A9BA,00000000,?), ref: 00421471
  • Part of subcall function 00421465: GetModuleHandleW.KERNEL32(00000000,?,0041E7B7,KERNEL32.DLL,?,0041E803,?,0041FE78,0041A9BA,?,?,?,0041A9BA,00000000,?), ref: 0042147A
• GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 0041E89A
• GetProcAddress.KERNEL32(0041A9BA,DecodePointer), ref: 0041E8AA
• __lock.LIBCMT ref: 0041E8CC
• InterlockedIncrement.KERNEL32(?), ref: 0041E8D9
• __lock.LIBCMT ref: 0041E8ED
• ___addlocaleref.LIBCMT ref: 0041E90B
Memory Dump Source
• Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
                                                                                                                                        • String ID: DecodePointer$EncodePointer$KERNEL32.DLL
                                                                                                                                        • API String ID: 1028249917-2843748187
                                                                                                                                        • Opcode ID: d8a1d3b64ce03b740c9770e28a10d8a3d1cb693a8f1fd6d09f99049fe87b25f8
                                                                                                                                        • Instruction ID: 28857185edf288c115030afddfc21b3ad53991f12277c54fa87cb1ac16e0dfb5
                                                                                                                                        • Opcode Fuzzy Hash: d8a1d3b64ce03b740c9770e28a10d8a3d1cb693a8f1fd6d09f99049fe87b25f8
                                                                                                                                        • Instruction Fuzzy Hash: 82119071A40701AFD720AF36D805B9EBBE0AF44314F60456FE8A997290CB78A981CF5D

                                                                                                                                        Control-flow Graph

                                                                                                                                        control_flow_graph 312 4191d8-4191f0 call 41a7af 315 4191f1 call 41cf3e 312->315 316 4191f6-4191ff 315->316 317 419201-419203 316->317 318 419208-419225 call 41a7f7 call 41a7af 316->318 319 4192ca-4192cd 317->319 324 4192b8-4192c9 call 41a506 318->324 325 41922b-41923a call 411e81 318->325 324->319 330 41927d-419280 325->330 331 41923c-419243 325->331 332 419282-419286 330->332 333 4192a4-4192ab 330->333 334 419245-41924b 331->334 335 419276-41927b 331->335 332->333 337 419288-41928d 332->337 336 4192ac-4192b2 333->336 338 41924e-419253 334->338 335->336 336->324 336->325 337->333 339 41928f-4192a2 call 41a7f7 337->339 338->335 340 419255-419274 call 41a7f7 338->340 339->336 340->335 340->338
                                                                                                                                        APIs
                                                                                                                                        • _wcslen.LIBCMT ref: 004191E3
                                                                                                                                        • _malloc.LIBCMT ref: 004191F1
                                                                                                                                          • Part of subcall function 0041CF3E: __FF_MSGBANNER.LIBCMT ref: 0041CF61
                                                                                                                                          • Part of subcall function 0041CF3E: __NMSG_WRITE.LIBCMT ref: 0041CF68
                                                                                                                                          • Part of subcall function 0041CF3E: HeapAlloc.KERNEL32(00000000,-0000000F,00000001,00000000,00000000,?,004212F4,00000000,00000001,00000000,?,0041EF2D,00000018,0042D930,0000000C,0041EFBE), ref: 0041CFB5
                                                                                                                                        • _wcscpy.LIBCMT ref: 0041920F
                                                                                                                                        • _wcslen.LIBCMT ref: 00419215
                                                                                                                                        • _wcscpy.LIBCMT ref: 0041925D
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _wcscpy_wcslen$AllocHeap_malloc
                                                                                                                                        • String ID: $&nbsp;$<br>$<style>body{font-family:"Arial";font-size:12;}</style>
                                                                                                                                        • API String ID: 4203449756-406990186
                                                                                                                                        • Opcode ID: b9a7af0f39a4056f62aa7d377c459f50f8166c19c0f532a011f788f3a39773f3
                                                                                                                                        • Instruction ID: 0e02d37120f5dc5c9773bcbd7ae744d1444ccd80410fa70afd17435bf81929d8
                                                                                                                                        • Opcode Fuzzy Hash: b9a7af0f39a4056f62aa7d377c459f50f8166c19c0f532a011f788f3a39773f3
                                                                                                                                        • Instruction Fuzzy Hash: BF21FB76904304BBDB20AB54DC41ADAB3B4EF45314B20445BE455A7390E7BC9ED1839E

                                                                                                                                        Control-flow Graph

                                                                                                                                        control_flow_graph 345 41963b-419656 GetTickCount 346 419659-419668 345->346 348 41966a-41966d 346->348 349 41966f-419679 GetTickCount 346->349 348->349 350 4196b0-4196c2 348->350 349->350 351 41967b-41968b PeekMessageW 349->351 354 4196c4-4196c9 350->354 355 41971b-41971e 350->355 351->346 352 41968d-4196ae GetMessageW TranslateMessage DispatchMessageW 351->352 352->346 356 419711-419714 354->356 357 4196cb-4196de 354->357 358 419720-419723 355->358 359 41976a-419776 355->359 356->355 361 419716-419719 356->361 364 4196e0-4196ee 357->364 365 419708-41970d 357->365 358->359 360 419725-41972a 358->360 360->359 363 41972c-419738 call 41947d 360->363 361->355 361->359 363->359 369 41973a-419769 SetWindowPos ShowWindow SetWindowTextW call 41a506 363->369 370 4196f0-4196fc 364->370 371 4196ff-419704 364->371 365->356 369->359 370->371 371->365
                                                                                                                                        APIs
                                                                                                                                        • GetTickCount.KERNEL32 ref: 00419654
                                                                                                                                        • GetTickCount.KERNEL32 ref: 0041966F
                                                                                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00419683
                                                                                                                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00419694
                                                                                                                                        • TranslateMessage.USER32(?), ref: 0041969E
                                                                                                                                        • DispatchMessageW.USER32(?), ref: 004196A8
                                                                                                                                        • SetWindowPos.USER32(?,00000001,00000000,00000000,00000000,00000000,00000204), ref: 00419748
                                                                                                                                        • ShowWindow.USER32(?,00000005), ref: 00419753
                                                                                                                                        • SetWindowTextW.USER32(?,00000000), ref: 0041975D
                                                                                                                                          • Part of subcall function 0041A506: __lock.LIBCMT ref: 0041A524
                                                                                                                                          • Part of subcall function 0041A506: ___sbh_find_block.LIBCMT ref: 0041A52F
                                                                                                                                          • Part of subcall function 0041A506: ___sbh_free_block.LIBCMT ref: 0041A53E
                                                                                                                                          • Part of subcall function 0041A506: HeapFree.KERNEL32(00000000,00000000,0042D658,0000000C,0041EF84,00000000,0042D930,0000000C,0041EFBE,00000000,0041A9AB,?,00425448,00000004,0042DB18,0000000C), ref: 0041A56E
                                                                                                                                          • Part of subcall function 0041A506: GetLastError.KERNEL32(?,00425448,00000004,0042DB18,0000000C,0042133E,00000000,0041A9BA,00000000,00000000,00000000,?,0041E966,00000001,00000214), ref: 0041A57F
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Message$Window$CountTick$DispatchErrorFreeHeapLastPeekShowTextTranslate___sbh_find_block___sbh_free_block__lock
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1762286965-0
                                                                                                                                        • Opcode ID: 0459753bd330617b9bf5afbe23bb0f5f6ffb8490f7f9503ea0c887863e27fb98
                                                                                                                                        • Instruction ID: 0fcf3197ed2ac79a16e8f935243f891c0de6f754acb5965f6be033bd159a0870
                                                                                                                                        • Opcode Fuzzy Hash: 0459753bd330617b9bf5afbe23bb0f5f6ffb8490f7f9503ea0c887863e27fb98
                                                                                                                                        • Instruction Fuzzy Hash: F4412871A00219EFCB10EFA5C8989DEBB79FF49751B10846AF905D7250D738DE81CBA4

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                        • LoadLibraryW.KERNEL32(riched32.dll), ref: 0041A07B
                                                                                                                                        • LoadLibraryW.KERNEL32(riched20.dll), ref: 0041A084
                                                                                                                                        • OleInitialize.OLE32(00000000), ref: 0041A08B
                                                                                                                                        • InitCommonControlsEx.COMCTL32(?), ref: 0041A0A3
                                                                                                                                        • SHGetMalloc.SHELL32(0044F800), ref: 0041A0AE
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: LibraryLoad$CommonControlsInitInitializeMalloc
                                                                                                                                        • String ID: riched20.dll$riched32.dll
                                                                                                                                        • API String ID: 448729520-3294723617
                                                                                                                                        • Opcode ID: 8624e4f240296107261ce0a47b5d27c571c626025523bcd3f0aeccd25934cca6
                                                                                                                                        • Instruction ID: d62a9b991739124620cbbd73e07a01740528edc951963754c9102d88a2026b42
                                                                                                                                        • Opcode Fuzzy Hash: 8624e4f240296107261ce0a47b5d27c571c626025523bcd3f0aeccd25934cca6
                                                                                                                                        • Instruction Fuzzy Hash: EFF08271B00318AFD7209FA5DC0EB9ABBE8EF40766F50442DE54593250DBB8A4458BA9

                                                                                                                                        Control-flow Graph

                                                                                                                                        control_flow_graph 376 4192d0-4192f3 GetTickCount * 2 377 419346-419348 376->377 378 4192f5-41930c 377->378 379 41934a-41937e VariantInit 377->379 378->379 382 41930e-41931e PeekMessageW 378->382 383 419341-419343 GetTickCount 382->383 384 419320-41933b TranslateMessage DispatchMessageW GetMessageW 382->384 383->377 384->383
                                                                                                                                        APIs
                                                                                                                                        • GetTickCount.KERNEL32 ref: 004192E2
                                                                                                                                        • GetTickCount.KERNEL32 ref: 004192E7
                                                                                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00419316
                                                                                                                                        • TranslateMessage.USER32(?), ref: 00419324
                                                                                                                                        • DispatchMessageW.USER32(?), ref: 0041932E
                                                                                                                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0041933B
                                                                                                                                        • GetTickCount.KERNEL32 ref: 00419341
                                                                                                                                        • VariantInit.OLEAUT32(?), ref: 0041934E
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                        • Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Message$CountTick$DispatchInitPeekTranslateVariant
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4242828014-0
                                                                                                                                        • Opcode ID: 3739eaef324a12835188418d8e4db8062592f3b82a480bdb7c4c47042269d501
                                                                                                                                        • Instruction ID: 9cb0af2a0f3e63d9aa0a53d062aebc77c377528e3d470f830326fa06e80cb38f
                                                                                                                                        • Opcode Fuzzy Hash: 3739eaef324a12835188418d8e4db8062592f3b82a480bdb7c4c47042269d501
                                                                                                                                        • Instruction Fuzzy Hash: C121F7B1E00208AFDB10DFE4D888EEEBBBCEF48305F504866F911E7250D6799E458B61

                                                                                                                                        Control-flow Graph

                                                                                                                                        control_flow_graph 385 419ea0-419ead call 419e75 388 419ec2-419ee5 GetObjectW 385->388 389 419eaf-419ebd call 419d0b 385->389 391 419ee7 388->391 392 419ee9-419f05 CoCreateInstance 388->392 396 41a05c-41a05d 389->396 391->392 394 41a056 392->394 395 419f0b-419f23 392->395 397 41a059-41a05b 394->397 399 419f25-419f34 395->399 400 419f6a-419f70 395->400 397->396 403 419f36-419f53 399->403 404 419f5e-419f67 399->404 400->394 407 419f75-419fcc call 41a820 CreateDIBSection 403->407 408 419f55-419f5a 403->408 404->400 411 41a034-41a054 407->411 412 419fce-41a018 407->412 408->404 411->394 411->397 419 41a022-41a025 DeleteObject 412->419 420 41a01a-41a020 412->420 421 41a02b-41a030 419->421 420->421 421->411
APIs
  • Part of subcall function 00419E75: GetDC.USER32(00000000), ref: 00419E79
  • Part of subcall function 00419E75: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00419E84
  • Part of subcall function 00419E75: ReleaseDC.USER32(00000000,00000000), ref: 00419E8F
• GetObjectW.GDI32(?,00000018,?), ref: 00419ECD
• CoCreateInstance.OLE32(0042B208,00000000,00000001,0042B100,?,?,?), ref: 00419EFD
  • Part of subcall function 00419D0B: GetDC.USER32(00000000), ref: 00419D17
  • Part of subcall function 00419D0B: CreateCompatibleDC.GDI32(00000000), ref: 00419D27
  • Part of subcall function 00419D0B: CreateCompatibleDC.GDI32(?), ref: 00419D2E
  • Part of subcall function 00419D0B: GetObjectW.GDI32(?,00000018,?), ref: 00419D3C
  • Part of subcall function 00419D0B: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00419D5E
  • Part of subcall function 00419D0B: SelectObject.GDI32(00000000,?), ref: 00419D71
  • Part of subcall function 00419D0B: SelectObject.GDI32(?,?), ref: 00419D7C
  • Part of subcall function 00419D0B: StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00419D9A
  • Part of subcall function 00419D0B: SelectObject.GDI32(00000000,?), ref: 00419DA4
  • Part of subcall function 00419D0B: SelectObject.GDI32(?,?), ref: 00419DAC
  • Part of subcall function 00419D0B: DeleteDC.GDI32(00000000), ref: 00419DB5
  • Part of subcall function 00419D0B: DeleteDC.GDI32(?), ref: 00419DBA
  • Part of subcall function 00419D0B: ReleaseDC.USER32(00000000,?), ref: 00419DC0
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID: Object$CreateSelect$Compatible$DeleteRelease$BitmapCapsDeviceInstanceStretch
• String ID: (
• API String ID: 189428636-3887548279
• Opcode ID: 2c95d850f981d7af9c5ed3b9bf4fae1c522e7595f6c5569b0b0a1ef1f992ee39
• Instruction ID: d8cf3f11634150c5eb1370622c6fe0712570af28e2ae67cdae83cea958a68594
• Opcode Fuzzy Hash: 2c95d850f981d7af9c5ed3b9bf4fae1c522e7595f6c5569b0b0a1ef1f992ee39
• Instruction Fuzzy Hash: 21610875A00209EFCB00DFA5D888EEEBBB9FF89704B10845AF815EB250D7759E51CB64

APIs
• _wcslen.LIBCMT ref: 00419489
• _malloc.LIBCMT ref: 00419493
  • Part of subcall function 0041CF3E: __FF_MSGBANNER.LIBCMT ref: 0041CF61
  • Part of subcall function 0041CF3E: __NMSG_WRITE.LIBCMT ref: 0041CF68
  • Part of subcall function 0041CF3E: HeapAlloc.KERNEL32(00000000,-0000000F,00000001,00000000,00000000,?,004212F4,00000000,00000001,00000000,?,0041EF2D,00000018,0042D930,0000000C,0041EFBE), ref: 0041CFB5
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID: AllocHeap_malloc_wcslen
• String ID: </p>$</style>$<br>$<style>
• API String ID: 1868046988-1200123991
• Opcode ID: 11f98262dd591ee340f2e045aac2cbee0ec90665085e5cd499b590bf6392889c
• Instruction ID: 25e48dc46573b9320602deb0b34776bf62bfe2b29788b043e296d39cf0375d11
• Opcode Fuzzy Hash: 11f98262dd591ee340f2e045aac2cbee0ec90665085e5cd499b590bf6392889c
• Instruction Fuzzy Hash: 69412477645212B5DB315B1998217FA73A69F01754F68401BED81B32C0E76C8EC2C26D
APIs
• FileTimeToLocalFileTime.KERNEL32(?,?,?,?), ref: 00411425
• FileTimeToSystemTime.KERNEL32(?,?,?,?), ref: 00411435
• SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00411441
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0041144F
• SystemTimeToFileTime.KERNEL32(?,?), ref: 00411459
• FileTimeToSystemTime.KERNEL32(?,?,?,00000000,00000000,00000001), ref: 004114A6
• SystemTimeToFileTime.KERNEL32(?,?), ref: 00411523
Memory Dump Source
• Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID: Time$File$System$Local$Specific
• String ID:
• API String ID: 3144155402-0
• Opcode ID: dda2a11e6d76ed0c02cb1e5d6795d5acba6154e9d991bab1c61d1e0689a93e9c
• Instruction ID: 2321c29e0176793db35fe244bdb3b2ca835dfa759224b44d16608c614d02fbda
• Opcode Fuzzy Hash: dda2a11e6d76ed0c02cb1e5d6795d5acba6154e9d991bab1c61d1e0689a93e9c
• Instruction Fuzzy Hash: 40410AB1E00218AFCB14DFA9C8849EEB7F9FF48314B14852FE946E7240D778A945CB64
APIs
• __EH_prolog.LIBCMT ref: 004084F3
• GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00408516
• GetShortPathNameW.KERNEL32(?,?,00000800), ref: 00408535
  • Part of subcall function 00411E60: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,000000FF,004054EE,00000000,?,00000000,?,?), ref: 00411E76
• MoveFileW.KERNEL32(?,00000000), ref: 00408639
• MoveFileW.KERNEL32(00000000,?), ref: 0040867C
  • Part of subcall function 00410B9C: _wcsncpy.LIBCMT ref: 00410BB3
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID: FileMoveNamePath$CompareH_prologLongShortString_wcsncpy
• String ID: rtmp%d
• API String ID: 2942086052-3303766350
• Opcode ID: 59297f0ed4bdc37ef1d7502774a7e984916758b9c8b31d55678aaee556d0cc2f
• Instruction ID: 086441498323e4bc326e09acd5d1366d0aff3811eaae5beb392a373780c828d6
• Opcode Fuzzy Hash: 59297f0ed4bdc37ef1d7502774a7e984916758b9c8b31d55678aaee556d0cc2f
• Instruction Fuzzy Hash: DE415E71901218AACB20EB61CE45EDF777CAF00394F0008ABB585B7181EA7D9B959E68
APIs
• __EH_prolog.LIBCMT ref: 0040680F
  • Part of subcall function 00402C8B: __EH_prolog.LIBCMT ref: 00402C90
• SetFileSecurityW.ADVAPI32(00000000,00000007,?,?,?,?,00000000,?,00406EF5,?,?,?,?,0040773A,?,?), ref: 00406897
• SetFileSecurityW.ADVAPI32(?,00000007,?,00000000,?,00000800,?,0040773A,?,?,?,?,?,00000000,0040839C,?), ref: 004068BE
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID: FileH_prologSecurity
• String ID: @Oiu0hu$SeRestorePrivilege$SeSecurityPrivilege
• API String ID: 2167059215-3865491934
• Opcode ID: e93da029cabc767ec1c392023e62d2c0e7b38da0f3cec8ffbaba9f3ed0ece07f
• Instruction ID: e80266907105dbdc6ea336272c15ef3f26093cba4c1f52b7c6092cd65192489b
• Opcode Fuzzy Hash: e93da029cabc767ec1c392023e62d2c0e7b38da0f3cec8ffbaba9f3ed0ece07f
• Instruction Fuzzy Hash: 8D219372901259BEDF21AF55DC01BAF77689B04758F00803BF802B62C1C7BC8A559BAD
APIs
• SystemTimeToFileTime.KERNEL32(?,004116A7,?,?), ref: 00411592
• LocalFileTimeToFileTime.KERNEL32(004116A7,?), ref: 004115BE
• FileTimeToSystemTime.KERNEL32(004116A7,?), ref: 004115D4
• TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 004115E4
• SystemTimeToFileTime.KERNEL32(?,?), ref: 004115F2
• SystemTimeToFileTime.KERNEL32(?,?), ref: 004115FC
Memory Dump Source
• Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID: Time$File$System$Local$Specific
• String ID:
• API String ID: 3144155402-0
• Opcode ID: 25928130b54ac9dd7b7fac3ffeb54b87ab731dc14cadb33affbf70a2fa674ade
• Instruction ID: daaaa78088cd12f13caf2716ff388f37494b9d87aa27411613d97d80370a29eb
• Opcode Fuzzy Hash: 25928130b54ac9dd7b7fac3ffeb54b87ab731dc14cadb33affbf70a2fa674ade
• Instruction Fuzzy Hash: 92313276D001199BCB14DFD4C840AEFB7B9FF48710F04452AE946E3250E634A945CBA9
                                                                                                                                        APIs
                                                                                                                                        • __CreateFrameInfo.LIBCMT ref: 0041DDAD
                                                                                                                                          • Part of subcall function 0041A3D6: __getptd.LIBCMT ref: 0041A3E4
                                                                                                                                          • Part of subcall function 0041A3D6: __getptd.LIBCMT ref: 0041A3F2
                                                                                                                                        • __getptd.LIBCMT ref: 0041DDB7
                                                                                                                                          • Part of subcall function 0041E9B4: __getptd_noexit.LIBCMT ref: 0041E9B7
                                                                                                                                          • Part of subcall function 0041E9B4: __amsg_exit.LIBCMT ref: 0041E9C4
                                                                                                                                        • __getptd.LIBCMT ref: 0041DDC5
                                                                                                                                        • __getptd.LIBCMT ref: 0041DDD3
                                                                                                                                        • __getptd.LIBCMT ref: 0041DDDE
                                                                                                                                        • _CallCatchBlock2.LIBCMT ref: 0041DE04
                                                                                                                                          • Part of subcall function 0041A47B: __CallSettingFrame@12.LIBCMT ref: 0041A4C7
                                                                                                                                          • Part of subcall function 0041DEAB: __getptd.LIBCMT ref: 0041DEBA
                                                                                                                                          • Part of subcall function 0041DEAB: __getptd.LIBCMT ref: 0041DEC8
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                         • Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1602911419-0
                                                                                                                                        • Opcode ID: 5eb10d2cb4eb5e2da6c5453d1fe4c56248c4e16d68a7da2668f442ad0aab7930
                                                                                                                                        • Instruction ID: e3df1943845817192d3dafa627097d3dc4affc0cfff12b6418408f9c93a4c95a
                                                                                                                                        • Opcode Fuzzy Hash: 5eb10d2cb4eb5e2da6c5453d1fe4c56248c4e16d68a7da2668f442ad0aab7930
                                                                                                                                        • Instruction Fuzzy Hash: 9E1126B1D00209DFDF00EFA1C445AED7BB0FF04318F10806AF854AB251DB389A519B59
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                         • Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _memset$H_prolog
                                                                                                                                        • String ID: r
                                                                                                                                        • API String ID: 3013590873-3291565091
                                                                                                                                        • Opcode ID: adb95f05f7a194937a5df8f484bb6bf36145664ded8c6b0a2324601c3f7e7fd4
                                                                                                                                        • Instruction ID: fcb346f71e1c6521d09fa93fcec7134e0802dca7d1a5d7d76298086db4932847
                                                                                                                                        • Opcode Fuzzy Hash: adb95f05f7a194937a5df8f484bb6bf36145664ded8c6b0a2324601c3f7e7fd4
                                                                                                                                        • Instruction Fuzzy Hash: 880144B17417407AD220EB669C46FEBBAA8DB85B18F00041FB255661C2C7FC5941CA9D
                                                                                                                                        APIs
                                                                                                                                        • __getptd.LIBCMT ref: 0041DAEE
                                                                                                                                          • Part of subcall function 0041E9B4: __getptd_noexit.LIBCMT ref: 0041E9B7
                                                                                                                                          • Part of subcall function 0041E9B4: __amsg_exit.LIBCMT ref: 0041E9C4
                                                                                                                                        • __getptd.LIBCMT ref: 0041DAFF
                                                                                                                                        • __getptd.LIBCMT ref: 0041DB0D
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                         • Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                                                                        • String ID: MOC$csm
                                                                                                                                        • API String ID: 803148776-1389381023
                                                                                                                                        • Opcode ID: ff76af2ab1f2bc655f60c8d28124db9f091a0a07b538bc98cf4441336e04e070
                                                                                                                                        • Instruction ID: 7ce874268d128f0e9cc5e4e4439fd54cca852ebc00a18d755191ea46e2ae681e
                                                                                                                                        • Opcode Fuzzy Hash: ff76af2ab1f2bc655f60c8d28124db9f091a0a07b538bc98cf4441336e04e070
                                                                                                                                        • Instruction Fuzzy Hash: 8EE048755141048FDB50976AC445FA93394EB48318F1504A7E80CC7353D77CE8C0558B
                                                                                                                                        APIs
                                                                                                                                        • __getptd.LIBCMT ref: 00421BB3
                                                                                                                                          • Part of subcall function 0041E9B4: __getptd_noexit.LIBCMT ref: 0041E9B7
                                                                                                                                          • Part of subcall function 0041E9B4: __amsg_exit.LIBCMT ref: 0041E9C4
                                                                                                                                        • __amsg_exit.LIBCMT ref: 00421BD3
                                                                                                                                        • __lock.LIBCMT ref: 00421BE3
                                                                                                                                        • InterlockedDecrement.KERNEL32(?), ref: 00421C00
                                                                                                                                        • InterlockedIncrement.KERNEL32(00741690), ref: 00421C2B
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                         • Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4271482742-0
                                                                                                                                        • Opcode ID: ebc1e90ea7ebb2cd7a70d9e2b8ecced687c6613aa7d00b2615dd79ed11a35268
                                                                                                                                        • Instruction ID: 6d4d6cab2ca80c9586acdc371c3e58b42f7918e3e726cea937426c24952e9619
                                                                                                                                        • Opcode Fuzzy Hash: ebc1e90ea7ebb2cd7a70d9e2b8ecced687c6613aa7d00b2615dd79ed11a35268
                                                                                                                                        • Instruction Fuzzy Hash: 8401C439B40731ABC728AF56A40679E7760BF10724F94012BE804AB3A1CB3C6991DBDD
                                                                                                                                        APIs
                                                                                                                                        • __lock.LIBCMT ref: 0041A524
                                                                                                                                          • Part of subcall function 0041EFA3: __mtinitlocknum.LIBCMT ref: 0041EFB9
                                                                                                                                          • Part of subcall function 0041EFA3: __amsg_exit.LIBCMT ref: 0041EFC5
                                                                                                                                          • Part of subcall function 0041EFA3: EnterCriticalSection.KERNEL32(0041A9AB,0041A9AB,?,00425448,00000004,0042DB18,0000000C,0042133E,00000000,0041A9BA,00000000,00000000,00000000,?,0041E966,00000001), ref: 0041EFCD
                                                                                                                                        • ___sbh_find_block.LIBCMT ref: 0041A52F
                                                                                                                                        • ___sbh_free_block.LIBCMT ref: 0041A53E
                                                                                                                                        • HeapFree.KERNEL32(00000000,00000000,0042D658,0000000C,0041EF84,00000000,0042D930,0000000C,0041EFBE,00000000,0041A9AB,?,00425448,00000004,0042DB18,0000000C), ref: 0041A56E
                                                                                                                                        • GetLastError.KERNEL32(?,00425448,00000004,0042DB18,0000000C,0042133E,00000000,0041A9BA,00000000,00000000,00000000,?,0041E966,00000001,00000214), ref: 0041A57F
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                         • Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2714421763-0
                                                                                                                                        • Opcode ID: 1eba3eb2bfd23f5b1e043426ba5b029f38dd9947a11c8dba489f2cac3b6c6ae4
                                                                                                                                        • Instruction ID: 0c17081243acc93c5e04f74f5850e91c5e9c62578e05a8caa74c22d26ff5c9bd
                                                                                                                                        • Opcode Fuzzy Hash: 1eba3eb2bfd23f5b1e043426ba5b029f38dd9947a11c8dba489f2cac3b6c6ae4
                                                                                                                                        • Instruction Fuzzy Hash: 1D01847194A215BBDB306BB29C067DE3B65AF00798F10012BFC0496291DB3C86D19A5E
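The function records on this page (the CRT-only block at 0041DAEE, the Interlocked block at 00421BB3 and the HeapFree block at 0041A524 directly above) are quicker to triage in bulk than by eye. The Python below is an added example, not part of the Joe Sandbox report or of Joe Sandbox's tooling: it parses records in the layout printed here, keeps only the calls a function makes itself (lines marked "Part of subcall function" belong to callees), classifies each function as MSVC CRT boilerplate or as one that reaches Win32 imports, and cross-checks the String ID and API String ID fields. The embedded sample is an abridged copy of three records from this page with argument lists shortened; the header names and the regex over the "name.MODULE(args), ref: addr" line layout are assumptions taken from what the page shows.

```python
# Triage of Joe Sandbox IDA-plugin function records. Added example, not code from
# the report or from Joe Sandbox: it separates MSVC CRT boilerplate (LIBCMT) from
# functions that call Win32 imports directly, which is where analyst time belongs.
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Abridged copies of three records from the report above (indentation, the
# "Download File" link residue and long argument lists trimmed).
SAMPLE_RECORDS = """\
APIs
• __getptd.LIBCMT ref: 0041DAEE
  • Part of subcall function 0041E9B4: __getptd_noexit.LIBCMT ref: 0041E9B7
  • Part of subcall function 0041E9B4: __amsg_exit.LIBCMT ref: 0041E9C4
Strings
Similarity
• API ID: __getptd$__amsg_exit__getptd_noexit
• String ID: MOC$csm
• API String ID: 803148776-1389381023
• Instruction Fuzzy Hash: 8EE048755141048FDB50976AC445FA93394EB48318F1504A7E80CC7353D77CE8C0558B
APIs
• __getptd.LIBCMT ref: 00421BB3
  • Part of subcall function 0041E9B4: __amsg_exit.LIBCMT ref: 0041E9C4
• __lock.LIBCMT ref: 00421BE3
• InterlockedDecrement.KERNEL32(?), ref: 00421C00
• InterlockedIncrement.KERNEL32(00741690), ref: 00421C2B
Similarity
• API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
• String ID:
• API String ID: 4271482742-0
• Instruction Fuzzy Hash: 8401C439B40731ABC728AF56A40679E7760BF10724F94012BE804AB3A1CB3C6991DBDD
APIs
• __lock.LIBCMT ref: 0041A524
  • Part of subcall function 0041EFA3: EnterCriticalSection.KERNEL32(0041A9AB,0041A9AB,?,00425448), ref: 0041EFCD
• ___sbh_find_block.LIBCMT ref: 0041A52F
• HeapFree.KERNEL32(00000000,00000000,0042D658,0000000C), ref: 0041A56E
• GetLastError.KERNEL32(?,00425448,00000004,0042DB18), ref: 0041A57F
Similarity
• API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
• String ID:
• API String ID: 2714421763-0
• Instruction Fuzzy Hash: 1D01847194A215BBDB306BB29C067DE3B65AF00798F10012BFC0496291DB3C86D19A5E
"""

# Section headers as the report prints them (assumed from the page layout).
HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Yara matches", "Similarity"}
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[\w@]+)\.(?P<module>[A-Z0-9]+)(?:\([^)]*\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})$")
FIELD_LINE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>.*)$")

@dataclass
class ApiCall:
    name: str
    module: str
    ref: int                # call-site address
    subcall_of: int | None  # callee address when listed as "Part of subcall function"

@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    similarity: dict[str, str] = field(default_factory=dict)
    def direct_imports(self) -> list[str]:
        # Non-CRT APIs the function itself calls; subcall lines belong to callees.
        return sorted({a.name for a in self.apis if a.subcall_of is None and a.module != "LIBCMT"})
    def classify(self) -> str:
        direct = [a for a in self.apis if a.subcall_of is None]
        if not direct:
            return "no-apis"
        return "crt-runtime" if all(a.module == "LIBCMT" for a in direct) else "imports"

def parse_records(text: str) -> list[FunctionRecord]:
    """Split report text into records; every record opens with its APIs block."""
    records: list[FunctionRecord] = []
    current, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADERS:
            if line == "APIs":
                current = FunctionRecord()
                records.append(current)
            section = line
        elif current is not None and section == "APIs" and (m := API_LINE.match(line)):
            current.apis.append(ApiCall(m["name"], m["module"], int(m["ref"], 16),
                                        int(m["sub"], 16) if m["sub"] else None))
        elif current is not None and section == "Similarity" and (m := FIELD_LINE.match(line)):
            current.similarity[m["key"]] = m["value"]
    return records

def split_api_string_id(value: str) -> tuple[int, int]:
    """'803148776-1389381023' -> (803148776, 1389381023)."""
    api_part, string_part = value.split("-", 1)
    return int(api_part), int(string_part)

def check_record(rec: FunctionRecord) -> list[str]:
    """In the report the second half of API String ID is 0 exactly when String ID is empty."""
    sim, problems = rec.similarity, []
    _, string_hash = split_api_string_id(sim.get("API String ID", "0-0"))
    if (string_hash == 0) != (sim.get("String ID", "") == ""):
        problems.append("String ID and API String ID disagree")
    if not re.fullmatch(r"[0-9A-F]+", sim.get("Instruction Fuzzy Hash", "")):
        problems.append("Instruction Fuzzy Hash is not upper-case hex")
    return problems
```

Run over a full report export, the classification lets an analyst skip the MSVC exception-handling and small-block-heap helpers (`__getptd`, `__CallSettingFrame@12`, `___sbh_free_block`) and go straight to functions that touch process state, such as the one at 00411135 below that releases a semaphore and deletes a critical section.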
                                                                                                                                        APIs
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                         • Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                         • Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID: _wcslen$CompareString
• String ID:
• API String ID: 3397213944-0
• Opcode ID: a78696411e0fb58170a85e42f91a72465e9b1cb7d1a352a10a0ff52bf1fcbbb8
• Instruction ID: fd224344e63f22d7e065bf6fa160c6ce473b51916626f6dd2966927fcf662de7
• Opcode Fuzzy Hash: a78696411e0fb58170a85e42f91a72465e9b1cb7d1a352a10a0ff52bf1fcbbb8
• Instruction Fuzzy Hash: 5FF02436148148BFDF126F92EC01CDE3F26DB81375B244027FE298A0A0D635C9A29789
APIs
  • Part of subcall function 0041102B: ResetEvent.KERNEL32(?,00000200,?,?,00405016), ref: 00411051
  • Part of subcall function 0041102B: ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 00411061
• ReleaseSemaphore.KERNEL32(?,00000020,00000000,?,?,0044F590,00411241,?,00401024,?,?,0040128E), ref: 00411135
• CloseHandle.KERNEL32(00000003,00000003,?,?,0044F590,00411241,?,00401024,?,?,0040128E), ref: 00411156
• DeleteCriticalSection.KERNEL32(?,?,0044F590,00411241,?,00401024,?,?,0040128E), ref: 0041116C
• CloseHandle.KERNEL32(?,?,0044F590,00411241,?,00401024,?,?,0040128E), ref: 00411178
• CloseHandle.KERNEL32(?,?,0044F590,00411241,?,00401024,?,?,0040128E), ref: 00411180
  • Part of subcall function 00410EA0: WaitForSingleObject.KERNEL32(?,000000FF,0041106E,?), ref: 00410EA6
  • Part of subcall function 00410EA0: GetLastError.KERNEL32(?), ref: 00410EB2
Memory Dump Source
• Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
• String ID:
• API String ID: 1868215902-0
• Opcode ID: 0382d21baac6a1741122a34ea6855b84d6e50229a7b3d3c8aab95350a1ea80c2
• Instruction ID: 628da898c48b8095e2505876ae832dd6733ab043d372e65b09dbeb3e2adc3a3f
• Opcode Fuzzy Hash: 0382d21baac6a1741122a34ea6855b84d6e50229a7b3d3c8aab95350a1ea80c2
• Instruction Fuzzy Hash: F9F06275101704AFD7206B70DC45BD7BBA5EB0A354F00042AF7AA41120CB7768A19B29
APIs
• __EH_prolog.LIBCMT ref: 00416795
  • Part of subcall function 004129F9: _realloc.LIBCMT ref: 00412A51
  • Part of subcall function 0041A89A: _malloc.LIBCMT ref: 0041A8B4
• _memset.LIBCMT ref: 004169F6
• _memset.LIBCMT ref: 00416BB0
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID: _memset$H_prolog_malloc_realloc
• String ID:
• API String ID: 1826288403-3916222277
• Opcode ID: e35177213208d61a0a763407be839d455d7b5a86de6920380dbe57b4c94731d4
• Instruction ID: b2eea235d821e150737843ebb12b5e68f22e0a3d12c725fcd3f3b3fef6346f43
• Opcode Fuzzy Hash: e35177213208d61a0a763407be839d455d7b5a86de6920380dbe57b4c94731d4
• Instruction Fuzzy Hash: 92E1BF71A007499FCB10EF65C980BEEB7B1FF14304F11482EE956A7281DB39E991CB59
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID: _wcscpy
• String ID: T
• API String ID: 3048848545-3187964512
• Opcode ID: 764e4e8a4f4e8074cd2997a40fed6d08be93389de6c886212a83cd10804fca37
• Instruction ID: 08ee224434b4342d1c159c2c22343cdeaadf414e9d08c0d11a019e9d32988bbe
• Opcode Fuzzy Hash: 764e4e8a4f4e8074cd2997a40fed6d08be93389de6c886212a83cd10804fca37
• Instruction Fuzzy Hash: 99910871600744AFDF24DF64C884BEAB7F8AF15304F0445AFE95997282CB78AAC4CB65
APIs
• __EH_prolog.LIBCMT ref: 00406D07
• _wcscpy.LIBCMT ref: 00406D3A
  • Part of subcall function 00410BC9: _wcslen.LIBCMT ref: 00410BCF
  • Part of subcall function 00410BC9: _wcsncat.LIBCMT ref: 00410BE8
• SetFileTime.KERNEL32(?,?,?,?,00000000,00000005,?,00000011,00000000,?,00000000,?,0000003A,00000802,?,00000000), ref: 00406E78
  • Part of subcall function 0040908D: SetFileAttributesW.KERNEL32(00000000,00000000,75573110,00000001,?,0040933D,00000000,?,?,0040941E,?,00000001,00000000,?,?), ref: 004090A8
  • Part of subcall function 0040908D: SetFileAttributesW.KERNEL32(?,00000000,00000000,?,00000800,?,0040933D,00000000,?,?,0040941E,?,00000001,00000000,?,?), ref: 004090D5
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID: File$Attributes$H_prologTime_wcscpy_wcslen_wcsncat
• String ID: :
• API String ID: 326910402-336475711
• Opcode ID: f5173041702b61483f3d104a7baf222bf5bcfa3b9d9a113727e24170d826f752
• Instruction ID: 6639f4f99703ce1112f5787d69d8c123706ab186ca62756c3ad703d048bc38cc
• Opcode Fuzzy Hash: f5173041702b61483f3d104a7baf222bf5bcfa3b9d9a113727e24170d826f752
• Instruction Fuzzy Hash: D0417F71905258AAEB20EB64CC55EEE737CAF04344F0040ABB556B71C2DB78AF94CF69
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID: Exception@8Throw_memset
• String ID:
• API String ID: 3963884845-3916222277
• Opcode ID: f121cb723b88151b8d7c29095ae3e5beb5fa647253e82d4155322dd225e1007f
• Instruction ID: ba4e6bc0ef6041dd665025fb65f45a384477b48ee7e133f8ed84bbd0a598a512
• Opcode Fuzzy Hash: f121cb723b88151b8d7c29095ae3e5beb5fa647253e82d4155322dd225e1007f
• Instruction Fuzzy Hash: 60110671E01218BACB14EFA9CAD55DEB776FF54344F10406BE405E7241D6B85BD2CB88
APIs
• InitializeCriticalSection.KERNEL32(000001A0,?,000001B8,0044F590,004110EE,00000020,?,00000000,?,0041776B,00000001,00000001,?,00000000,?,00402D2B), ref: 00410F62
• CreateSemaphoreW.KERNEL32(00000000,00000000,00000020,00000000,?,00000000,?,0041776B,00000001,00000001,?,00000000,?,00402D2B,?,00000802), ref: 00410F6C
• CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,00000000,?,0041776B,00000001,00000001,?,00000000,?,00402D2B,?,00000802), ref: 00410F7E
Strings
• Thread pool initialization failed., xrefs: 00410F96
Memory Dump Source
• Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID: Create$CriticalEventInitializeSectionSemaphore
• String ID: Thread pool initialization failed.
• API String ID: 3340455307-2182114853
• Opcode ID: 5d2de00027b14f6e07390935bc826641c20494178e34cc3b56ee4834533d8747
• Instruction ID: 3f206ddc5264aa259e24750db78c3e6b08f6c9018291aa2998b68a3e9789e537
• Opcode Fuzzy Hash: 5d2de00027b14f6e07390935bc826641c20494178e34cc3b56ee4834533d8747
• Instruction Fuzzy Hash: FF115EB1600301AFD3305F659886BE7BBE8FB55315F60482FF6DAC6240D6B458C1CB18
APIs
• SHGetMalloc.SHELL32(?), ref: 004050F5
• SHBrowseForFolderW.SHELL32(?), ref: 00405130
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: BrowseFolderMalloc
                                                                                                                                        • String ID: A
                                                                                                                                        • API String ID: 3812826013-3554254475
                                                                                                                                        • Opcode ID: 38b49180d38aa256d497848d66ef1996a2da1d611468f43139da5b44fce9136b
                                                                                                                                        • Instruction ID: 7c691baa3b27f7502734ebd35b11d26621297010b335108cc4fc530f71bfb90e
                                                                                                                                        • Opcode Fuzzy Hash: 38b49180d38aa256d497848d66ef1996a2da1d611468f43139da5b44fce9136b
                                                                                                                                        • Instruction Fuzzy Hash: F0010572900619EBDB11CFA4D909BEF7BF8EF49311F204466E805EB240D779DA058FA5
APIs
• ___BuildCatchObject.LIBCMT ref: 0041E145
  • Part of subcall function 0041E0A0: ___BuildCatchObjectHelper.LIBCMT ref: 0041E0D6
• _UnwindNestedFrames.LIBCMT ref: 0041E15C
• ___FrameUnwindToState.LIBCMT ref: 0041E16A
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
• String ID: csm
• API String ID: 2163707966-1018135373
• Opcode ID: ffb5442ac62a4f85a48ef68d244cd4b92cff39c7c80ea712eb3c4bba393a9d17
• Instruction ID: 59b9ad28f981bea14fd5052789bebdc6dccf333051ec123e92fb5a6599f75b08
• Opcode Fuzzy Hash: ffb5442ac62a4f85a48ef68d244cd4b92cff39c7c80ea712eb3c4bba393a9d17
• Instruction Fuzzy Hash: 14012479401109BBDF126E52CC45EEB3F6AEF09398F044016FD1815261DB3AA8B1EBA9
APIs
• GetModuleHandleA.KERNEL32(KERNEL32,0041D860), ref: 00423468
• GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00423478
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc
• String ID: IsProcessorFeaturePresent$KERNEL32
• API String ID: 1646373207-3105848591
• Opcode ID: 7ab99d9e72488d8bf21e4bf78f78cc33f843bd022a3d825351adfd90e0f12518
• Instruction ID: 925bd1e911d968a2cf7935e923f91739ef174afc765d351c528eb22c7f6e48fa
• Opcode Fuzzy Hash: 7ab99d9e72488d8bf21e4bf78f78cc33f843bd022a3d825351adfd90e0f12518
• Instruction Fuzzy Hash: C7F03060B00A1AD2DB116FA1BC1A67F7B78FB80742FD105D1D6D5E0084DF7885B1D38A
APIs
• GetClassNameW.USER32(?,?,00000050), ref: 00419CC9
• SHAutoComplete.SHLWAPI(?,00000010), ref: 00419D00
  • Part of subcall function 00411E60: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,000000FF,004054EE,00000000,?,00000000,?,?), ref: 00411E76
• FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00419CF0
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID: AutoClassCompareCompleteFindNameStringWindow
• String ID: EDIT
• API String ID: 4243998846-3080729518
• Opcode ID: b027ed5b97d113a91e8e700dc85ec23dd11054ff1df16afbaa6f3d453c1c9159
• Instruction ID: c03662b206b47bf0f9187f3c1687b62eae72e09aaad69f108c393d7fbd584eff
• Opcode Fuzzy Hash: b027ed5b97d113a91e8e700dc85ec23dd11054ff1df16afbaa6f3d453c1c9159
• Instruction Fuzzy Hash: 3CF0E232300219BBDB305A15AD05FEB36BC9F86B40F840066FE01E2280EB68D84285BA
APIs
• LoadCursorW.USER32(00000000,00007F00), ref: 00419A6D
• RegisterClassExW.USER32(00000030), ref: 00419A8E
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID: ClassCursorLoadRegister
• String ID: 0$RarHtmlClassName
• API String ID: 1693014935-3342523147
• Opcode ID: 191bbc33d2b33050640957ba9683b50acfea39c34108bf4aa43fc12e5a7eb183
• Instruction ID: b9ed7023dc6f3226d58ddf2044dfc6b29f2317d5cd4a011e6e0fd8f9270d308a
• Opcode Fuzzy Hash: 191bbc33d2b33050640957ba9683b50acfea39c34108bf4aa43fc12e5a7eb183
• Instruction Fuzzy Hash: 81F0F2B1D00228ABCB019F9AD844AEEFBF8FF98304F10805BE500B6250D7B916018FA9
APIs
• GetModuleHandleW.KERNEL32(kernel32), ref: 00410E21
• GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00410E31
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc
• String ID: SetDllDirectoryW$kernel32
• API String ID: 1646373207-2052158636
• Opcode ID: 613fa81eedf6cfefe4bb79f79fd7d80da4da150b27e50d1fb967e6d6e35de1a2
• Instruction ID: d1dc000951ac042e8af12af71ac4f40d64c7c6d3e89629ddd7054994e9706fe8
• Opcode Fuzzy Hash: 613fa81eedf6cfefe4bb79f79fd7d80da4da150b27e50d1fb967e6d6e35de1a2
• Instruction Fuzzy Hash: 2BD0A7B03243215797282B729C1AB2B65584B50F027944D3E7E0AC0080CA6DC0A0853F
APIs
• CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,?,?,00407536,?,?,?), ref: 004091CD
• CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00407536,?,?,?,?), ref: 00409204
• SetFileTime.KERNEL32(?,00000000,00000000,00000000,?,00407536,?,?,?,?), ref: 00409275
• CloseHandle.KERNEL32(?,?,00407536,?,?,?,?), ref: 0040927E
Memory Dump Source
• Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID: File$Create$CloseHandleTime
• String ID:
• API String ID: 2287278272-0
• Opcode ID: 6a8276f57ee53cdbc91cc020f39a17d418f5c9fb0df3296a94224ec9e042af11
• Instruction ID: 149005b1c5d3a5dbb79089aff48ec9cca0dae1d541df05bff41c4f18bd56acf5
• Opcode Fuzzy Hash: 6a8276f57ee53cdbc91cc020f39a17d418f5c9fb0df3296a94224ec9e042af11
• Instruction Fuzzy Hash: 1141A131A00248BEEF12DBA4CC49FEE7BB89F05304F1445AAF851BB2D2C6789E45D755
APIs
• CreateFileW.KERNEL32(?,-7FFFF7FE,?,00000000,00000003,-00000001,00000000,00000802,00000000,?,00000000,00406E59,00000000,00000005,?,00000011), ref: 00408854
• GetLastError.KERNEL32(?,00000000,00406E59,00000000,00000005,?,00000011,00000000,?,00000000,?,0000003A,00000802,?,00000000,00000802), ref: 0040885D
• CreateFileW.KERNEL32(?,-7FFFF7FE,?,00000000,00000003,00000000,00000000,?,?,00000800,?,00000000,00406E59,00000000,00000005,?), ref: 00408895
• GetLastError.KERNEL32(?,00000000,00406E59,00000000,00000005,?,00000011,00000000,?,00000000,?,0000003A,00000802,?,00000000,00000802), ref: 00408899
Memory Dump Source
• Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID: CreateErrorFileLast
• String ID:
• API String ID: 1214770103-0
• Opcode ID: af91fa9e31fc35479b06de1e2718df4f2ae689f678c6a4dec4fb7829a965a613
• Instruction ID: e5fec55928a071c2e3d1b6f10086eb5e0cd4d8e33465c7e2028d9d916ffc9c2f
• Opcode Fuzzy Hash: af91fa9e31fc35479b06de1e2718df4f2ae689f678c6a4dec4fb7829a965a613
• Instruction Fuzzy Hash: 083169725047449BE7309B20CD05BEB77D4AB80318F104A2EF9D0A33C2DBBE9548D75A
APIs
• __EH_prolog.LIBCMT ref: 00401827
  • Part of subcall function 00405F3C: __EH_prolog.LIBCMT ref: 00405F41
  • Part of subcall function 00405F3C: _memset.LIBCMT ref: 00405FA4
  • Part of subcall function 00405F3C: _memset.LIBCMT ref: 00405FB0
  • Part of subcall function 00405F3C: _memset.LIBCMT ref: 00405FCE
• _memset.LIBCMT ref: 0040196A
• _memset.LIBCMT ref: 00401979
• _memset.LIBCMT ref: 00401988
  • Part of subcall function 0041A89A: _malloc.LIBCMT ref: 0041A8B4
Memory Dump Source
• Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID: _memset$H_prolog$_malloc
• String ID:
• API String ID: 4233843809-0
• Opcode ID: 501c6eee4a7241d63770c4c2f1de26fd54ae9709b4e94646da0b45a51fa4183c
• Instruction ID: 211b101a5e2dbba32f2c8dae62910ed897794103f7d8a7f2ed724c9505602145
• Opcode Fuzzy Hash: 501c6eee4a7241d63770c4c2f1de26fd54ae9709b4e94646da0b45a51fa4183c
• Instruction Fuzzy Hash: 865127B1445F809EC321DF7988916D7FFE0AF29314F84496E91FE93282D7352658CB29
APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00425002
• __isleadbyte_l.LIBCMT ref: 00425036
• MultiByteToWideChar.KERNEL32(00000080,00000009,0041A9BA,?,00000000,00000000,?,?,?,?,0041A9BA,00000000,?), ref: 00425067
• MultiByteToWideChar.KERNEL32(00000080,00000009,0041A9BA,00000001,00000000,00000000,?,?,?,?,0041A9BA,00000000,?), ref: 004250D5
Memory Dump Source
• Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
• String ID:
• API String ID: 3058430110-0
• Opcode ID: 5ede48c89caf3767bd10844c4e2adb50473344288511d083f5bbcd5d287f352f
• Instruction ID: 432046cfce088e341913eb2016d1b5e66f5b1b0e2666f0ac1bd271c546b36d2c
• Opcode Fuzzy Hash: 5ede48c89caf3767bd10844c4e2adb50473344288511d083f5bbcd5d287f352f
• Instruction Fuzzy Hash: C831D131B00265EFDB20DF64EC809BA7BA0EF41310F5685AAE4618B2D1D735D981DB99
APIs
Memory Dump Source
• Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID: _memset$H_prolog_malloc
• String ID:
• API String ID: 1600808285-0
• Opcode ID: 75873b8bc138ad3d6f3cbaf08acd952bbb3a9c6cdc0421f6e50df2b8bea4b983
• Instruction ID: 702ce421a693160a9893d7f58a622c69960126b9ff2eeb296b605b135dd4a1ff
• Opcode Fuzzy Hash: 75873b8bc138ad3d6f3cbaf08acd952bbb3a9c6cdc0421f6e50df2b8bea4b983
• Instruction Fuzzy Hash: F831D4B1E01215ABDB14AF65D9057EB76A8FF14319F10013FE105E7281E7789E9087ED
APIs
• GetStdHandle.KERNEL32(000000F6,004335AC,?,00000000,?,?,00408EB0,?,00000000,?,?,00000000), ref: 00408CB1
• ReadFile.KERNEL32(?,?,?,00000000,00000000,004335AC,?,00000000,?,?,00408EB0,?,00000000,?,?,00000000), ref: 00408CC9
• GetLastError.KERNEL32(?,00408EB0,?,00000000,?,?,00000000), ref: 00408D01
• GetLastError.KERNEL32(?,00408EB0,?,00000000,?,?,00000000), ref: 00408D1C
Memory Dump Source
• Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID: ErrorLast$FileHandleRead
• String ID:
• API String ID: 2244327787-0
• Opcode ID: c1fed62a9ea2a8515d50b02984c21f09fd940ae1629289a4c1ded04f954c3d6f
• Instruction ID: b149f771e66fe820b49a3db0cdc04a66bbf6f60059da98a6e892905e95da3d99
• Opcode Fuzzy Hash: c1fed62a9ea2a8515d50b02984c21f09fd940ae1629289a4c1ded04f954c3d6f
• Instruction Fuzzy Hash: B411A734504608EFEB205B50DA4096A37A8FF71374B10863FE996A52D1DE3DCD41DF2A
APIs
Memory Dump Source
• Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID: _memset
• String ID:
• API String ID: 2102423945-0
• Opcode ID: 0d338722b2e3e51696f4e1a05dd7a6835afd7bcab5979c6f78e2f817af711592
• Instruction ID: dbb621f027503421eccd8689c294ebf88999011181a54c0115c225b35bd7b5a3
• Opcode Fuzzy Hash: 0d338722b2e3e51696f4e1a05dd7a6835afd7bcab5979c6f78e2f817af711592
• Instruction Fuzzy Hash: 9811487164478069E220EA7A4C46FE3B6DD9B1931CF44883FF2DEC7183C6AA6846C756
APIs
• __EH_prolog.LIBCMT ref: 00411077
• EnterCriticalSection.KERNEL32(0044F590,?,00000000,?,0041776B,00000001,00000001,?,00000000,?,00402D2B,?,00000802), ref: 00411085
• LeaveCriticalSection.KERNEL32(0044F590,?,00000000,?,0041776B,00000001,00000001,?,00000000,?,00402D2B,?,00000802), ref: 004110F5
  • Part of subcall function 0041A89A: _malloc.LIBCMT ref: 0041A8B4
• LeaveCriticalSection.KERNEL32(0044F590,?,00000000,?,0041776B,00000001,00000001,?,00000000,?,00402D2B,?,00000802), ref: 00411100
  • Part of subcall function 00410F29: InitializeCriticalSection.KERNEL32(000001A0,?,000001B8,0044F590,004110EE,00000020,?,00000000,?,0041776B,00000001,00000001,?,00000000,?,00402D2B), ref: 00410F62
  • Part of subcall function 00410F29: CreateSemaphoreW.KERNEL32(00000000,00000000,00000020,00000000,?,00000000,?,0041776B,00000001,00000001,?,00000000,?,00402D2B,?,00000802), ref: 00410F6C
  • Part of subcall function 00410F29: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,00000000,?,0041776B,00000001,00000001,?,00000000,?,00402D2B,?,00000802), ref: 00410F7E
Memory Dump Source
• Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID: CriticalSection$CreateLeave$EnterEventH_prologInitializeSemaphore_malloc
• String ID:
• API String ID: 1405584564-0
• Opcode ID: 3f0bec743d3c3e54beb4ca038bcc84bad5a4a530a73f67f15a7eea00e341295c
• Instruction ID: 491e5497db774d6ab3e78c5f78b9db4af1dc916e288055147b814ae628d52a75
• Opcode Fuzzy Hash: 3f0bec743d3c3e54beb4ca038bcc84bad5a4a530a73f67f15a7eea00e341295c
• Instruction Fuzzy Hash: 1A118234A01321EBD724AF74AC457EABBA4AB0C355F10453BE902E3692DBBC89D1865D
                                                                                                                                        APIs
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 0000000B.00000002.1645914303.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000B.00000002.1646018342.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000B.00000002.1646018342.000000000044F000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 0000000B.00000002.1646076927.0000000000452000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_11_2_400000_tasksche.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3016257755-0
• Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
• Instruction ID: 44ddc5ebc1807cb1f8dbc3b2ce9dd0a677749795dee404b17e6a32e81244ff51
• Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
• Instruction Fuzzy Hash: AE11723250015EFBCF125E85EC418EE3F32BB48355B988456FE1859130CA3ACAB2AB85
APIs
• __getptd.LIBCMT ref: 0042231F
  • Part of subcall function 0041E9B4: __getptd_noexit.LIBCMT ref: 0041E9B7
  • Part of subcall function 0041E9B4: __amsg_exit.LIBCMT ref: 0041E9C4
• __getptd.LIBCMT ref: 00422336
• __amsg_exit.LIBCMT ref: 00422344
• __lock.LIBCMT ref: 00422354
Yara matches
Similarity
• API ID: __amsg_exit__getptd$__getptd_noexit__lock
• String ID:
• API String ID: 3521780317-0
• Opcode ID: 2067aca802aea6c84e1c6e0627a9ce2a9215c14d0a893de0c815b7a1e0d9c920
• Instruction ID: ac1e04e8c31356b773b53a495aea9e08dc5a2d3a98daccf88dafce2968103349
• Opcode Fuzzy Hash: 2067aca802aea6c84e1c6e0627a9ce2a9215c14d0a893de0c815b7a1e0d9c920
• Instruction Fuzzy Hash: D2F09631B00720EBDB60FBB6A50279D73A07F44724F54416FE844AB2D1CBBC9942DA5E
Strings
Yara matches
Similarity
• API ID:
• String ID: ;%u
• API String ID: 0-535004727
• Opcode ID: cfc7ebbd9fd2601b316cdb1ef2982a4c119fdbfeb810569a95eeff81c31aed19
• Instruction ID: 268b90de5ef8301e543b0e1450f18e5b796866e9caf2f0e9a7a428077d8a2ebb
• Opcode Fuzzy Hash: cfc7ebbd9fd2601b316cdb1ef2982a4c119fdbfeb810569a95eeff81c31aed19
• Instruction Fuzzy Hash: ADE114702007445ADB24EF75C699BEE77E5AF40304F04053FE996A72C2DBBCA984CB5A
APIs
• __EH_prolog.LIBCMT ref: 00408210
  • Part of subcall function 00401822: __EH_prolog.LIBCMT ref: 00401827
  • Part of subcall function 00401822: _memset.LIBCMT ref: 0040196A
  • Part of subcall function 00401822: _memset.LIBCMT ref: 00401979
  • Part of subcall function 00401822: _memset.LIBCMT ref: 00401988
  • Part of subcall function 00401417: __EH_prolog.LIBCMT ref: 0040141C
• _wcscpy.LIBCMT ref: 004082AF
Strings
Yara matches
Similarity
• API ID: H_prolog_memset$_wcscpy
• String ID: rar
• API String ID: 2876264062-1792618458
• Opcode ID: df481757314c625f03e0d64007fa51f0ba59a3fe21eb1f952cf43b257384ef2c
• Instruction ID: 75000dcce843433d4275637ef0618472c828e59e125cdaf0ff5f97d994d1ab7f
• Opcode Fuzzy Hash: df481757314c625f03e0d64007fa51f0ba59a3fe21eb1f952cf43b257384ef2c
• Instruction Fuzzy Hash: 3D41A4319002589EDB24DB50C955BEA77B8AB14304F4448FFE489B3182DB796FC8CB29
APIs
• CreateThread.KERNEL32(00000000,00010000,004111DD,?,00000000,?), ref: 00411278
• SetThreadPriority.KERNEL32(?,00000000,?,?,004112E4,-00000108,00404FE0), ref: 004112BF
  • Part of subcall function 00406423: __vswprintf_c_l.LIBCMT ref: 00406441
Strings
Yara matches
Similarity
• API ID: Thread$CreatePriority__vswprintf_c_l
• String ID: CreateThread failed
• API String ID: 2655393344-3849766595
• Opcode ID: 3061c48cbf7df5314d67cb84a6f78a2ab06f9f7c5b99b3b88179035cff10f0ee
• Instruction ID: 964536ca15170dd961cb9332306e5bd8003a90b1d1e662a5f33448d65f1dc838
• Opcode Fuzzy Hash: 3061c48cbf7df5314d67cb84a6f78a2ab06f9f7c5b99b3b88179035cff10f0ee
• Instruction Fuzzy Hash: 4B01A2753453057BD3215F55AC46BB673A9EB44766F20043FFB82E11D0DAB4A8608A2D
APIs
  • Part of subcall function 0041A429: __getptd.LIBCMT ref: 0041A42F
  • Part of subcall function 0041A429: __getptd.LIBCMT ref: 0041A43F
• __getptd.LIBCMT ref: 0041DEBA
  • Part of subcall function 0041E9B4: __getptd_noexit.LIBCMT ref: 0041E9B7
  • Part of subcall function 0041E9B4: __amsg_exit.LIBCMT ref: 0041E9C4
• __getptd.LIBCMT ref: 0041DEC8
Strings
Yara matches
Similarity
• API ID: __getptd$__amsg_exit__getptd_noexit
• String ID: csm
• API String ID: 803148776-1018135373
• Opcode ID: 2d55cb122b51988d1cc7e6481490fc99cbdc11bcbdbc1298bbf42470784b3229
• Instruction ID: 7c6b91792d137033b66a9eec197cc920f164d7126653d302a3e0d72df4157e21
• Opcode Fuzzy Hash: 2d55cb122b51988d1cc7e6481490fc99cbdc11bcbdbc1298bbf42470784b3229
• Instruction Fuzzy Hash: 040162B5C013148ACF389F25D444AEEB3B6AF14315F24441FE44156791DB38DED1DB49
APIs
• WaitForSingleObject.KERNEL32(?,000000FF,0041106E,?), ref: 00410EA6
• GetLastError.KERNEL32(?), ref: 00410EB2
  • Part of subcall function 00406423: __vswprintf_c_l.LIBCMT ref: 00406441
Strings
• WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00410EBB
Yara matches
Similarity
• API ID: ErrorLastObjectSingleWait__vswprintf_c_l
• String ID: WaitForMultipleObjects error %d, GetLastError %d
• API String ID: 1091760877-2248577382
• Opcode ID: ac3bcd71a64bb110093b5bec46156cf20680403487952e12d0601c5134127ac2
• Instruction ID: 79dccacb4fa0009262a18c3e3c709d5502c54047c68cfd859e09497cac206ec9
• Opcode Fuzzy Hash: ac3bcd71a64bb110093b5bec46156cf20680403487952e12d0601c5134127ac2
• Instruction Fuzzy Hash: 13D0C23260402037C5013B245C05EAE36116B11331BA00722F831602F1CB6909A2429F